Enable a partition to release its RX buffer and the SPMC
to update the appropriate state tracking.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I5fb6d92244b5ed5f032269b29b102aa874bf3ae3
Enable the SPMC to handle the FFA_RUN ABI and update
the state tracking accordingly.
Change-Id: I3e8a3fa3ec9b03830055d2fbd6124b8ff1ed4103
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Allow for a partition to retrieve its own partition ID.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I1a19ac30b86736d818673c239b2f8fd2d6128c06
Enable the spmc to report the features that it currently supports.
Populated with the currently implemented functionality.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I00e51ded284efd87cd50a0e9416dbc33f22ced85
Enable the SPMC to handle calls to FFA_PARTITION_INFO_GET.
This allows the normal world to discover which partitions
are running in the secure world including logical partitions
in EL3.
This implementation supports both the v1.0 and v1.1
implementations of the Partition Info Get Descriptor.
The SPMC populates the appropriate descriptor in the
partitions RX buffer, if requested, according to the
version of FF-A that the caller is using.
Additionally rename the common/uuid UUID_H include guard
due to a conflict with another header file.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0a85f1dae50fae1fe47a3cafb765fbe9f40619e1
Enable handling of FFA_RXTX_MAP and FFA_RXTX_UNMAP ABIs
and ensure these buffers are mapped as required to allow
access by the SPMC.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ifc425f1ee16c90d1d95b6ae4ac9992d6f785227b
Add the support to save Nwd's floating point registers before switching
to SEL0 and then restore it after coming out of it. Emit a warning
message if SPM_MM is built with CTX_INCLUDE_FPREGS == 0
There is no need to save FP registers of SEL0 because secure partitions
run to completion.
This change is used to prevent context corruption if secure partition
enabled and Nwd decide to use floating point registers.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I1eea16ea2311a4f00a806ea72c118752821b9abb
Add a helper function to obtain the FF-A version of a calling
partition. This is used to ensure that the SPMC maintains
backwards compatibility if the partition implements a lower
minor version for the same major version than the SPMC.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I5b364a1e510a999bb0c4cacae28f23f8a42a1e3e
In order to allow the EL3 SPMC to know the FF-A version of the
entity running in the normal world, allow the SPMD to
forward the call rather than replying on its behalf.
This solution works as the EL3 can ERET directly back to
the calling partition however this is not an option
when the SPMC resides in a lower exception level. A new
approach will be required to support such scenario.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ic2d6e49c06340167eadefe893c6e1e20b67ab498
Report the SPMC version to the caller, currently v1.1 and
also store the requested version to allow the SPMC to
use the corresponding FF-A version in future ABI calls.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I79aafd1e6694cbd4b231bbd0cac5834a71063d79
Add a helper function to obtain the relevant mailbox buffers
depending on which entity was last run. This will be used in
subsequent functionality to populate requested information in
the callers RX buffer.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I85959ced4d1454be05a7b3fb6853ed3ab7f0cf3e
We assume that the first descriptor in the normal world
endpoints is reserved for the hypervisor and add a helper
function to enable retrieving this directly.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I67c3589994eb820ef420db6ab7e8bd0825d64455
Ensure that the `messaging-methods` entry is populated in
an SP's manifest. Currently only direct messaging is supported
so alert if this does not match the manifest entry.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I67f1fad71a3507627993a004e0f8579388faf178
This is a mandatory entry in an SP's manifest however
currently an S-EL1 partition running under the EL3 SPMC
must have the same amount of execution contexts as
physical cores therefore just check the entry matches
this value.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I4c2a85ccde7a7bb9b1232cf6389a8c532cbf3d41
To align with other SPMC implementations parse the UUID
from the SP manifest as 4 uint32 values and store
this internally.
Change-Id: I7de5d5ef8d98dc14bc7c76892133c2333358a379
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Add mailbox structs to the partition descriptors
and ensure these are initialised correctly.
Change-Id: Ie80166d19763c266b6a1d23e351d312dc31fb221
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Add an example logical partition to the FVP platform that
simply prints and echos the contents of a direct request
with the appropriate direct response.
Change-Id: Ib2052c9a63a74830e5e83bd8c128c5f9b0d94658
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Introduce a framework to support running logical
partitions alongside the SPMC in EL3 as per the
v1.1 FF-A spec.
The DECLARE_LOGICAL_PARTITION macro has been added to
simplify the process to define a Logical Partition.
The partitions themselves are statically allocated
with the descriptors placed in RO memory.
It is assumed that the MAX_EL3_LP_DESCS_COUNT will
be defined by the platform.
Change-Id: I1c2523e0ad2d9c5d36aeeef6b8bcb1e80db7c443
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Enable the SPMC to handle FFA_MSG_SEND_DIRECT_REQ and
FFA_MSG_SEND_DIRECT_RESP ABIs.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ia196c7405993f600e4fdbf467397ea3fb035a62a
This ABI is only valid during SP initialisation to indicate
failure. If this occurs during SP initialisation signal a failure,
otherwise respond with a not supported error code.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0182a1641c0f6850e82173af333be79b594f2318
Handle an incoming call of FFA_MSG_WAIT from the secure world
and update the runtime state of the calling partition accordingly.
This ABI can be called in the following scenarios:
- Used by an SP to signal it has finished initializing.
- To resume the normal world after handling a secure interrupt
that interrupted the normal world.
- To relinquish control back to the normal world.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I929713a2280e8ec291b5b4e8f6d4b49df337228c
Use knowledge of the target partition ID and source security state
to determine which route should be used to exit the SPMC.
There are 3 exit paths:
1) Return to the normal world via the SPMD, this will take care of
switching contexts if required.
2) Return to the secure world when the call originated in the normal
world and therefore switch contexts.
3) Return to the secure world when the call originated in the secure
world, therefore we can return directly.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I4037f3a8a8519e2c9f1876be92806d2c41d0d154
Any FF-A SMC that arrives from the normal world is handled by the
SPMD before being forwarded to the SPMC. Similarly any SMC
arriving from the secure world will hit the SPMC first and be
forwarded to the SPMD if required, otherwise the SPMC will
respond directly.
This allows for the existing flow of handling FF-A ABI's when
the SPMC resides at a lower EL to be preserved.
In order to facilitate this flow the spmd_smc_forward function
has been split and control is either passed to the SPMC or it is
forwarded as before. To allow this the flags and cookie parameters
must now also be passed into this method as the SPMC must be able to
provide these when calling back into the SPMD handler as appropriate.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I84fee8390023295b9689067e14cd25cba23ca39b
Allow the SPMD to initialise an SPMC implementation at EL3 directly
rather than at a lower EL.
This includes removing the requirement to parse an SPMC manifest to
obtain information about the SPMC implementation, in this case since the
SPMD and SPMC reside in the same EL we can hardcode the required
information directly.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I66d1e1b3ec2d0abbfc28b011a32445ee890a331d
This patch introduces the core support for enabling an SPMC in EL3
as per the FF-A spec.
The current implemented functionality is targeted to enable
initialization of the SPMC itself and initial support for
bringing up a single S-EL1 SP.
This includes initialization of the SPMC's internal state,
parsing of an SP's manifest, preparing the cpu contexts and
appropriate system registers for the Secure Partition.
The spmc_smc_handler is the main handler for all incoming SMCs
to the SPMC, FF-A ABI handlers and functionality will
be implemented in subsequent patches.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ib33c240b91e54cbd018a69fec880d02adfbe12b9
As part of the RFC:
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/13651,
this patch adds the 'cm_prepare_el3_exit_ns' function. The function is
a wrapper to 'cm_prepare_el3_exit' function for Non-secure state.
When EL2 sysregs context exists (CTX_INCLUDE_EL2_REGS is
enabled) EL1 and EL2 sysreg values are restored from the context
instead of directly updating the registers.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I9b071030576bb05500d54090e2a03b3f125d1653
In preparation for adding the EL3 SPMC configuration as defined in
the FF-A specification, restructure the existing SPM_MM code.
With this restructuring of the code, the 'spm_mm' directory is
renamed as 'spm' and the code inside has been split into two
sub-directories named 'common' and 'spm_mm'. The code in 'spm_mm'
directory contains the code that implements the MM interface.
In subsequent patches, the 'spmc' directory will be introduced
under the 'spm' directory providing the code that implements
the 'FF-A' interface.
Currently the common functionality for S-EL1 partitions is
limited to assembler functions to enter and exit an SP
synchronously.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I37739b9b53bc68e151ab5c1c0c6a15b3ee362241
Add a dummy realm attestation key to RMMD, and return it on request.
The realm attestation key is requested with an SMC with the following
parameters:
* Fid (0xC400001B2).
* Attestation key buffer PA (the realm attestation key is copied
at this address by the monitor).
* Attestation key buffer length as input and size of realm
attesation key as output.
* Type of elliptic curve.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I12d8d98fd221f4638ef225c9383374ddf6e65eac
Add a dummy platform token to RMMD and return it on request. The
platform token is requested with an SMC with the following parameters:
* Fid (0xC40001B3).
* Platform token PA (the platform token is copied at this address by
the monitor). The challenge object needs to be passed by
the caller in this buffer.
* Platform token len.
* Challenge object len.
When calling the SMC, the platform token buffer received by EL3 contains
the challenge object. It is not used on the FVP and is only printed to
the log.
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
Change-Id: I8b2f1d54426c04e76d7a3baa6b0fbc40b0116348
This patch reworks the GTSI service implementation in RMMD
such that it is made internal to RMMD. This rework also
lays the ground work for additional RMMD services which
can be invoked from RMM.
The rework renames some of the FID macros to make it
more suited for adding more RMMD services. All the RMM-EL31
service SMCs are now routed via rmmd_rmm_el3_handler().
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: Ic52ca0f33b79a1fd1deefa8136f9586b088b2e07
Add FF-A v1.1 FFA_RX_ACQUIRE ABI forwarding to SPMD.
RX acquire interface is used by Hypervisor to acquire ownership of a
VM's RX buffer from SPMC when it needs to deliver a message to the VM.
Change-Id: I5f57240a9c9e94eb696a5a394ec0644170380026
Signed-off-by: Federico Recanati <federico.recanati@arm.com>
The previous delegating/undelegating sequence was incorrect as per the
specification DDI0615, "Architecture Reference Manual Supplement, The
Realm Management Extension (RME), for Armv9-A" Sections A1.1.1 and
A1.1.2
Off topic:
- cleaning the gpt_is_gpi_valid and gpt_check_pass_overlap
Change-Id: Idb64d0a2e6204f1708951137062847938ab5e0ac
Signed-off-by: Robert Wakim <robert.wakim@arm.com>
Introduced by FF-A v1.1 we must forward a call to FFA_VERSION
to the SPMC so that the ffa version of the caller can be stored
for later use. Since the return of FFA_VERSION is not wrapped in
a FF-A call we need to use a direct message request to do this
forwarding. For the spmd_handler in the SPMC to hand off to the
correct function we use w2 to specify a target framework function.
Therefore we must update PSCI CPU_OFF to do this as well.
Change-Id: Ibaa6832b66f1597b3d65aa8986034f0c5916016d
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The original design prevented the primary CPU from doing a
warm boot sequence. This patch allows the primary to do warm
boot as well.
Signed-off-by: Mark Dykes <mark.dykes@arm.com>
Change-Id: I6baa50c3dff3051ff8b3e5a922d340634f651867
This patch enable/disable SVE/FPU for Realms depending
upon it's state in NS.
When this feature is enabled, traps to EL3 on SVE/FPU access from
Realms are disabled. However, RMM must ensure that the Realm <-> NS
SVE/FPU registers are not corrupted by each other and Realms do
not leak information to NS.
Change-Id: I0a27a055787976507017b72879ba6458f066624e
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
This patch allocates the RMI and GTSI FIDs from the reserved
range in Standard Secure Service call range of SMCCC.
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
Change-Id: I82e77778882194c2a78ca6340788d53bab7c3a50
The RMI command handling in RMMD did not preserve x4 to x7 when
returning to NS caller. Although this is allowed for SMCCCv1.0, this is
not correct as per v1.1. This fixes the same by differentiating the
onward and backward path during SMC handling.
This patch also fixes an issue with the backward path wherein the first
argument was being truncated to 32 bits.
Change-Id: Ibc85d574d5a2178a763975ddb32e456a12e7dc88
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
As spm_mm cannot handle SVE/SME usage in NS world so its better to give
compilation error when ENABLE_SVE_FOR_NS=1 or ENABLE_SME_FOR_NS=1.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I69dbb272ca681bb020501342008eda20d4c0b096
This patch adds two new compile time options to enable SME in TF-A:
ENABLE_SME_FOR_NS and ENABLE_SME_FOR_SWD for use in non-secure and
secure worlds respectively. Setting ENABLE_SME_FOR_NS=1 will enable
SME for non-secure worlds and trap SME, SVE, and FPU/SIMD instructions
in secure context. Setting ENABLE_SME_FOR_SWD=1 will disable these
traps, but support for SME context management does not yet exist in
SPM so building with SPD=spmd will fail.
The existing ENABLE_SVE_FOR_NS and ENABLE_SVE_FOR_SWD options cannot
be used with SME as it is a superset of SVE and will enable SVE and
FPU/SIMD along with SME.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Iaaac9d22fe37b4a92315207891da848a8fd0ed73
sha 4ce3e99a3 introduced printf format specifiers for fixed width
types, which uses PRI*64 instead of "ll" for 64 bit values.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I30472411467061d58cc6ee22407ed3bad2552751
Use long instead of long long on aarch64 for 64_t stdint types.
Introduce inttypes.h to properly support printf format specifiers for
fixed width types for such change.
Change-Id: I0bca594687a996fde0a9702d7a383055b99f10a1
Signed-off-by: Scott Branden <scott.branden@broadcom.com>
Updated FFA_FEATURES according to FF-A v1.1 in SPMC can also be used
to retrieve feature information, and should now accept other arguments
than just FF-A call IDs.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I02cc24a31ab3092ec1ce6fed1a9649ffe7136782
Assert condition:
1 Register secure timer(ppi=29) for sdei nmi watchdog;
2 kernel panic and then kdump;
While kdump, kernel mask all cores sdei, secure timer trigger
and go to handle_masked_trigger() and assert here:
assert(se->affinity == my_mpidr);
As kernel register with flag=0, mpidr=0 and TF-A set flag to
SDEI_REGF_RM_PE but leave mpidr=0. So set mpidr to fix his
assert issue.
Signed-off-by: Ming Huang <huangming@linux.alibaba.com>
Change-Id: Ia9182f40bde94fb004b46e2a72b186eb0ef05166
Define a handler in the SPMD to route secure interrupts occurring while
the normal world runs. On a Group1 Secure interrupt (with a GICv3 or a
Group0 interrupt on GICv2), the normal world is pre-empted to EL3 and
redirected to the SPMD/SPMC for further handling.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Change-Id: I1350d74048c5549a2af8da0ba004c08512cc006a
SDEI specified event numbers in hexadecimal format.
Change event number format to hexadecimal to make
it easier for the reader to recognize the proper event.
Change-Id: Iac7a91d0910316e0ad54a8f09bc17209e8c6adf6
Signed-off-by: Vasyl Gomonovych <vgomonovych@marvell.com>
This patch updates and refactors the GPT library and fixes bugs.
- Support all combinations of PGS, PPS, and L0GPTSZ parameters.
- PPS and PGS are set at runtime, L0GPTSZ is read from GPCCR_EL3.
- Use compiler definitions to simplify code.
- Renaming functions to better suit intended uses.
- MMU enabled before GPT APIs called.
- Add comments to make function usage more clear in GPT library.
- Added _rme suffix to file names to differentiate better from the
GPT file system code.
- Renamed gpt_defs.h to gpt_rme_private.h to better separate private
and public code.
- Renamed gpt_core.c to gpt_rme.c to better conform to TF-A precedent.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I4cbb23b0f81e697baa9fb23ba458aa3f7d1ed919
The changes include:
- A new build option (ENABLE_RME) to enable FEAT_RME
- New image called RMM. RMM is R-EL2 firmware that manages Realms.
When building TF-A, a path to RMM image can be specified using
the "RMM" build flag. If RMM image is not provided, TRP is built
by default and used as RMM image.
- Support for RMM image in fiptool
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I017c23ef02e465a5198baafd665a60858ecd1b25
TRP is a small test payload that implements Realm Monitor
Management (RMM) functionalities. RMM runs in the Realm world
(R-EL2) and manages the execution of Realm VMs and their
interaction with the hypervisor in Normal world.
TRP is used to test the interface between RMM and Normal world
software, known as Realm Management Interface (RMI). Current
functions includes returning RMM version and transitioning
granules from Non-secure to Realm world and vice versa.
More information about RMM can be found at:
https://developer.arm.com/documentation/den0125/latest
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: Ic7b9a1e1f3142ef6458d40150d0b4ba6bd723ea2
Marc Bonnici
Nishant Sharma
Zelalem Aweke
Soby Mathew
Federico Recanati
Robert Wakim
Daniel Boulby
Mark Dykes
Subhasish Ghosh
Manish Pandey
johpow01
Olivier Deprez
Scott Branden
J-Alves
Ming Huang
Vasyl Gomonovych