This patch separates the code from SPM_MM to get xlat table context and
move it to a common location. In addition, only APIs required from both
SPM_MM and FF-A EL3 SPMC are moved to the common location.
This allows understanding better what is required to support a S-EL0 SP
instead of trying to retrofit what already exists.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I142d7fbef5239869176d0de93842c66051d7ed78
In preparation for adding the support for SEL0 SP in EL3 SPMC,
restructure the existing SPM_MM shim code in a way that allows reuse
of the code for both SPM_MM interface and FF-A EL3 SPMC interface. The
code for changing exception levels is identical for both.
With this restructuring of the code, the shim exception code is moved to
the common sub-directory.
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: Iadda9cf73f12b56e6a1d31fc21b5ba5dc355867f
Move ffa_partition_info_get definitions from EL3 SPMC private header
files to common header files. The structures are common to FF-A and are
useful for the EL3 SPMD logical partitions.
Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I19de3f6cb3351afa873022da1397a475a84e3d8b
Check that the size of desc->emad_count is 4, not that sizeof(int) is
nonzero. Also improve a comment.
Change-Id: I8bf69b637158ddffe2d08aed3d9879a4d7fd3514
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
* changes:
fix(tsp): fix destination ID in direct request
fix(el3-spm): fix LSP direct message response
fix(el3-spm): improve direct messaging validation
Perform additional validation of the source and destination
IDs of direct messages.
Additionally track the sender of a direct request to allow
validating the target of the corresponding direct response.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I8d39d53a02b8333246f1500c79ba04f149459c16
Using one loop for the duplicate partition ID check is both simpler and
faster.
Change-Id: I0f6fa9ceb1aadf4383fa9be16605c39ad8643a43
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This ensures that addresses shared using FF-A are 4K aligned, as
required by the specification.
Change-Id: I8f0a659a095fdb9391398757141d613ac9bf9b42
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This makes the code cleaner. No functional change intended.
Change-Id: Ib7b438b830e8e3b7ac6e30d688f5172cbaa58121
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Future changes will cause spmc_shmem_obj_get_comp_mrd to panic instead
of returning NULL, so be sure that comp_mrd_offset has been validated
already. The existing code checks for 8-byte alignment, but comments in
el3_spmc_ffa_memory.h indicate that 16-byte alignment is expected, so
require 16-byte alignment.
Change-Id: I400f0f1f163522cb5ea77d4811c91e8b7e655c18
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
If the size of a shmem descriptor is not a multiple of 16, the
descriptor would be unusable, but the problem would be caught much
later.
Change-Id: I907f3862b55c6341e39a6b8b2e24784127230478
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This ensures that descriptor size calculation does not overflow and
removes a bounds check that does not actually work.
Change-Id: If8da2bb1b312941b7f9d0debf3149b984fc3809a
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Using uint64_t is cleaner, even though size_t is 64 bits on all
platforms el3-spmc supports.
Change-Id: I457deb0b7f3df0749cb5368cceda1bb530d039de
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The information is already available inline. No functional change
intended.
Change-Id: I13d2ad62a9315b233d7a5fd3ffcaac3dd01b055c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Hopefully this will be a tiny speedup. No functional change intended.
Change-Id: Ia052c7f9b24d5ece6209a6fa2903b1271215ece7
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
If it is called on an invalid mtd, out-of-bounds memory reads are
likely. Checks elsewhere in the code ensure that the mtd has been
validated before calling this function.
Change-Id: If598680a5b79e1786a6e0a213779ec80cbf37494
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
size_t is not guaranteed to be 64 bits, although it happens to be 64
bits on all systems that el3-spmc supports.
Change-Id: Ieae11722a15448641de50233597ac35869eab574
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Use the address of emad 0 instead of the size of the MRD.
Change-Id: I31ec0001b4474e78caa9dfb468f63122a3708781
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The offset has been validated on the first loop iteration. Subsequent
iterations can assume it is valid.
Change-Id: Ib06cd0240220b8aa42bcd34c3c40b69d2d86aa72
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
When called on incomplete objects, it might fail or access uninitialized
memory. This allows simplifying spmc_shm_check_obj().
Change-Id: I7c11f15d4c8ebe8cd15e7d8c37a0d0f3daa83675
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Earlier validation ensures spmc_shmem_obj_get_emad() will never fail, so
trip an assertion instead of returning NULL.
Change-Id: I285f3b59150773b2404db5719753fdb240e9ed63
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
A v1.1 descriptor has a minimum length exceeding that of a v1.0
descriptor.
Change-Id: I06265d58f53eccb0d39927fe9ff396b73735df97
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Add support for runtime detection (ENABLE_SVE_FOR_NS=2), by splitting
sve_supported() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we do SVE specific setup.
Change the FVP platform default to the now supported dynamic
option (=2), so the right decision can be made by the code at runtime.
Change-Id: I1caaba2216e8e2a651452254944a003607503216
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Add support for runtime detection (ENABLE_SME_FOR_NS=2), by splitting
feat_sme_supported() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we do SME specific setup.
Change the FVP platform default to the now supported dynamic option
(=2),so the right decision can be made by the code at runtime.
Change-Id: Ida9ccf737db5be20865b84f42b1f9587be0626ab
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Some of our specialized sections are not prefixed with the conventional
period. The compiler uses input section names to derive certain other
section names (e.g. `.rela.text`, `.relacpu_ops`), and these can be
difficult to select in linker scripts when there is a lack of a
delimiter.
This change introduces the period prefix to all specialized section
names.
BREAKING-CHANGE: All input and output linker section names have been
prefixed with the period character, e.g. `cpu_ops` -> `.cpu_ops`.
Change-Id: I51c13c5266d5975fbd944ef4961328e72f82fc1c
Signed-off-by: Chris Kay <chris.kay@arm.com>
* changes:
docs(build): describes the SPMC_OPTEE build option
feat(qemu): support el3 spmc
feat(el3-spmc): make platform logical partition optional
feat(qemu): support s-el2 spmc
feat(qemu): update abi between spmd and spmc
fix(sptool): add dependency to SP image
Prior to this commit a logical platform specific partition is added when
compiling with SPMC at EL3. Not all platform need to add a logical
platform so make this optional.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Change-Id: I3bdd2a91350330c1637e8d84765974bfb6b225d7
Ensure that there is sufficient space in the memory
descriptor to accommodate the size of the composite memory
struct as part of the descriptor.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Iea646b144c59a2a1a171298cabb5f31040a8af31
Ensure that the correct execution state of an SP is reported
as part of an FF-A v1.1 PARTITION_INFO_GET response.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I714e53ae71c376463797a42cd5ab7a5e9c687fb7
Ensure that the provided descriptor size used when reserving space
for a memory descriptor does not overflow to prevent scope for
memory corruption. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: If06985c4de9a88ff82ce60d10e346da948ed383f
Ensure that the fragment_length parameter is validated to prevent
a buffer overflow before it is used. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0323c096ffd988fbd85bbd4ade3abd8427aea977
The current logic does not cover all scenarios of overlapping
memory regions. Update the implementation to verify non-overlapping
regions instead. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I16c53d081e4455bc0e28399d28a1b27b1a9eb49c
Ensure that the full memory transaction descriptor has been transmitted
before a request to reclaim the memory transaction is permitted.
This prevents any potential accesses to the incomplete descriptor.
Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I33e993c6b754632051e899ab20edd19b18b6cf65
Error check must be done on the previously allocated pointer, not a
random one from the code.
Change-Id: I1c8253eacbe778cc4a9a8d71081fc615fa7e5293
Signed-off-by: Lukas Hanel <lukas.hanel@trustonic.com>
Do not forget to pass via err_unlock_mailbox: label.
Change-Id: Icfb997b1c7cce196003af2c28bffc50dc73e30b4
Signed-off-by: Lukas Hanel <lukas.hanel@trustonic.com>
This patch fixes an issue in spmc_ffa_fill_desc.
In order to compute the spmc_shm_get_v1_1_descriptor_size,
fragment_length which is a fraction of the descriptor size is used as
desc_size parameter. It has to be replaced with the
full V1.0 descriptor size(obj->desc_filled).
Ran a subset of our tests and they are passing.
Change-Id: Ia4bbc5dabf0b77fa53d923ff609ee48ecd5bf549
Signed-off-by: vallau01 <valentin.laurent@trustonic.com>
Signed-off-by: Lukas Hanel <lukas.hanel@trustonic.com>
- Removing platform dependencies from libc modules.
- Replacing panicking with actual error handling.
- Debug macros are included indirectly from assert.h. Removing
"platform_def.h" from assert.h and adding "common/debug.h"
where the macros are used.
- Removing hack for fixing PLAT_LOG_LEVEL_ASSERT to 40.
Instead removing assert with expression, as this
does not provide additional information.
Signed-off-by: Claus Pedersen <claustbp@google.com>
Change-Id: Icc201ea7b63c1277e423c1cfd13fd6816c2bc568
This patch adds the FF-A programming model in the test
secure payload to ensure that it can be used to test
the following spec features.
1. SP initialisation on the primary and secondary cpus.
2. An event loop to receive direct requests and respond
with direct responses.
3. Ability to receive messages that indicate power on
and off of a cpu.
4. Ability to handle a secure interrupt.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Signed-off-by: Shruti <shruti.gupta@arm.com>
Change-Id: I81cf744904d5cdc0b27862b5e4bc6f2cfe58a13a
The current implementation expects that the endpoint IDs of all
participants of a memory transaction to be listed in the relinquish
descriptor. As per the FF-A spec, aside from the current partition
ID, only the IDs of stream endpoints whose behalf it is relinquishing
the memory region must be specified.
The current implementation does not currently support proxy endpoints
therefore ensure that the endpoint count is always equal to 1 and
no stream endpoint IDs are specified and instead just verify the
caller is a valid participant in the memory transaction.
Additionally reuse the updated check in the retrieve request flow
for additional verification.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I3b970196af8a16b2531607775398cb8a2473793b
Fix the wrong FF-A version being used for retrieving existing memory
descriptors for v1.0 clients. Internally these should always be stored
using the latest version rather than client version.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ibee1b2452c8d6ebd23bbd9d703c96ca185444093
