efi_loader: refactor switch to non-secure mode

Refactor the switch from supervisor to hypervisor to a new function called at the beginning of do_bootefi(). Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Alexander Graf <agraf@suse.de>
2025-04-28 16:48:18 +00:00 · 2019-01-08 18:13:06 +01:00 · 2019-01-08 18:13:06 +01:00 · f6c6df7ebc
commit f6c6df7ebc
parent b4f471f18e
7 changed files with 132 additions and 67 deletions
--- a/arch/arm/cpu/armv7/Makefile
+++ b/arch/arm/cpu/armv7/Makefile
@ -14,6 +14,7 @@ obj-$(CONFIG_SYS_ARM_MPU) += mpu_v7r.o
 ifneq ($(CONFIG_SPL_BUILD),y)
 obj-$(CONFIG_EFI_LOADER) += sctlr.o
 obj-$(CONFIG_ARMV7_NONSEC) += exception_level.o
 endif
 ifneq ($(CONFIG_SKIP_LOWLEVEL_INIT),y)
--- a/arch/arm/cpu/armv7/exception_level.c
+++ b/arch/arm/cpu/armv7/exception_level.c
@ -0,0 +1,56 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
 * Switch to non-secure mode
 *
 * Copyright (c) 2018 Heinrich Schuchardt
 *
 * This module contains the ARMv7 specific code required for leaving the
 * secure mode before booting an operating system.
 */
 #include <common.h>
 #include <bootm.h>
 #include <asm/armv7.h>
 #include <asm/secure.h>
 #include <asm/setjmp.h>
 /**
 * entry_non_secure() - entry point when switching to non-secure mode
 *
 * When switching to non-secure mode switch_to_non_secure_mode() calls this
 * function passing a jump buffer. We use this jump buffer to restore the
 * original stack and register state.
 *
 * @non_secure_jmp:	jump buffer for restoring stack and registers
 */
 static void entry_non_secure(struct jmp_buf_data *non_secure_jmp)
 {
 	dcache_enable();
 	debug("Reached non-secure mode\n");
 	/* Restore stack and registers saved in switch_to_non_secure_mode() */
 	longjmp(non_secure_jmp, 1);
 }
 /**
 * switch_to_non_secure_mode() - switch to non-secure mode
 *
 * Operating systems may expect to run in non-secure mode. Here we check if
 * we are running in secure mode and switch to non-secure mode if necessary.
 */
 void switch_to_non_secure_mode(void)
 {
 	static bool is_nonsec;
 	struct jmp_buf_data non_secure_jmp;
 	if (armv7_boot_nonsec() && !is_nonsec) {
 		if (setjmp(&non_secure_jmp))
 			return;
 		dcache_disable();	/* flush cache before switch to HYP */
 		armv7_init_nonsec();
 		is_nonsec = true;
 		secure_ram_addr(_do_nonsec_entry)(entry_non_secure,
 						  (uintptr_t)&non_secure_jmp,
 						  0, 0);
 	}
 }
--- a/arch/arm/cpu/armv8/Makefile
+++ b/arch/arm/cpu/armv8/Makefile
@ -14,6 +14,7 @@ ifdef CONFIG_SPL_BUILD
 obj-$(CONFIG_ARMV8_SPL_EXCEPTION_VECTORS) += exceptions.o
 else
 obj-y	+= exceptions.o
 obj-y	+= exception_level.o
 endif
 obj-y	+= cache.o
 obj-y	+= tlb.o
--- a/arch/arm/cpu/armv8/exception_level.c
+++ b/arch/arm/cpu/armv8/exception_level.c
@ -0,0 +1,55 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
 * Switch to non-secure mode
 *
 * Copyright (c) 2018 Heinrich Schuchardt
 *
 * This module contains the ARMv8 specific code required to adjust the exception
 * level before booting an operating system.
 */
 #include <common.h>
 #include <bootm.h>
 #include <asm/setjmp.h>
 /**
 * entry_non_secure() - entry point when switching to non-secure mode
 *
 * When switching to non-secure mode switch_to_non_secure_mode() calls this
 * function passing a jump buffer. We use this jump buffer to restore the
 * original stack and register state.
 *
 * @non_secure_jmp:	jump buffer for restoring stack and registers
 */
 static void entry_non_secure(struct jmp_buf_data *non_secure_jmp)
 {
 	dcache_enable();
 	debug("Reached non-secure mode\n");
 	/* Restore stack and registers saved in switch_to_non_secure_mode() */
 	longjmp(non_secure_jmp, 1);
 }
 /**
 * switch_to_non_secure_mode() - switch to non-secure mode
 *
 * Exception level EL3 is meant to be used by the secure monitor only (ARM
 * trusted firmware being one embodiment). The operating system shall be
 * started at exception level EL2. So here we check the exception level
 * and switch it if necessary.
 */
 void switch_to_non_secure_mode(void)
 {
 	struct jmp_buf_data non_secure_jmp;
 	/* On AArch64 we need to make sure we call our payload in < EL3 */
 	if (current_el() == 3) {
 		if (setjmp(&non_secure_jmp))
 			return;
 		dcache_disable();	/* flush cache before switch to EL2 */
 		/* Move into EL2 and keep running there */
 		armv8_switch_to_el2((uintptr_t)&non_secure_jmp, 0, 0, 0,
 				    (uintptr_t)entry_non_secure, ES_TO_AARCH64);
 	}
 }
--- a/cmd/bootefi.c
+++ b/cmd/bootefi.c
@ -5,8 +5,9 @@
 *  Copyright (c) 2016 Alexander Graf
 */
 #include <charset.h>
 #include <common.h>
 #include <bootm.h>
 #include <charset.h>
 #include <command.h>
 #include <dm.h>
 #include <efi_loader.h>
@ -21,11 +22,6 @@
 #include <asm-generic/unaligned.h>
 #include <linux/linkage.h>
 #ifdef CONFIG_ARMV7_NONSEC
 #include <asm/armv7.h>
 #include <asm/secure.h>
 #endif
 DECLARE_GLOBAL_DATA_PTR;
 static struct efi_device_path *bootefi_image_path;
@ -151,34 +147,6 @@ static efi_status_t efi_do_enter(
 	return ret;
 }
 #ifdef CONFIG_ARM64
 static efi_status_t efi_run_in_el2(EFIAPI efi_status_t (*entry)(
 			efi_handle_t image_handle, struct efi_system_table *st),
 			efi_handle_t image_handle, struct efi_system_table *st)
 {
 	/* Enable caches again */
 	dcache_enable();
 	return efi_do_enter(image_handle, st, entry);
 }
 #endif
 #ifdef CONFIG_ARMV7_NONSEC
 static bool is_nonsec;
 static efi_status_t efi_run_in_hyp(EFIAPI efi_status_t (*entry)(
 			efi_handle_t image_handle, struct efi_system_table *st),
 			efi_handle_t image_handle, struct efi_system_table *st)
 {
 	/* Enable caches again */
 	dcache_enable();
 	is_nonsec = true;
 	return efi_do_enter(image_handle, st, entry);
 }
 #endif
 /*
 * efi_carve_out_dt_rsv() - Carve out DT reserved memory ranges
 *
@ -358,39 +326,6 @@ static efi_status_t do_bootefi_exec(void *efi,
 		goto err_prepare;
 	}
 #ifdef CONFIG_ARM64
 	/* On AArch64 we need to make sure we call our payload in < EL3 */
 	if (current_el() == 3) {
 		smp_kick_all_cpus();
 		dcache_disable();	/* flush cache before switch to EL2 */
 		/* Move into EL2 and keep running there */
 		armv8_switch_to_el2((ulong)entry,
 				    (ulong)&image_obj->header,
 				    (ulong)&systab, 0, (ulong)efi_run_in_el2,
 				    ES_TO_AARCH64);
 		/* Should never reach here, efi exits with longjmp */
 		while (1) { }
 	}
 #endif
 #ifdef CONFIG_ARMV7_NONSEC
 	if (armv7_boot_nonsec() && !is_nonsec) {
 		dcache_disable();	/* flush cache before switch to HYP */
 		armv7_init_nonsec();
 		secure_ram_addr(_do_nonsec_entry)(
 					efi_run_in_hyp,
 					(uintptr_t)entry,
 					(uintptr_t)&image_obj->header,
 					(uintptr_t)&systab);
 		/* Should never reach here, efi exits with longjmp */
 		while (1) { }
 	}
 #endif
 	ret = efi_do_enter(&image_obj->header, &systab, entry);
 err_prepare:
@ -476,6 +411,8 @@ static int do_bootefi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 	/* Allow unaligned memory access */
 	allow_unaligned();
 	switch_to_non_secure_mode();
 	/* Initialize EFI drivers */
 	r = efi_init_obj_list();
 	if (r != EFI_SUCCESS) {
--- a/common/bootm.c
+++ b/common/bootm.c
@ -912,6 +912,16 @@ static const void *boot_get_kernel(cmd_tbl_t *cmdtp, int flag, int argc,
 	return buf;
 }
 /**
 * switch_to_non_secure_mode() - switch to non-secure mode
 *
 * This routine is overridden by architectures requiring this feature.
 */
 void __weak switch_to_non_secure_mode(void)
 {
 }
 #else /* USE_HOSTCC */
 void memmove_wd(void *to, void *from, size_t len, ulong chunksz)
--- a/include/bootm.h
+++ b/include/bootm.h
@ -82,4 +82,9 @@ int bootm_decomp_image(int comp, ulong load, ulong image_start, int type,
 */
 void board_quiesce_devices(void);
 /**
 * switch_to_non_secure_mode() - switch to non-secure mode
 */
 void switch_to_non_secure_mode(void);
 #endif