1 /*
2 * Copyright (c) 2022, Arm Limited. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7 #include <assert.h>
8 #include <errno.h>
9 #include <inttypes.h>
10 #include <limits.h>
11 #include <stdint.h>
12
13 #include <arch.h>
14 #include <arch_helpers.h>
15 #include <common/debug.h>
16 #include "gpt_rme_private.h"
17 #include <lib/gpt_rme/gpt_rme.h>
18 #include <lib/smccc.h>
19 #include <lib/spinlock.h>
20 #include <lib/xlat_tables/xlat_tables_v2.h>
21
22 #if !ENABLE_RME
23 #error "ENABLE_RME must be enabled to use the GPT library."
24 #endif
25
26 /*
27 * Lookup T from PPS
28 *
29 * PPS Size T
30 * 0b000 4GB 32
31 * 0b001 64GB 36
32 * 0b010 1TB 40
33 * 0b011 4TB 42
34 * 0b100 16TB 44
35 * 0b101 256TB 48
36 * 0b110 4PB 52
37 *
38 * See section 15.1.27 of the RME specification.
39 */
40 static const gpt_t_val_e gpt_t_lookup[] = {PPS_4GB_T, PPS_64GB_T,
41 PPS_1TB_T, PPS_4TB_T,
42 PPS_16TB_T, PPS_256TB_T,
43 PPS_4PB_T};
44
45 /*
46 * Lookup P from PGS
47 *
48 * PGS Size P
49 * 0b00 4KB 12
50 * 0b10 16KB 14
51 * 0b01 64KB 16
52 *
53 * Note that pgs=0b10 is 16KB and pgs=0b01 is 64KB, this is not a typo.
54 *
55 * See section 15.1.27 of the RME specification.
56 */
57 static const gpt_p_val_e gpt_p_lookup[] = {PGS_4KB_P, PGS_64KB_P, PGS_16KB_P};
58
59 /*
60 * This structure contains GPT configuration data.
61 */
62 typedef struct {
63 uintptr_t plat_gpt_l0_base;
64 gpccr_pps_e pps;
65 gpt_t_val_e t;
66 gpccr_pgs_e pgs;
67 gpt_p_val_e p;
68 } gpt_config_t;
69
70 static gpt_config_t gpt_config;
71
72 /* These variables are used during initialization of the L1 tables. */
73 static unsigned int gpt_next_l1_tbl_idx;
74 static uintptr_t gpt_l1_tbl;
75
76 /*
77 * This function checks to see if a GPI value is valid.
78 *
79 * These are valid GPI values.
80 * GPT_GPI_NO_ACCESS U(0x0)
81 * GPT_GPI_SECURE U(0x8)
82 * GPT_GPI_NS U(0x9)
83 * GPT_GPI_ROOT U(0xA)
84 * GPT_GPI_REALM U(0xB)
85 * GPT_GPI_ANY U(0xF)
86 *
87 * Parameters
88 * gpi GPI to check for validity.
89 *
90 * Return
91 * true for a valid GPI, false for an invalid one.
92 */
gpt_is_gpi_valid(unsigned int gpi)93 static bool gpt_is_gpi_valid(unsigned int gpi)
94 {
95 if ((gpi == GPT_GPI_NO_ACCESS) || (gpi == GPT_GPI_ANY) ||
96 ((gpi >= GPT_GPI_SECURE) && (gpi <= GPT_GPI_REALM))) {
97 return true;
98 }
99 return false;
100 }
101
102 /*
103 * This function checks to see if two PAS regions overlap.
104 *
105 * Parameters
106 * base_1: base address of first PAS
107 * size_1: size of first PAS
108 * base_2: base address of second PAS
109 * size_2: size of second PAS
110 *
111 * Return
112 * True if PAS regions overlap, false if they do not.
113 */
gpt_check_pas_overlap(uintptr_t base_1,size_t size_1,uintptr_t base_2,size_t size_2)114 static bool gpt_check_pas_overlap(uintptr_t base_1, size_t size_1,
115 uintptr_t base_2, size_t size_2)
116 {
117 if (((base_1 + size_1) > base_2) && ((base_2 + size_2) > base_1)) {
118 return true;
119 }
120 return false;
121 }
122
123 /*
124 * This helper function checks to see if a PAS region from index 0 to
125 * (pas_idx - 1) occupies the L0 region at index l0_idx in the L0 table.
126 *
127 * Parameters
128 * l0_idx: Index of the L0 entry to check
129 * pas_regions: PAS region array
130 * pas_idx: Upper bound of the PAS array index.
131 *
132 * Return
133 * True if a PAS region occupies the L0 region in question, false if not.
134 */
gpt_does_previous_pas_exist_here(unsigned int l0_idx,pas_region_t * pas_regions,unsigned int pas_idx)135 static bool gpt_does_previous_pas_exist_here(unsigned int l0_idx,
136 pas_region_t *pas_regions,
137 unsigned int pas_idx)
138 {
139 /* Iterate over PAS regions up to pas_idx. */
140 for (unsigned int i = 0U; i < pas_idx; i++) {
141 if (gpt_check_pas_overlap((GPT_L0GPTSZ_ACTUAL_SIZE * l0_idx),
142 GPT_L0GPTSZ_ACTUAL_SIZE,
143 pas_regions[i].base_pa, pas_regions[i].size)) {
144 return true;
145 }
146 }
147 return false;
148 }
149
150 /*
151 * This function iterates over all of the PAS regions and checks them to ensure
152 * proper alignment of base and size, that the GPI is valid, and that no regions
153 * overlap. As a part of the overlap checks, this function checks existing L0
154 * mappings against the new PAS regions in the event that gpt_init_pas_l1_tables
155 * is called multiple times to place L1 tables in different areas of memory. It
156 * also counts the number of L1 tables needed and returns it on success.
157 *
158 * Parameters
159 * *pas_regions Pointer to array of PAS region structures.
160 * pas_region_cnt Total number of PAS regions in the array.
161 *
162 * Return
163 * Negative Linux error code in the event of a failure, number of L1 regions
164 * required when successful.
165 */
gpt_validate_pas_mappings(pas_region_t * pas_regions,unsigned int pas_region_cnt)166 static int gpt_validate_pas_mappings(pas_region_t *pas_regions,
167 unsigned int pas_region_cnt)
168 {
169 unsigned int idx;
170 unsigned int l1_cnt = 0U;
171 unsigned int pas_l1_cnt;
172 uint64_t *l0_desc = (uint64_t *)gpt_config.plat_gpt_l0_base;
173
174 assert(pas_regions != NULL);
175 assert(pas_region_cnt != 0U);
176
177 for (idx = 0U; idx < pas_region_cnt; idx++) {
178 /* Check for arithmetic overflow in region. */
179 if ((ULONG_MAX - pas_regions[idx].base_pa) <
180 pas_regions[idx].size) {
181 ERROR("[GPT] Address overflow in PAS[%u]!\n", idx);
182 return -EOVERFLOW;
183 }
184
185 /* Initial checks for PAS validity. */
186 if (((pas_regions[idx].base_pa + pas_regions[idx].size) >
187 GPT_PPS_ACTUAL_SIZE(gpt_config.t)) ||
188 !gpt_is_gpi_valid(GPT_PAS_ATTR_GPI(pas_regions[idx].attrs))) {
189 ERROR("[GPT] PAS[%u] is invalid!\n", idx);
190 return -EFAULT;
191 }
192
193 /*
194 * Make sure this PAS does not overlap with another one. We
195 * start from idx + 1 instead of 0 since prior PAS mappings will
196 * have already checked themselves against this one.
197 */
198 for (unsigned int i = idx + 1; i < pas_region_cnt; i++) {
199 if (gpt_check_pas_overlap(pas_regions[idx].base_pa,
200 pas_regions[idx].size,
201 pas_regions[i].base_pa,
202 pas_regions[i].size)) {
203 ERROR("[GPT] PAS[%u] overlaps with PAS[%u]\n",
204 i, idx);
205 return -EFAULT;
206 }
207 }
208
209 /*
210 * Since this function can be called multiple times with
211 * separate L1 tables we need to check the existing L0 mapping
212 * to see if this PAS would fall into one that has already been
213 * initialized.
214 */
215 for (unsigned int i = GPT_L0_IDX(pas_regions[idx].base_pa);
216 i <= GPT_L0_IDX(pas_regions[idx].base_pa + pas_regions[idx].size - 1);
217 i++) {
218 if ((GPT_L0_TYPE(l0_desc[i]) == GPT_L0_TYPE_BLK_DESC) &&
219 (GPT_L0_BLKD_GPI(l0_desc[i]) == GPT_GPI_ANY)) {
220 /* This descriptor is unused so continue. */
221 continue;
222 }
223
224 /*
225 * This descriptor has been initialized in a previous
226 * call to this function so cannot be initialized again.
227 */
228 ERROR("[GPT] PAS[%u] overlaps with previous L0[%d]!\n",
229 idx, i);
230 return -EFAULT;
231 }
232
233 /* Check for block mapping (L0) type. */
234 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) ==
235 GPT_PAS_ATTR_MAP_TYPE_BLOCK) {
236 /* Make sure base and size are block-aligned. */
237 if (!GPT_IS_L0_ALIGNED(pas_regions[idx].base_pa) ||
238 !GPT_IS_L0_ALIGNED(pas_regions[idx].size)) {
239 ERROR("[GPT] PAS[%u] is not block-aligned!\n",
240 idx);
241 return -EFAULT;
242 }
243
244 continue;
245 }
246
247 /* Check for granule mapping (L1) type. */
248 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) ==
249 GPT_PAS_ATTR_MAP_TYPE_GRANULE) {
250 /* Make sure base and size are granule-aligned. */
251 if (!GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].base_pa) ||
252 !GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].size)) {
253 ERROR("[GPT] PAS[%u] is not granule-aligned!\n",
254 idx);
255 return -EFAULT;
256 }
257
258 /* Find how many L1 tables this PAS occupies. */
259 pas_l1_cnt = (GPT_L0_IDX(pas_regions[idx].base_pa +
260 pas_regions[idx].size - 1) -
261 GPT_L0_IDX(pas_regions[idx].base_pa) + 1);
262
263 /*
264 * This creates a situation where, if multiple PAS
265 * regions occupy the same table descriptor, we can get
266 * an artificially high total L1 table count. The way we
267 * handle this is by checking each PAS against those
268 * before it in the array, and if they both occupy the
269 * same PAS we subtract from pas_l1_cnt and only the
270 * first PAS in the array gets to count it.
271 */
272
273 /*
274 * If L1 count is greater than 1 we know the start and
275 * end PAs are in different L0 regions so we must check
276 * both for overlap against other PAS.
277 */
278 if (pas_l1_cnt > 1) {
279 if (gpt_does_previous_pas_exist_here(
280 GPT_L0_IDX(pas_regions[idx].base_pa +
281 pas_regions[idx].size - 1),
282 pas_regions, idx)) {
283 pas_l1_cnt = pas_l1_cnt - 1;
284 }
285 }
286
287 if (gpt_does_previous_pas_exist_here(
288 GPT_L0_IDX(pas_regions[idx].base_pa),
289 pas_regions, idx)) {
290 pas_l1_cnt = pas_l1_cnt - 1;
291 }
292
293 l1_cnt += pas_l1_cnt;
294 continue;
295 }
296
297 /* If execution reaches this point, mapping type is invalid. */
298 ERROR("[GPT] PAS[%u] has invalid mapping type 0x%x.\n", idx,
299 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs));
300 return -EINVAL;
301 }
302
303 return l1_cnt;
304 }
305
306 /*
307 * This function validates L0 initialization parameters.
308 *
309 * Parameters
310 * l0_mem_base Base address of memory used for L0 tables.
311 * l1_mem_size Size of memory available for L0 tables.
312 *
313 * Return
314 * Negative Linux error code in the event of a failure, 0 for success.
315 */
gpt_validate_l0_params(gpccr_pps_e pps,uintptr_t l0_mem_base,size_t l0_mem_size)316 static int gpt_validate_l0_params(gpccr_pps_e pps, uintptr_t l0_mem_base,
317 size_t l0_mem_size)
318 {
319 size_t l0_alignment;
320
321 /*
322 * Make sure PPS is valid and then store it since macros need this value
323 * to work.
324 */
325 if (pps > GPT_PPS_MAX) {
326 ERROR("[GPT] Invalid PPS: 0x%x\n", pps);
327 return -EINVAL;
328 }
329 gpt_config.pps = pps;
330 gpt_config.t = gpt_t_lookup[pps];
331
332 /* Alignment must be the greater of 4k or l0 table size. */
333 l0_alignment = PAGE_SIZE_4KB;
334 if (l0_alignment < GPT_L0_TABLE_SIZE(gpt_config.t)) {
335 l0_alignment = GPT_L0_TABLE_SIZE(gpt_config.t);
336 }
337
338 /* Check base address. */
339 if ((l0_mem_base == 0U) || ((l0_mem_base & (l0_alignment - 1)) != 0U)) {
340 ERROR("[GPT] Invalid L0 base address: 0x%lx\n", l0_mem_base);
341 return -EFAULT;
342 }
343
344 /* Check size. */
345 if (l0_mem_size < GPT_L0_TABLE_SIZE(gpt_config.t)) {
346 ERROR("[GPT] Inadequate L0 memory: need 0x%lx, have 0x%lx)\n",
347 GPT_L0_TABLE_SIZE(gpt_config.t),
348 l0_mem_size);
349 return -ENOMEM;
350 }
351
352 return 0;
353 }
354
355 /*
356 * In the event that L1 tables are needed, this function validates
357 * the L1 table generation parameters.
358 *
359 * Parameters
360 * l1_mem_base Base address of memory used for L1 table allocation.
361 * l1_mem_size Total size of memory available for L1 tables.
362 * l1_gpt_cnt Number of L1 tables needed.
363 *
364 * Return
365 * Negative Linux error code in the event of a failure, 0 for success.
366 */
gpt_validate_l1_params(uintptr_t l1_mem_base,size_t l1_mem_size,unsigned int l1_gpt_cnt)367 static int gpt_validate_l1_params(uintptr_t l1_mem_base, size_t l1_mem_size,
368 unsigned int l1_gpt_cnt)
369 {
370 size_t l1_gpt_mem_sz;
371
372 /* Check if the granularity is supported */
373 if (!xlat_arch_is_granule_size_supported(
374 GPT_PGS_ACTUAL_SIZE(gpt_config.p))) {
375 return -EPERM;
376 }
377
378 /* Make sure L1 tables are aligned to their size. */
379 if ((l1_mem_base & (GPT_L1_TABLE_SIZE(gpt_config.p) - 1)) != 0U) {
380 ERROR("[GPT] Unaligned L1 GPT base address: 0x%lx\n",
381 l1_mem_base);
382 return -EFAULT;
383 }
384
385 /* Get total memory needed for L1 tables. */
386 l1_gpt_mem_sz = l1_gpt_cnt * GPT_L1_TABLE_SIZE(gpt_config.p);
387
388 /* Check for overflow. */
389 if ((l1_gpt_mem_sz / GPT_L1_TABLE_SIZE(gpt_config.p)) != l1_gpt_cnt) {
390 ERROR("[GPT] Overflow calculating L1 memory size.\n");
391 return -ENOMEM;
392 }
393
394 /* Make sure enough space was supplied. */
395 if (l1_mem_size < l1_gpt_mem_sz) {
396 ERROR("[GPT] Inadequate memory for L1 GPTs. ");
397 ERROR(" Expected 0x%lx bytes. Got 0x%lx bytes\n",
398 l1_gpt_mem_sz, l1_mem_size);
399 return -ENOMEM;
400 }
401
402 VERBOSE("[GPT] Requested 0x%lx bytes for L1 GPTs.\n", l1_gpt_mem_sz);
403 return 0;
404 }
405
406 /*
407 * This function initializes L0 block descriptors (regions that cannot be
408 * transitioned at the granule level) according to the provided PAS.
409 *
410 * Parameters
411 * *pas Pointer to the structure defining the PAS region to
412 * initialize.
413 */
gpt_generate_l0_blk_desc(pas_region_t * pas)414 static void gpt_generate_l0_blk_desc(pas_region_t *pas)
415 {
416 uint64_t gpt_desc;
417 unsigned int end_idx;
418 unsigned int idx;
419 uint64_t *l0_gpt_arr;
420
421 assert(gpt_config.plat_gpt_l0_base != 0U);
422 assert(pas != NULL);
423
424 /*
425 * Checking of PAS parameters has already been done in
426 * gpt_validate_pas_mappings so no need to check the same things again.
427 */
428
429 l0_gpt_arr = (uint64_t *)gpt_config.plat_gpt_l0_base;
430
431 /* Create the GPT Block descriptor for this PAS region */
432 gpt_desc = GPT_L0_BLK_DESC(GPT_PAS_ATTR_GPI(pas->attrs));
433
434 /* Start index of this region in L0 GPTs */
435 idx = GPT_L0_IDX(pas->base_pa);
436
437 /*
438 * Determine number of L0 GPT descriptors covered by
439 * this PAS region and use the count to populate these
440 * descriptors.
441 */
442 end_idx = GPT_L0_IDX(pas->base_pa + pas->size);
443
444 /* Generate the needed block descriptors. */
445 for (; idx < end_idx; idx++) {
446 l0_gpt_arr[idx] = gpt_desc;
447 VERBOSE("[GPT] L0 entry (BLOCK) index %u [%p]: GPI = 0x%" PRIx64 " (0x%" PRIx64 ")\n",
448 idx, &l0_gpt_arr[idx],
449 (gpt_desc >> GPT_L0_BLK_DESC_GPI_SHIFT) &
450 GPT_L0_BLK_DESC_GPI_MASK, l0_gpt_arr[idx]);
451 }
452 }
453
454 /*
455 * Helper function to determine if the end physical address lies in the same L0
456 * region as the current physical address. If true, the end physical address is
457 * returned else, the start address of the next region is returned.
458 *
459 * Parameters
460 * cur_pa Physical address of the current PA in the loop through
461 * the range.
462 * end_pa Physical address of the end PA in a PAS range.
463 *
464 * Return
465 * The PA of the end of the current range.
466 */
gpt_get_l1_end_pa(uintptr_t cur_pa,uintptr_t end_pa)467 static uintptr_t gpt_get_l1_end_pa(uintptr_t cur_pa, uintptr_t end_pa)
468 {
469 uintptr_t cur_idx;
470 uintptr_t end_idx;
471
472 cur_idx = GPT_L0_IDX(cur_pa);
473 end_idx = GPT_L0_IDX(end_pa);
474
475 assert(cur_idx <= end_idx);
476
477 if (cur_idx == end_idx) {
478 return end_pa;
479 }
480
481 return (cur_idx + 1U) << GPT_L0_IDX_SHIFT;
482 }
483
484 /*
485 * Helper function to fill out GPI entries in a single L1 table. This function
486 * fills out entire L1 descriptors at a time to save memory writes.
487 *
488 * Parameters
489 * gpi GPI to set this range to
490 * l1 Pointer to L1 table to fill out
491 * first Address of first granule in range.
492 * last Address of last granule in range (inclusive).
493 */
gpt_fill_l1_tbl(uint64_t gpi,uint64_t * l1,uintptr_t first,uintptr_t last)494 static void gpt_fill_l1_tbl(uint64_t gpi, uint64_t *l1, uintptr_t first,
495 uintptr_t last)
496 {
497 uint64_t gpi_field = GPT_BUILD_L1_DESC(gpi);
498 uint64_t gpi_mask = 0xFFFFFFFFFFFFFFFF;
499
500 assert(first <= last);
501 assert((first & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) == 0U);
502 assert((last & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) == 0U);
503 assert(GPT_L0_IDX(first) == GPT_L0_IDX(last));
504 assert(l1 != NULL);
505
506 /* Shift the mask if we're starting in the middle of an L1 entry. */
507 gpi_mask = gpi_mask << (GPT_L1_GPI_IDX(gpt_config.p, first) << 2);
508
509 /* Fill out each L1 entry for this region. */
510 for (unsigned int i = GPT_L1_IDX(gpt_config.p, first);
511 i <= GPT_L1_IDX(gpt_config.p, last); i++) {
512 /* Account for stopping in the middle of an L1 entry. */
513 if (i == GPT_L1_IDX(gpt_config.p, last)) {
514 gpi_mask &= (gpi_mask >> ((15 -
515 GPT_L1_GPI_IDX(gpt_config.p, last)) << 2));
516 }
517
518 /* Write GPI values. */
519 assert((l1[i] & gpi_mask) ==
520 (GPT_BUILD_L1_DESC(GPT_GPI_ANY) & gpi_mask));
521 l1[i] = (l1[i] & ~gpi_mask) | (gpi_mask & gpi_field);
522
523 /* Reset mask. */
524 gpi_mask = 0xFFFFFFFFFFFFFFFF;
525 }
526 }
527
528 /*
529 * This function finds the next available unused L1 table and initializes all
530 * granules descriptor entries to GPI_ANY. This ensures that there are no chunks
531 * of GPI_NO_ACCESS (0b0000) memory floating around in the system in the
532 * event that a PAS region stops midway through an L1 table, thus guaranteeing
533 * that all memory not explicitly assigned is GPI_ANY. This function does not
534 * check for overflow conditions, that should be done by the caller.
535 *
536 * Return
537 * Pointer to the next available L1 table.
538 */
gpt_get_new_l1_tbl(void)539 static uint64_t *gpt_get_new_l1_tbl(void)
540 {
541 /* Retrieve the next L1 table. */
542 uint64_t *l1 = (uint64_t *)((uint64_t)(gpt_l1_tbl) +
543 (GPT_L1_TABLE_SIZE(gpt_config.p) *
544 gpt_next_l1_tbl_idx));
545
546 /* Increment L1 counter. */
547 gpt_next_l1_tbl_idx++;
548
549 /* Initialize all GPIs to GPT_GPI_ANY */
550 for (unsigned int i = 0U; i < GPT_L1_ENTRY_COUNT(gpt_config.p); i++) {
551 l1[i] = GPT_BUILD_L1_DESC(GPT_GPI_ANY);
552 }
553
554 return l1;
555 }
556
557 /*
558 * When L1 tables are needed, this function creates the necessary L0 table
559 * descriptors and fills out the L1 table entries according to the supplied
560 * PAS range.
561 *
562 * Parameters
563 * *pas Pointer to the structure defining the PAS region.
564 */
gpt_generate_l0_tbl_desc(pas_region_t * pas)565 static void gpt_generate_l0_tbl_desc(pas_region_t *pas)
566 {
567 uintptr_t end_pa;
568 uintptr_t cur_pa;
569 uintptr_t last_gran_pa;
570 uint64_t *l0_gpt_base;
571 uint64_t *l1_gpt_arr;
572 unsigned int l0_idx;
573
574 assert(gpt_config.plat_gpt_l0_base != 0U);
575 assert(pas != NULL);
576
577 /*
578 * Checking of PAS parameters has already been done in
579 * gpt_validate_pas_mappings so no need to check the same things again.
580 */
581
582 end_pa = pas->base_pa + pas->size;
583 l0_gpt_base = (uint64_t *)gpt_config.plat_gpt_l0_base;
584
585 /* We start working from the granule at base PA */
586 cur_pa = pas->base_pa;
587
588 /* Iterate over each L0 region in this memory range. */
589 for (l0_idx = GPT_L0_IDX(pas->base_pa);
590 l0_idx <= GPT_L0_IDX(end_pa - 1U);
591 l0_idx++) {
592
593 /*
594 * See if the L0 entry is already a table descriptor or if we
595 * need to create one.
596 */
597 if (GPT_L0_TYPE(l0_gpt_base[l0_idx]) == GPT_L0_TYPE_TBL_DESC) {
598 /* Get the L1 array from the L0 entry. */
599 l1_gpt_arr = GPT_L0_TBLD_ADDR(l0_gpt_base[l0_idx]);
600 } else {
601 /* Get a new L1 table from the L1 memory space. */
602 l1_gpt_arr = gpt_get_new_l1_tbl();
603
604 /* Fill out the L0 descriptor and flush it. */
605 l0_gpt_base[l0_idx] = GPT_L0_TBL_DESC(l1_gpt_arr);
606 }
607
608 VERBOSE("[GPT] L0 entry (TABLE) index %u [%p] ==> L1 Addr 0x%llx (0x%" PRIx64 ")\n",
609 l0_idx, &l0_gpt_base[l0_idx],
610 (unsigned long long)(l1_gpt_arr),
611 l0_gpt_base[l0_idx]);
612
613 /*
614 * Determine the PA of the last granule in this L0 descriptor.
615 */
616 last_gran_pa = gpt_get_l1_end_pa(cur_pa, end_pa) -
617 GPT_PGS_ACTUAL_SIZE(gpt_config.p);
618
619 /*
620 * Fill up L1 GPT entries between these two addresses. This
621 * function needs the addresses of the first granule and last
622 * granule in the range.
623 */
624 gpt_fill_l1_tbl(GPT_PAS_ATTR_GPI(pas->attrs), l1_gpt_arr,
625 cur_pa, last_gran_pa);
626
627 /* Advance cur_pa to first granule in next L0 region. */
628 cur_pa = gpt_get_l1_end_pa(cur_pa, end_pa);
629 }
630 }
631
632 /*
633 * This function flushes a range of L0 descriptors used by a given PAS region
634 * array. There is a chance that some unmodified L0 descriptors would be flushed
635 * in the case that there are "holes" in an array of PAS regions but overall
636 * this should be faster than individually flushing each modified L0 descriptor
637 * as they are created.
638 *
639 * Parameters
640 * *pas Pointer to an array of PAS regions.
641 * pas_count Number of entries in the PAS array.
642 */
flush_l0_for_pas_array(pas_region_t * pas,unsigned int pas_count)643 static void flush_l0_for_pas_array(pas_region_t *pas, unsigned int pas_count)
644 {
645 unsigned int idx;
646 unsigned int start_idx;
647 unsigned int end_idx;
648 uint64_t *l0 = (uint64_t *)gpt_config.plat_gpt_l0_base;
649
650 assert(pas != NULL);
651 assert(pas_count > 0);
652
653 /* Initial start and end values. */
654 start_idx = GPT_L0_IDX(pas[0].base_pa);
655 end_idx = GPT_L0_IDX(pas[0].base_pa + pas[0].size - 1);
656
657 /* Find lowest and highest L0 indices used in this PAS array. */
658 for (idx = 1; idx < pas_count; idx++) {
659 if (GPT_L0_IDX(pas[idx].base_pa) < start_idx) {
660 start_idx = GPT_L0_IDX(pas[idx].base_pa);
661 }
662 if (GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1) > end_idx) {
663 end_idx = GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1);
664 }
665 }
666
667 /*
668 * Flush all covered L0 descriptors, add 1 because we need to include
669 * the end index value.
670 */
671 flush_dcache_range((uintptr_t)&l0[start_idx],
672 ((end_idx + 1) - start_idx) * sizeof(uint64_t));
673 }
674
675 /*
676 * Public API to enable granule protection checks once the tables have all been
677 * initialized. This function is called at first initialization and then again
678 * later during warm boots of CPU cores.
679 *
680 * Return
681 * Negative Linux error code in the event of a failure, 0 for success.
682 */
gpt_enable(void)683 int gpt_enable(void)
684 {
685 u_register_t gpccr_el3;
686
687 /*
688 * Granule tables must be initialised before enabling
689 * granule protection.
690 */
691 if (gpt_config.plat_gpt_l0_base == 0U) {
692 ERROR("[GPT] Tables have not been initialized!\n");
693 return -EPERM;
694 }
695
696 /* Write the base address of the L0 tables into GPTBR */
697 write_gptbr_el3(((gpt_config.plat_gpt_l0_base >> GPTBR_BADDR_VAL_SHIFT)
698 >> GPTBR_BADDR_SHIFT) & GPTBR_BADDR_MASK);
699
700 /* GPCCR_EL3.PPS */
701 gpccr_el3 = SET_GPCCR_PPS(gpt_config.pps);
702
703 /* GPCCR_EL3.PGS */
704 gpccr_el3 |= SET_GPCCR_PGS(gpt_config.pgs);
705
706 /*
707 * Since EL3 maps the L1 region as Inner shareable, use the same
708 * shareability attribute for GPC as well so that
709 * GPC fetches are visible to PEs
710 */
711 gpccr_el3 |= SET_GPCCR_SH(GPCCR_SH_IS);
712
713 /* Outer and Inner cacheability set to Normal memory, WB, RA, WA. */
714 gpccr_el3 |= SET_GPCCR_ORGN(GPCCR_ORGN_WB_RA_WA);
715 gpccr_el3 |= SET_GPCCR_IRGN(GPCCR_IRGN_WB_RA_WA);
716
717 /* Prepopulate GPCCR_EL3 but don't enable GPC yet */
718 write_gpccr_el3(gpccr_el3);
719 isb();
720
721 /* Invalidate any stale TLB entries and any cached register fields */
722 tlbipaallos();
723 dsb();
724 isb();
725
726 /* Enable GPT */
727 gpccr_el3 |= GPCCR_GPC_BIT;
728
729 /* TODO: Configure GPCCR_EL3_GPCP for Fault control. */
730 write_gpccr_el3(gpccr_el3);
731 isb();
732 tlbipaallos();
733 dsb();
734 isb();
735
736 return 0;
737 }
738
739 /*
740 * Public API to disable granule protection checks.
741 */
gpt_disable(void)742 void gpt_disable(void)
743 {
744 u_register_t gpccr_el3 = read_gpccr_el3();
745
746 write_gpccr_el3(gpccr_el3 & ~GPCCR_GPC_BIT);
747 dsbsy();
748 isb();
749 }
750
751 /*
752 * Public API that initializes the entire protected space to GPT_GPI_ANY using
753 * the L0 tables (block descriptors). Ideally, this function is invoked prior
754 * to DDR discovery and initialization. The MMU must be initialized before
755 * calling this function.
756 *
757 * Parameters
758 * pps PPS value to use for table generation
759 * l0_mem_base Base address of L0 tables in memory.
760 * l0_mem_size Total size of memory available for L0 tables.
761 *
762 * Return
763 * Negative Linux error code in the event of a failure, 0 for success.
764 */
gpt_init_l0_tables(gpccr_pps_e pps,uintptr_t l0_mem_base,size_t l0_mem_size)765 int gpt_init_l0_tables(gpccr_pps_e pps, uintptr_t l0_mem_base,
766 size_t l0_mem_size)
767 {
768 int ret;
769 uint64_t gpt_desc;
770
771 /* Ensure that MMU and Data caches are enabled. */
772 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U);
773
774 /* Validate other parameters. */
775 ret = gpt_validate_l0_params(pps, l0_mem_base, l0_mem_size);
776 if (ret != 0) {
777 return ret;
778 }
779
780 /* Create the descriptor to initialize L0 entries with. */
781 gpt_desc = GPT_L0_BLK_DESC(GPT_GPI_ANY);
782
783 /* Iterate through all L0 entries */
784 for (unsigned int i = 0U; i < GPT_L0_REGION_COUNT(gpt_config.t); i++) {
785 ((uint64_t *)l0_mem_base)[i] = gpt_desc;
786 }
787
788 /* Flush updated L0 tables to memory. */
789 flush_dcache_range((uintptr_t)l0_mem_base,
790 (size_t)GPT_L0_TABLE_SIZE(gpt_config.t));
791
792 /* Stash the L0 base address once initial setup is complete. */
793 gpt_config.plat_gpt_l0_base = l0_mem_base;
794
795 return 0;
796 }
797
798 /*
799 * Public API that carves out PAS regions from the L0 tables and builds any L1
800 * tables that are needed. This function ideally is run after DDR discovery and
801 * initialization. The L0 tables must have already been initialized to GPI_ANY
802 * when this function is called.
803 *
804 * This function can be called multiple times with different L1 memory ranges
805 * and PAS regions if it is desirable to place L1 tables in different locations
806 * in memory. (ex: you have multiple DDR banks and want to place the L1 tables
807 * in the DDR bank that they control)
808 *
809 * Parameters
810 * pgs PGS value to use for table generation.
811 * l1_mem_base Base address of memory used for L1 tables.
812 * l1_mem_size Total size of memory available for L1 tables.
813 * *pas_regions Pointer to PAS regions structure array.
814 * pas_count Total number of PAS regions.
815 *
816 * Return
817 * Negative Linux error code in the event of a failure, 0 for success.
818 */
gpt_init_pas_l1_tables(gpccr_pgs_e pgs,uintptr_t l1_mem_base,size_t l1_mem_size,pas_region_t * pas_regions,unsigned int pas_count)819 int gpt_init_pas_l1_tables(gpccr_pgs_e pgs, uintptr_t l1_mem_base,
820 size_t l1_mem_size, pas_region_t *pas_regions,
821 unsigned int pas_count)
822 {
823 int ret;
824 int l1_gpt_cnt;
825
826 /* Ensure that MMU and Data caches are enabled. */
827 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U);
828
829 /* PGS is needed for gpt_validate_pas_mappings so check it now. */
830 if (pgs > GPT_PGS_MAX) {
831 ERROR("[GPT] Invalid PGS: 0x%x\n", pgs);
832 return -EINVAL;
833 }
834 gpt_config.pgs = pgs;
835 gpt_config.p = gpt_p_lookup[pgs];
836
837 /* Make sure L0 tables have been initialized. */
838 if (gpt_config.plat_gpt_l0_base == 0U) {
839 ERROR("[GPT] L0 tables must be initialized first!\n");
840 return -EPERM;
841 }
842
843 /* Check if L1 GPTs are required and how many. */
844 l1_gpt_cnt = gpt_validate_pas_mappings(pas_regions, pas_count);
845 if (l1_gpt_cnt < 0) {
846 return l1_gpt_cnt;
847 }
848
849 VERBOSE("[GPT] %u L1 GPTs requested.\n", l1_gpt_cnt);
850
851 /* If L1 tables are needed then validate the L1 parameters. */
852 if (l1_gpt_cnt > 0) {
853 ret = gpt_validate_l1_params(l1_mem_base, l1_mem_size,
854 l1_gpt_cnt);
855 if (ret != 0) {
856 return ret;
857 }
858
859 /* Set up parameters for L1 table generation. */
860 gpt_l1_tbl = l1_mem_base;
861 gpt_next_l1_tbl_idx = 0U;
862 }
863
864 INFO("[GPT] Boot Configuration\n");
865 INFO(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t);
866 INFO(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p);
867 INFO(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL);
868 INFO(" PAS count: 0x%x\n", pas_count);
869 INFO(" L0 base: 0x%lx\n", gpt_config.plat_gpt_l0_base);
870
871 /* Generate the tables in memory. */
872 for (unsigned int idx = 0U; idx < pas_count; idx++) {
873 INFO("[GPT] PAS[%u]: base 0x%lx, size 0x%lx, GPI 0x%x, type 0x%x\n",
874 idx, pas_regions[idx].base_pa, pas_regions[idx].size,
875 GPT_PAS_ATTR_GPI(pas_regions[idx].attrs),
876 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs));
877
878 /* Check if a block or table descriptor is required */
879 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) ==
880 GPT_PAS_ATTR_MAP_TYPE_BLOCK) {
881 gpt_generate_l0_blk_desc(&pas_regions[idx]);
882
883 } else {
884 gpt_generate_l0_tbl_desc(&pas_regions[idx]);
885 }
886 }
887
888 /* Flush modified L0 tables. */
889 flush_l0_for_pas_array(pas_regions, pas_count);
890
891 /* Flush L1 tables if needed. */
892 if (l1_gpt_cnt > 0) {
893 flush_dcache_range(l1_mem_base,
894 GPT_L1_TABLE_SIZE(gpt_config.p) *
895 l1_gpt_cnt);
896 }
897
898 /* Make sure that all the entries are written to the memory. */
899 dsbishst();
900 tlbipaallos();
901 dsb();
902 isb();
903
904 return 0;
905 }
906
907 /*
908 * Public API to initialize the runtime gpt_config structure based on the values
909 * present in the GPTBR_EL3 and GPCCR_EL3 registers. GPT initialization
910 * typically happens in a bootloader stage prior to setting up the EL3 runtime
911 * environment for the granule transition service so this function detects the
912 * initialization from a previous stage. Granule protection checks must be
913 * enabled already or this function will return an error.
914 *
915 * Return
916 * Negative Linux error code in the event of a failure, 0 for success.
917 */
gpt_runtime_init(void)918 int gpt_runtime_init(void)
919 {
920 u_register_t reg;
921
922 /* Ensure that MMU and Data caches are enabled. */
923 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U);
924
925 /* Ensure GPC are already enabled. */
926 if ((read_gpccr_el3() & GPCCR_GPC_BIT) == 0U) {
927 ERROR("[GPT] Granule protection checks are not enabled!\n");
928 return -EPERM;
929 }
930
931 /*
932 * Read the L0 table address from GPTBR, we don't need the L1 base
933 * address since those are included in the L0 tables as needed.
934 */
935 reg = read_gptbr_el3();
936 gpt_config.plat_gpt_l0_base = ((reg >> GPTBR_BADDR_SHIFT) &
937 GPTBR_BADDR_MASK) <<
938 GPTBR_BADDR_VAL_SHIFT;
939
940 /* Read GPCCR to get PGS and PPS values. */
941 reg = read_gpccr_el3();
942 gpt_config.pps = (reg >> GPCCR_PPS_SHIFT) & GPCCR_PPS_MASK;
943 gpt_config.t = gpt_t_lookup[gpt_config.pps];
944 gpt_config.pgs = (reg >> GPCCR_PGS_SHIFT) & GPCCR_PGS_MASK;
945 gpt_config.p = gpt_p_lookup[gpt_config.pgs];
946
947 VERBOSE("[GPT] Runtime Configuration\n");
948 VERBOSE(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t);
949 VERBOSE(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p);
950 VERBOSE(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL);
951 VERBOSE(" L0 base: 0x%lx\n", gpt_config.plat_gpt_l0_base);
952
953 return 0;
954 }
955
956 /*
957 * The L1 descriptors are protected by a spinlock to ensure that multiple
958 * CPUs do not attempt to change the descriptors at once. In the future it
959 * would be better to have separate spinlocks for each L1 descriptor.
960 */
961 static spinlock_t gpt_lock;
962
963 /*
964 * A helper to write the value (target_pas << gpi_shift) to the index of
965 * the gpt_l1_addr
966 */
write_gpt(uint64_t * gpt_l1_desc,uint64_t * gpt_l1_addr,unsigned int gpi_shift,unsigned int idx,unsigned int target_pas)967 static inline void write_gpt(uint64_t *gpt_l1_desc, uint64_t *gpt_l1_addr,
968 unsigned int gpi_shift, unsigned int idx,
969 unsigned int target_pas)
970 {
971 *gpt_l1_desc &= ~(GPT_L1_GRAN_DESC_GPI_MASK << gpi_shift);
972 *gpt_l1_desc |= ((uint64_t)target_pas << gpi_shift);
973 gpt_l1_addr[idx] = *gpt_l1_desc;
974 }
975
976 /*
977 * Helper to retrieve the gpt_l1_* information from the base address
978 * returned in gpi_info
979 */
get_gpi_params(uint64_t base,gpi_info_t * gpi_info)980 static int get_gpi_params(uint64_t base, gpi_info_t *gpi_info)
981 {
982 uint64_t gpt_l0_desc, *gpt_l0_base;
983
984 gpt_l0_base = (uint64_t *)gpt_config.plat_gpt_l0_base;
985 gpt_l0_desc = gpt_l0_base[GPT_L0_IDX(base)];
986 if (GPT_L0_TYPE(gpt_l0_desc) != GPT_L0_TYPE_TBL_DESC) {
987 VERBOSE("[GPT] Granule is not covered by a table descriptor!\n");
988 VERBOSE(" Base=0x%" PRIx64 "\n", base);
989 return -EINVAL;
990 }
991
992 /* Get the table index and GPI shift from PA. */
993 gpi_info->gpt_l1_addr = GPT_L0_TBLD_ADDR(gpt_l0_desc);
994 gpi_info->idx = GPT_L1_IDX(gpt_config.p, base);
995 gpi_info->gpi_shift = GPT_L1_GPI_IDX(gpt_config.p, base) << 2;
996
997 gpi_info->gpt_l1_desc = (gpi_info->gpt_l1_addr)[gpi_info->idx];
998 gpi_info->gpi = (gpi_info->gpt_l1_desc >> gpi_info->gpi_shift) &
999 GPT_L1_GRAN_DESC_GPI_MASK;
1000 return 0;
1001 }
1002
1003 /*
1004 * This function is the granule transition delegate service. When a granule
1005 * transition request occurs it is routed to this function to have the request,
1006 * if valid, fulfilled following A1.1.1 Delegate of RME supplement
1007 *
1008 * TODO: implement support for transitioning multiple granules at once.
1009 *
1010 * Parameters
1011 * base Base address of the region to transition, must be
1012 * aligned to granule size.
1013 * size Size of region to transition, must be aligned to granule
1014 * size.
1015 * src_sec_state Security state of the caller.
1016 *
1017 * Return
1018 * Negative Linux error code in the event of a failure, 0 for success.
1019 */
gpt_delegate_pas(uint64_t base,size_t size,unsigned int src_sec_state)1020 int gpt_delegate_pas(uint64_t base, size_t size, unsigned int src_sec_state)
1021 {
1022 gpi_info_t gpi_info;
1023 uint64_t nse;
1024 int res;
1025 unsigned int target_pas;
1026
1027 /* Ensure that the tables have been set up before taking requests. */
1028 assert(gpt_config.plat_gpt_l0_base != 0UL);
1029
1030 /* Ensure that caches are enabled. */
1031 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL);
1032
1033 /* Delegate request can only come from REALM or SECURE */
1034 assert(src_sec_state == SMC_FROM_REALM ||
1035 src_sec_state == SMC_FROM_SECURE);
1036
1037 /* See if this is a single or a range of granule transition. */
1038 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) {
1039 return -EINVAL;
1040 }
1041
1042 /* Check that base and size are valid */
1043 if ((ULONG_MAX - base) < size) {
1044 VERBOSE("[GPT] Transition request address overflow!\n");
1045 VERBOSE(" Base=0x%" PRIx64 "\n", base);
1046 VERBOSE(" Size=0x%lx\n", size);
1047 return -EINVAL;
1048 }
1049
1050 /* Make sure base and size are valid. */
1051 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1052 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1053 (size == 0UL) ||
1054 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) {
1055 VERBOSE("[GPT] Invalid granule transition address range!\n");
1056 VERBOSE(" Base=0x%" PRIx64 "\n", base);
1057 VERBOSE(" Size=0x%lx\n", size);
1058 return -EINVAL;
1059 }
1060
1061 target_pas = GPT_GPI_REALM;
1062 if (src_sec_state == SMC_FROM_SECURE) {
1063 target_pas = GPT_GPI_SECURE;
1064 }
1065
1066 /*
1067 * Access to L1 tables is controlled by a global lock to ensure
1068 * that no more than one CPU is allowed to make changes at any
1069 * given time.
1070 */
1071 spin_lock(&gpt_lock);
1072 res = get_gpi_params(base, &gpi_info);
1073 if (res != 0) {
1074 spin_unlock(&gpt_lock);
1075 return res;
1076 }
1077
1078 /* Check that the current address is in NS state */
1079 if (gpi_info.gpi != GPT_GPI_NS) {
1080 VERBOSE("[GPT] Only Granule in NS state can be delegated.\n");
1081 VERBOSE(" Caller: %u, Current GPI: %u\n", src_sec_state,
1082 gpi_info.gpi);
1083 spin_unlock(&gpt_lock);
1084 return -EPERM;
1085 }
1086
1087 if (src_sec_state == SMC_FROM_SECURE) {
1088 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT;
1089 } else {
1090 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT;
1091 }
1092
1093 /*
1094 * In order to maintain mutual distrust between Realm and Secure
1095 * states, remove any data speculatively fetched into the target
1096 * physical address space. Issue DC CIPAPA over address range
1097 */
1098 flush_dcache_to_popa_range(nse | base,
1099 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1100
1101 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr,
1102 gpi_info.gpi_shift, gpi_info.idx, target_pas);
1103 dsboshst();
1104
1105 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1106 dsbosh();
1107
1108 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT;
1109
1110 flush_dcache_to_popa_range(nse | base,
1111 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1112
1113 /* Unlock access to the L1 tables. */
1114 spin_unlock(&gpt_lock);
1115
1116 /*
1117 * The isb() will be done as part of context
1118 * synchronization when returning to lower EL
1119 */
1120 VERBOSE("[GPT] Granule 0x%" PRIx64 ", GPI 0x%x->0x%x\n",
1121 base, gpi_info.gpi, target_pas);
1122
1123 return 0;
1124 }
1125
1126 /*
1127 * This function is the granule transition undelegate service. When a granule
1128 * transition request occurs it is routed to this function where the request is
1129 * validated then fulfilled if possible.
1130 *
1131 * TODO: implement support for transitioning multiple granules at once.
1132 *
1133 * Parameters
1134 * base Base address of the region to transition, must be
1135 * aligned to granule size.
1136 * size Size of region to transition, must be aligned to granule
1137 * size.
1138 * src_sec_state Security state of the caller.
1139 *
1140 * Return
1141 * Negative Linux error code in the event of a failure, 0 for success.
1142 */
gpt_undelegate_pas(uint64_t base,size_t size,unsigned int src_sec_state)1143 int gpt_undelegate_pas(uint64_t base, size_t size, unsigned int src_sec_state)
1144 {
1145 gpi_info_t gpi_info;
1146 uint64_t nse;
1147 int res;
1148
1149 /* Ensure that the tables have been set up before taking requests. */
1150 assert(gpt_config.plat_gpt_l0_base != 0UL);
1151
1152 /* Ensure that MMU and caches are enabled. */
1153 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL);
1154
1155 /* Delegate request can only come from REALM or SECURE */
1156 assert(src_sec_state == SMC_FROM_REALM ||
1157 src_sec_state == SMC_FROM_SECURE);
1158
1159 /* See if this is a single or a range of granule transition. */
1160 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) {
1161 return -EINVAL;
1162 }
1163
1164 /* Check that base and size are valid */
1165 if ((ULONG_MAX - base) < size) {
1166 VERBOSE("[GPT] Transition request address overflow!\n");
1167 VERBOSE(" Base=0x%" PRIx64 "\n", base);
1168 VERBOSE(" Size=0x%lx\n", size);
1169 return -EINVAL;
1170 }
1171
1172 /* Make sure base and size are valid. */
1173 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1174 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1175 (size == 0UL) ||
1176 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) {
1177 VERBOSE("[GPT] Invalid granule transition address range!\n");
1178 VERBOSE(" Base=0x%" PRIx64 "\n", base);
1179 VERBOSE(" Size=0x%lx\n", size);
1180 return -EINVAL;
1181 }
1182
1183 /*
1184 * Access to L1 tables is controlled by a global lock to ensure
1185 * that no more than one CPU is allowed to make changes at any
1186 * given time.
1187 */
1188 spin_lock(&gpt_lock);
1189
1190 res = get_gpi_params(base, &gpi_info);
1191 if (res != 0) {
1192 spin_unlock(&gpt_lock);
1193 return res;
1194 }
1195
1196 /* Check that the current address is in the delegated state */
1197 if ((src_sec_state == SMC_FROM_REALM &&
1198 gpi_info.gpi != GPT_GPI_REALM) ||
1199 (src_sec_state == SMC_FROM_SECURE &&
1200 gpi_info.gpi != GPT_GPI_SECURE)) {
1201 VERBOSE("[GPT] Only Granule in REALM or SECURE state can be undelegated.\n");
1202 VERBOSE(" Caller: %u, Current GPI: %u\n", src_sec_state,
1203 gpi_info.gpi);
1204 spin_unlock(&gpt_lock);
1205 return -EPERM;
1206 }
1207
1208
1209 /* In order to maintain mutual distrust between Realm and Secure
1210 * states, remove access now, in order to guarantee that writes
1211 * to the currently-accessible physical address space will not
1212 * later become observable.
1213 */
1214 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr,
1215 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NO_ACCESS);
1216 dsboshst();
1217
1218 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1219 dsbosh();
1220
1221 if (src_sec_state == SMC_FROM_SECURE) {
1222 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT;
1223 } else {
1224 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT;
1225 }
1226
1227 /* Ensure that the scrubbed data has made it past the PoPA */
1228 flush_dcache_to_popa_range(nse | base,
1229 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1230
1231 /*
1232 * Remove any data loaded speculatively
1233 * in NS space from before the scrubbing
1234 */
1235 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT;
1236
1237 flush_dcache_to_popa_range(nse | base,
1238 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1239
1240 /* Clear existing GPI encoding and transition granule. */
1241 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr,
1242 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NS);
1243 dsboshst();
1244
1245 /* Ensure that all agents observe the new NS configuration */
1246 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1247 dsbosh();
1248
1249 /* Unlock access to the L1 tables. */
1250 spin_unlock(&gpt_lock);
1251
1252 /*
1253 * The isb() will be done as part of context
1254 * synchronization when returning to lower EL
1255 */
1256 VERBOSE("[GPT] Granule 0x%" PRIx64 ", GPI 0x%x->0x%x\n",
1257 base, gpi_info.gpi, GPT_GPI_NS);
1258
1259 return 0;
1260 }
1261