| Message ID | 20220622134219.1596613-3-jens.wiklander@linaro.org (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Xen FF-A mediator | expand |
Hi Jens, I haven't checked whether the FFA driver is complaint with the spec. I mainly checked whether the code makes sense from Xen PoV. This is a fairly long patch to review. So I will split my review in multiple session/e-mail. On 22/06/2022 14:42, Jens Wiklander wrote: > Adds a FF-A version 1.1 [1] mediator to communicate with a Secure > Partition in secure world. > > The implementation is the bare minimum to be able to communicate with > OP-TEE running as an SPMC at S-EL1. > > This is loosely based on the TEE mediator framework and the OP-TEE > mediator. > > [1] https://developer.arm.com/documentation/den0077/latest > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> > --- > SUPPORT.md | 7 + > tools/libs/light/libxl_arm.c | 3 + > tools/libs/light/libxl_types.idl | 1 + > tools/xl/xl_parse.c | 3 + These changes would need an ack from the toolstack maintainers. > xen/arch/arm/Kconfig | 11 + > xen/arch/arm/Makefile | 1 + > xen/arch/arm/domain.c | 10 + > xen/arch/arm/domain_build.c | 1 + > xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ > xen/arch/arm/include/asm/domain.h | 4 + > xen/arch/arm/include/asm/ffa.h | 71 ++ > xen/arch/arm/vsmc.c | 17 +- > xen/include/public/arch-arm.h | 2 + > 13 files changed, 1811 insertions(+), 3 deletions(-) > create mode 100644 xen/arch/arm/ffa.c > create mode 100644 xen/arch/arm/include/asm/ffa.h > > diff --git a/SUPPORT.md b/SUPPORT.md > index 70e98964cbc0..215bb3c9043b 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md > @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. > > No support for QEMU backends in a 16K or 64K domain. > > +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator > + > + Status, Arm64: Tech Preview > + > +There are still some code paths where a vCPU may hog a pCPU longer than > +necessary. The FF-A mediator is not yet implemented for Arm32. > + > ### ARM: Guest Device Tree support > > Status: Supported > diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c > index eef1de093914..a985609861c7 100644 > --- a/tools/libs/light/libxl_arm.c > +++ b/tools/libs/light/libxl_arm.c > @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, > return ERROR_FAIL; > } > > + config->arch.ffa_enabled = > + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); > + > return 0; > } > > diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl > index 2a42da2f7d78..bf4544bef399 100644 > --- a/tools/libs/light/libxl_types.idl > +++ b/tools/libs/light/libxl_types.idl > @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ > > ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), > ("vuart", libxl_vuart_type), > + ("ffa_enabled", libxl_defbool), This needs to be accompagnied with a define LIBXL_HAVE_* in tools/include/libxl.h. Please see the examples in the header. > ])), > ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool), > ])), > diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c > index b98c0de378b6..e0e99ed8d2b1 100644 > --- a/tools/xl/xl_parse.c > +++ b/tools/xl/xl_parse.c > @@ -2746,6 +2746,9 @@ skip_usbdev: > exit(-ERROR_FAIL); > } > } > + libxl_defbool_setdefault(&b_info->arch_arm.ffa_enabled, false); > + xlu_cfg_get_defbool(config, "ffa_enabled", > + &b_info->arch_arm.ffa_enabled, 0); This option needs to be documented in docs/man/xl.cfg.5.pod.in. > > parse_vkb_list(config, d_config); > > diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig > index be9eff014120..e57e1d3757e2 100644 > --- a/xen/arch/arm/Kconfig > +++ b/xen/arch/arm/Kconfig > @@ -139,6 +139,17 @@ config TEE > > source "arch/arm/tee/Kconfig" > > +config FFA > + bool "Enable FF-A mediator support" if EXPERT > + default n > + depends on ARM_64 > + help > + This option enables a minimal FF-A mediator. The mediator is > + generic as it follows the FF-A specification [1], but it only > + implements a small subset of the specification. Where would a user be able to find which subset of the specification that Xen implements? > + > + [1] https://developer.arm.com/documentation/den0077/latest > + > endmenu > > menu "ARM errata workaround via the alternative framework" > diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile > index bb7a6151c13c..af0c69f793d4 100644 > --- a/xen/arch/arm/Makefile > +++ b/xen/arch/arm/Makefile > @@ -20,6 +20,7 @@ obj-y += domain_build.init.o > obj-y += domctl.o > obj-$(CONFIG_EARLY_PRINTK) += early_printk.o > obj-y += efi/ > +obj-$(CONFIG_FFA) += ffa.o > obj-y += gic.o > obj-y += gic-v2.o > obj-$(CONFIG_GICV3) += gic-v3.o > diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c > index 8110c1df8638..a3f00e7e234d 100644 > --- a/xen/arch/arm/domain.c > +++ b/xen/arch/arm/domain.c > @@ -27,6 +27,7 @@ > #include <asm/cpufeature.h> > #include <asm/current.h> > #include <asm/event.h> > +#include <asm/ffa.h> > #include <asm/gic.h> > #include <asm/guest_atomics.h> > #include <asm/irq.h> > @@ -756,6 +757,9 @@ int arch_domain_create(struct domain *d, > if ( (rc = tee_domain_init(d, config->arch.tee_type)) != 0 ) > goto fail; > > + if ( (rc = ffa_domain_init(d, config->arch.ffa_enabled)) != 0 ) > + goto fail; > + > update_domain_wallclock_time(d); > > /* > @@ -998,6 +1002,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) > enum { > PROG_pci = 1, > PROG_tee, > + PROG_ffa, > PROG_xen, > PROG_page, > PROG_mapping, > @@ -1043,6 +1048,11 @@ int domain_relinquish_resources(struct domain *d) > > PROGRESS(tee): > ret = tee_relinquish_resources(d); > + if ( ret ) > + return ret; > + > + PROGRESS(ffa): > + ret = ffa_relinquish_resources(d); > if (ret ) > return ret; > > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c > index 7ddd16c26da5..d708f76356f7 100644 > --- a/xen/arch/arm/domain_build.c > +++ b/xen/arch/arm/domain_build.c > @@ -3450,6 +3450,7 @@ void __init create_dom0(void) > if ( gic_number_lines() > 992 ) > printk(XENLOG_WARNING "Maximum number of vGIC IRQs exceeded.\n"); > dom0_cfg.arch.tee_type = tee_get_type(); > + dom0_cfg.arch.ffa_enabled = true; AFAICT, ffa_enabled is a uint8_t. So we should use 1. However, I am not convinced that using a uint8_t for what looks like a boolean is warrant. I will detail more on the definition. > dom0_cfg.max_vcpus = dom0_max_vcpus(); > > if ( iommu_enabled ) > diff --git a/xen/arch/arm/ffa.c b/xen/arch/arm/ffa.c > new file mode 100644 > index 000000000000..3117ce5cec4d > --- /dev/null > +++ b/xen/arch/arm/ffa.c > @@ -0,0 +1,1683 @@ > +/* > + * xen/arch/arm/ffa.c > + * > + * Arm Firmware Framework for ARMv8-A (FF-A) mediator > + * > + * Copyright (C) 2022 Linaro Limited > + * > + * Permission is hereby granted, free of charge, to any person > + * obtaining a copy of this software and associated documentation > + * files (the "Software"), to deal in the Software without restriction, > + * including without limitation the rights to use, copy, modify, merge, > + * publish, distribute, sublicense, and/or sell copies of the Software, > + * and to permit persons to whom the Software is furnished to do so, > + * subject to the following conditions: > + * > + * The above copyright notice and this permission notice shall be > + * included in all copies or substantial portions of the Software. > + * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. This doesn't look like to be a GPLv2 license. Can you clarify which license you are using? > + */ > + > +#include <xen/domain_page.h> > +#include <xen/errno.h> > +#include <xen/init.h> > +#include <xen/lib.h> > +#include <xen/sched.h> > +#include <xen/types.h> > +#include <xen/sizes.h> > +#include <xen/bitops.h> > + > +#include <asm/smccc.h> > +#include <asm/event.h> > +#include <asm/ffa.h> > +#include <asm/regs.h> > + > +/* Error codes */ All the #define below are using hard tab. Please use soft tab. > +#define FFA_RET_OK 0 > +#define FFA_RET_NOT_SUPPORTED -1 > +#define FFA_RET_INVALID_PARAMETERS -2 > +#define FFA_RET_NO_MEMORY -3 > +#define FFA_RET_BUSY -4 > +#define FFA_RET_INTERRUPTED -5 > +#define FFA_RET_DENIED -6 > +#define FFA_RET_RETRY -7 > +#define FFA_RET_ABORTED -8 > + > +/* FFA_VERSION helpers */ > +#define FFA_VERSION_MAJOR _AC(1,U) NIT: The use of _AC() is a bit pointless given that you are only use the values in C code. > +#define FFA_VERSION_MAJOR_SHIFT _AC(16,U) > +#define FFA_VERSION_MAJOR_MASK _AC(0x7FFF,U) > +#define FFA_VERSION_MINOR _AC(1,U) > +#define FFA_VERSION_MINOR_SHIFT _AC(0,U) > +#define FFA_VERSION_MINOR_MASK _AC(0xFFFF,U) > +#define MAKE_FFA_VERSION(major, minor) \ > + ((((major) & FFA_VERSION_MAJOR_MASK) << FFA_VERSION_MAJOR_SHIFT) | \ > + ((minor) & FFA_VERSION_MINOR_MASK)) > + > +#define FFA_MIN_VERSION MAKE_FFA_VERSION(1, 0) > +#define FFA_VERSION_1_0 MAKE_FFA_VERSION(1, 0) > +#define FFA_VERSION_1_1 MAKE_FFA_VERSION(1, 1) > +#define FFA_MY_VERSION MAKE_FFA_VERSION(FFA_VERSION_MAJOR, \ > + FFA_VERSION_MINOR) NIT: I think it would be better that FFA_VERSION_MAJOR AND FFA_VERSION_MINOR are defined closer to FFA_MY_VERSION and they are renamed to FFA_MY_VERSION_*. I would also potentially move the 3 defines past all the definition related to the specification. This would make clearer that this is what Xen supports. > + > + > +#define FFA_HANDLE_HYP_FLAG BIT(63,ULL) Coding style: You seem to use a mix of FOO(... , ...) and FOO(...,...). At mimimum, please be consistent within the file. For Xen, we usually add a space after the comma. [...] > +/* > + * Our rx/rx buffer shared with the SPMC > + */ Hmmm... The comment seems to be misplaced. > +static uint32_t ffa_version; This probably can be __read_mostly. > +static uint16_t *subsr_vm_created; What subsr stand for? > +static unsigned int subsr_vm_created_count; > +static uint16_t *subsr_vm_destroyed; > +static unsigned int subsr_vm_destroyed_count; > +static void *ffa_rx; > +static void *ffa_tx; subsr_vm_created, subsr_vm_destroyed, ffa_rx and ffa_tx can probably be __read_mostly. > +static unsigned int ffa_page_count; Is this related to ffa_rx? > +static DEFINE_SPINLOCK(ffa_buffer_lock); > + > +static LIST_HEAD(ffa_mem_list); > +static DEFINE_SPINLOCK(ffa_mem_list_lock); > + > +static uint64_t next_handle = FFA_HANDLE_HYP_FLAG; next_handle only seems to be used handle_mem_share(). So I think it would be better to move the definition (as static) within the function. This will reduce the number of global variables. > + > +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) > +{ > + return (uint64_t)reg0 << 32 | reg1; > +} > + > +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, > + uint64_t val) > +{ > + *reg0 = val >> 32; > + *reg1 = val; > +} Those two functions are the same as optee.c but with a different. I would rather prefer if we avoid the duplication and provide generic helpers in a pre-requisite. > + > +static bool ffa_get_version(uint32_t *vers) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_VERSION, .a1 = FFA_MY_VERSION, Coding sytle: Please set each field on their own line. > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + if ( resp.a0 == FFA_RET_NOT_SUPPORTED ) > + { > + printk(XENLOG_ERR "ffa: FFA_VERSION returned not supported\n"); > + return false; > + } > + > + *vers = resp.a0; Coding style: We tend to add a newline before the last return. I am not necessarily going to comment about this on all the instances. So please have a look through the code. > + return true; > +} > + > +static uint32_t get_ffa_ret_code(const struct arm_smccc_1_2_regs *resp) FFA_RET_* will be negative, so shouldn't this return int32_t? > +{ > + switch ( resp->a0 ) > + { > + case FFA_ERROR: > + if ( resp->a2 ) > + return resp->a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + case FFA_SUCCESS_64: > + return FFA_RET_OK; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static uint32_t ffa_features(uint32_t id) > +{ > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_FEATURES, .a1 = id, }; Coding style. Please split each field on their own line. > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + return get_ffa_ret_code(&resp); > +} > + > +static bool check_mandatory_feature(uint32_t id) > +{ > + uint32_t ret = ffa_features(id); > + > + if (ret) > + printk(XENLOG_ERR "ffa: mandatory feature id %#x missing\n", id); > + return !ret; > +} > + > +static uint32_t ffa_rxtx_map(register_t tx_addr, register_t rx_addr, > + uint32_t page_count) Aside the parameters, the helper looks very similar to ffa_features(), ffa_rxtx_unmap(). Can this be abstracted? Maybe using macro if you still want to have separate helper name. > +{ > + const struct arm_smccc_1_2_regs arg = { > +#ifdef CONFIG_ARM_64 > + .a0 = FFA_RXTX_MAP_64, > +#endif > +#ifdef CONFIG_ARM_32 > + .a0 = FFA_RXTX_MAP_32, > +#endif > + .a1 = tx_addr, .a2 = rx_addr, Coding: Please don't use hard tab and put each field on their own line. > + .a3 = page_count, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static uint32_t ffa_rxtx_unmap(uint16_t vm_id) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_RXTX_UNMAP, .a1 = vm_id, Coding style. Please add each field on their own line. > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static uint32_t ffa_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > + uint32_t w4, uint32_t w5, > + uint32_t *count) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_PARTITION_INFO_GET, .a1 = w1, .a2 = w2, .a3 = w3, .a4 = w4, Ditto. > + .a5 = w5, > + }; > + struct arm_smccc_1_2_regs resp; > + uint32_t ret; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + ret = get_ffa_ret_code(&resp); > + if ( !ret ) > + *count = resp.a2; > + > + return ret; > +} > + > +static uint32_t ffa_rx_release(void) > +{ > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_RX_RELEASE, }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > + register_t addr, uint32_t pg_count, > + uint64_t *handle) > +{ > + struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_SHARE_32, .a1 = tot_len, .a2 = frag_len, .a3 = addr, Ditto. > + .a4 = pg_count, > + }; > + struct arm_smccc_1_2_regs resp; > + > + /* > + * For arm64 we must use 64-bit calling convention if the buffer isn't > + * passed in our tx buffer. > + */ Can you explain why we would want to use the 32-bit calling convention if addr is 0? > + if (sizeof(addr) > 4 && addr) sizeof(addr) > 4 is a bit odd to read. I think it would be better to check that CONFIG_ARM_64 is set (i.e. IS_ENABLED()). > + arg.a0 = FFA_MEM_SHARE_64; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_ERROR: > + if ( resp.a2 ) > + return resp.a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + *handle = reg_pair_to_64(resp.a3, resp.a2); > + return FFA_RET_OK; > + case FFA_MEM_FRAG_RX: > + *handle = reg_pair_to_64(resp.a2, resp.a1); > + return resp.a3; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static int32_t ffa_mem_frag_tx(uint64_t handle, uint32_t frag_len, > + uint16_t sender_id) > +{ > + struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_FRAG_TX, .a1 = handle & UINT32_MAX, .a2 = handle >> 32, > + .a3 = frag_len, .a4 = (uint32_t)sender_id << 16, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_ERROR: > + if ( resp.a2 ) > + return resp.a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + return FFA_RET_OK; > + case FFA_MEM_FRAG_RX: > + return resp.a3; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static uint32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > + uint32_t flags) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_RECLAIM, .a1 = handle_lo, .a2 = handle_hi, .a3 = flags, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, OOI, why is this call returns int32_t when all the other use uint32_t (even if may returned negative values)? > + uint8_t msg) > +{ > + uint32_t exp_resp = FFA_MSG_FLAG_FRAMEWORK; > + int32_t res; > + > + if ( msg != FFA_MSG_SEND_VM_CREATED && msg !=FFA_MSG_SEND_VM_DESTROYED ) > + return FFA_RET_INVALID_PARAMETERS; > + > + if ( msg == FFA_MSG_SEND_VM_CREATED ) > + exp_resp |= FFA_MSG_RESP_VM_CREATED; > + else > + exp_resp |= FFA_MSG_RESP_VM_DESTROYED; NIT: I think it would be easier to read if you drop the first 'if' and instead write: if ( msg == ..._CREATED ) ... else if ( msg == ..._DESTROYED ) ... else return FFA_RET_INVALID_PARAMETERS. > + > + do { > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MSG_SEND_DIRECT_REQ_32, > + .a1 = sp_id, > + .a2 = FFA_MSG_FLAG_FRAMEWORK | msg, > + .a5 = vm_id, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + if ( resp.a0 != FFA_MSG_SEND_DIRECT_RESP_32 || resp.a2 != exp_resp ) > + { > + /* > + * This is an invalid response, likely due to some error in the > + * implementation of the ABI. > + */ > + return FFA_RET_INVALID_PARAMETERS; > + } > + res = resp.a3; > + } while ( res == FFA_RET_INTERRUPTED || res == FFA_RET_RETRY ); > + > + return res; > +} > + > +static u16 get_vm_id(struct domain *d) d is not meant to be modified by the helper. So please use 'const'. > +{ > + /* +1 since 0 is reserved for the hypervisor in FF-A */ > + return d->domain_id + 1; > +} > + > +static void set_regs(struct cpu_user_regs *regs, register_t v0, register_t v1, > + register_t v2, register_t v3, register_t v4, register_t v5, > + register_t v6, register_t v7) > +{ > + set_user_reg(regs, 0, v0); > + set_user_reg(regs, 1, v1); > + set_user_reg(regs, 2, v2); > + set_user_reg(regs, 3, v3); > + set_user_reg(regs, 4, v4); > + set_user_reg(regs, 5, v5); > + set_user_reg(regs, 6, v6); > + set_user_reg(regs, 7, v7); > +} > + > +static void set_regs_error(struct cpu_user_regs *regs, uint32_t error_code) > +{ > + set_regs(regs, FFA_ERROR, 0, error_code, 0, 0, 0, 0, 0); > +} > + > +static void set_regs_success(struct cpu_user_regs *regs, uint32_t w2, > + uint32_t w3) > +{ > + set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, 0, 0, 0, 0); > +} > + > +static void set_regs_frag_rx(struct cpu_user_regs *regs, uint32_t handle_lo, > + uint32_t handle_hi, uint32_t frag_offset, > + uint16_t sender_id) > +{ > + set_regs(regs, FFA_MEM_FRAG_RX, handle_lo, handle_hi, frag_offset, > + (uint32_t)sender_id << 16, 0, 0, 0); > +} > + > +static void handle_version(struct cpu_user_regs *regs) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t vers = get_user_reg(regs, 1); > + > + if ( vers < FFA_VERSION_1_1 ) > + vers = FFA_VERSION_1_0; > + else > + vers = FFA_VERSION_1_1; I find a bit strange to 'cap' the version provided by the user. Is this part of the spec? > + > + ctx->guest_vers = vers; > + set_regs(regs, vers, 0, 0, 0, 0, 0, 0, 0); > +} > + > +static uint32_t handle_rxtx_map(uint32_t fid, register_t tx_addr, > + register_t rx_addr, uint32_t page_count) Xen, Linux, and the firmware may use different page size. Below, you seem to have the page size will always be 4KB. Is this guaranteed by the spec? If not, how do all the 3 components agree on it? If yes, then I think this should be written down and we should have a BUILD_BUG_ON(PAGE_SIZE != SZ_4K). > +{ > + uint32_t ret = FFA_RET_INVALID_PARAMETERS; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + struct page_info *tx_pg; > + struct page_info *rx_pg; > + p2m_type_t t; > + void *rx; > + void *tx; > + > + if ( !smccc_is_conv_64(fid) ) > + { > + tx_addr &= UINT32_MAX; > + rx_addr &= UINT32_MAX; > + } > + > + /* For now to keep things simple, only deal with a single page */ > + if ( page_count != 1 ) > + return FFA_RET_NOT_SUPPORTED; > + > + /* Already mapped */ > + if ( ctx->rx ) > + return FFA_RET_DENIED; > + > + tx_pg = get_page_from_gfn(d, gaddr_to_gfn(tx_addr), &t, P2M_ALLOC); > + if ( !tx_pg ) > + return FFA_RET_INVALID_PARAMETERS; > + /* Only normal RAM for now */ This comment suggests the check below should be p2m_is_ram() but you are using p2m_ram_rw. > + if (t != p2m_ram_rw) Coding style: if ( ... ) > + goto err_put_tx_pg; > + > + rx_pg = get_page_from_gfn(d, gaddr_to_gfn(rx_addr), &t, P2M_ALLOC); > + if ( !tx_pg ) > + goto err_put_tx_pg; > + /* Only normal RAM for now */ Same about the comment. > + if ( t != p2m_ram_rw ) > + goto err_put_rx_pg; > + > + tx = __map_domain_page_global(tx_pg); > + if ( !tx ) > + goto err_put_rx_pg; > + > + rx = __map_domain_page_global(rx_pg); > + if ( !rx ) > + goto err_unmap_tx; > + > + ctx->rx = rx; > + ctx->tx = tx; > + ctx->rx_pg = rx_pg; > + ctx->tx_pg = tx_pg; > + ctx->page_count = 1; > + ctx->tx_is_mine = true; > + return FFA_RET_OK; > + > +err_unmap_tx: > + unmap_domain_page_global(tx); > +err_put_rx_pg: > + put_page(rx_pg); > +err_put_tx_pg: > + put_page(tx_pg); > + return ret; > +} > + > +static uint32_t handle_rxtx_unmap(void) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t ret; > + > + if ( !ctx->rx ) > + return FFA_RET_INVALID_PARAMETERS; > + > + ret = ffa_rxtx_unmap(get_vm_id(d)); > + if ( ret ) > + return ret; > + > + unmap_domain_page_global(ctx->rx); > + unmap_domain_page_global(ctx->tx); > + put_page(ctx->rx_pg); > + put_page(ctx->tx_pg); > + ctx->rx = NULL; > + ctx->tx = NULL; > + ctx->rx_pg = NULL; > + ctx->tx_pg = NULL; > + ctx->page_count = 0; > + ctx->tx_is_mine = false; > + > + return FFA_RET_OK; > +} > + > +static uint32_t handle_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > + uint32_t w4, uint32_t w5, > + uint32_t *count) > +{ > + uint32_t ret = FFA_RET_DENIED; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + > + if ( !ffa_page_count ) > + return FFA_RET_DENIED; > + > + spin_lock(&ctx->lock); > + if ( !ctx->page_count || !ctx->tx_is_mine ) > + goto out; > + ret = ffa_partition_info_get(w1, w2, w3, w4, w5, count); > + if ( ret ) > + goto out; > + if ( ctx->guest_vers == FFA_VERSION_1_0 ) > + { > + size_t n; > + struct ffa_partition_info_1_1 *src = ffa_rx; > + struct ffa_partition_info_1_0 *dst = ctx->rx; > + > + for ( n = 0; n < *count; n++ ) Who is going to sanitize 'count' and how do you make sure that... > + { > + dst[n].id = src[n].id; ... this will still be written within the page provided by the domain? > + dst[n].execution_context = src[n].execution_context; > + dst[n].partition_properties = src[n].partition_properties; > + } > + } > + else > + { > + size_t sz = *count * sizeof(struct ffa_partition_info_1_1); > + > + memcpy(ctx->rx, ffa_rx, sz); > + } > + ffa_rx_release(); I saw above that you are expecting the ffa_rx to be "locked". Will it be the firmware to block another thread that may need ffa_rx? > + ctx->tx_is_mine = false; > +out: > + spin_unlock(&ctx->lock); > + > + return ret; > +} > + > +static uint32_t handle_rx_release(void) > +{ > + uint32_t ret = FFA_RET_DENIED; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + > + spin_lock(&ctx->lock); > + if ( !ctx->page_count || ctx->tx_is_mine ) > + goto out; > + ret = FFA_RET_OK; > + ctx->tx_is_mine = true; > +out: > + spin_unlock(&ctx->lock); > + > + return ret; > +} > + > +static void handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid) > +{ > + struct arm_smccc_1_2_regs arg = { .a0 = fid, }; > + struct arm_smccc_1_2_regs resp = { }; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t src_dst; > + uint64_t mask; > + > + if ( smccc_is_conv_64(fid) ) > + mask = 0xffffffffffffffff; > + else > + mask = 0xffffffff; Please use GENMASK() (or similar). So it is easier to confirm the number of 'f' is correct. > + > + src_dst = get_user_reg(regs, 1); > + if ( (src_dst >> 16) != get_vm_id(d) ) > + { > + resp.a0 = FFA_ERROR; > + resp.a2 = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + arg.a1 = src_dst; > + arg.a2 = get_user_reg(regs, 2) & mask; > + arg.a3 = get_user_reg(regs, 3) & mask; > + arg.a4 = get_user_reg(regs, 4) & mask; > + arg.a5 = get_user_reg(regs, 5) & mask; > + arg.a6 = get_user_reg(regs, 6) & mask; > + arg.a7 = get_user_reg(regs, 7) & mask; > + > + while ( true ) > + { > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_INTERRUPT: > + ctx->interrupted = true; > + goto out; > + case FFA_ERROR: > + case FFA_SUCCESS_32: > + case FFA_SUCCESS_64: > + case FFA_MSG_SEND_DIRECT_RESP_32: > + case FFA_MSG_SEND_DIRECT_RESP_64: > + goto out; > + default: > + /* Bad fid, report back. */ > + memset(&arg, 0, sizeof(arg)); > + arg.a0 = FFA_ERROR; > + arg.a1 = src_dst; > + arg.a2 = FFA_RET_NOT_SUPPORTED; > + continue; > + } > + } > + > +out: > + set_user_reg(regs, 0, resp.a0); > + set_user_reg(regs, 1, resp.a1 & mask); > + set_user_reg(regs, 2, resp.a2 & mask); > + set_user_reg(regs, 3, resp.a3 & mask); > + set_user_reg(regs, 4, resp.a4 & mask); > + set_user_reg(regs, 5, resp.a5 & mask); > + set_user_reg(regs, 6, resp.a6 & mask); > + set_user_reg(regs, 7, resp.a7 & mask); You have already an helper to set all the registers. Why not using it? > +} I will continue the rest of the review at a later point. Cheers,
Hi Jens, This is the second part of the review. On 22/06/2022 14:42, Jens Wiklander wrote: > +static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, > + struct ffa_address_range *range, uint32_t range_count, AFAICT, 'range' is not meant to be modified. So I would add 'const'. > + unsigned int start_page_idx, > + unsigned int *last_page_idx) > +{ > + unsigned int pg_idx = start_page_idx; > + unsigned long gfn; Below you are using gaddr_to_gfn() which will return gfn_t. This is using the typesafe infrastructure: gfn_t will be a structure with CONFIG_DEBUG=y to allow type checking and a plain 'unsigned long' when CONFIG_DEBUG=n. Please make sure to test build with CONFIG_DEBUG=y. As a side note, I would suggest to try booting as CONFIG_DEBUG as it enables extra check for the common pitfalls. > + unsigned int n; > + unsigned int m; > + p2m_type_t t; > + uint64_t addr; > + > + for ( n = 0; n < range_count; n++ ) > + { > + for ( m = 0; m < range[n].page_count; m++ ) > + { > + if ( pg_idx >= shm->page_count ) > + return FFA_RET_INVALID_PARAMETERS; Shouldn't we call put_page() to drop the references taken by get_page_from_gfn()? > + > + addr = read_atomic(&range[n].address); IIUC, range is part of the shared page with the guest. Where do you check that all the access will be within the shared page? > + gfn = gaddr_to_gfn(addr + m * PAGE_SIZE); Is addr meant to be page-aligned? Also, you are using the hypervisor page size here when AFAICT page_count is provided by the domain. How do you guarantee that both Xen and the domain agree on the page size? > + shm->pages[pg_idx] = get_page_from_gfn(d, gfn, &t, P2M_ALLOC); > + if ( !shm->pages[pg_idx] ) > + return FFA_RET_DENIED; > + pg_idx++; > + /* Only normal RAM for now */ Similar to my earlier remark, the comment doesn't match the check below. > + if ( t != p2m_ram_rw ) > + return FFA_RET_DENIED; > + } > + } > + > + *last_page_idx = pg_idx; > + > + return FFA_RET_OK; > +} > + > +static void put_shm_pages(struct ffa_shm_mem *shm) > +{ > + unsigned int n; > + > + for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) > + { > + put_page(shm->pages[n]); > + shm->pages[n] = NULL; > + } > +} > + > +static void init_range(struct ffa_address_range *addr_range, > + paddr_t pa) > +{ > + memset(addr_range, 0, sizeof(*addr_range)); > + addr_range->address = pa; > + addr_range->page_count = 1; > +} > + > +static int share_shm(struct ffa_shm_mem *shm) AFAIU, share_shm() cannot be concurrently called. You seem to use ffa_buffer_lock to guarantee that. So I would suggest to add: 1) an ASSERT(spin_is_Locked(&ffa_buffer_lock)) 2) a comment on top of share_shm() explaining that the function should be called with ffa_buffer_lock taken. > +{ > + uint32_t max_frag_len = ffa_page_count * PAGE_SIZE; > + struct ffa_mem_transaction_1_1 *descr = ffa_tx; > + struct ffa_mem_access *mem_access_array; > + struct ffa_mem_region *region_descr; > + struct ffa_address_range *addr_range; > + paddr_t pa; > + paddr_t last_pa; > + unsigned int n; > + uint32_t frag_len; > + uint32_t tot_len; > + int ret; > + unsigned int range_count; > + unsigned int range_base; > + bool first; > + > + memset(descr, 0, sizeof(*descr)); > + descr->sender_id = shm->sender_id; > + descr->global_handle = shm->handle; > + descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; > + descr->mem_access_count = 1; > + descr->mem_access_size = sizeof(*mem_access_array); > + descr->mem_access_offs = sizeof(*descr); > + mem_access_array = (void *)(descr + 1); > + region_descr = (void *)(mem_access_array + 1); The (void *)(descr + 1) seems to be very common in your comment. Can you consider to add a wrapper? This will make easier to read the code? > + > + memset(mem_access_array, 0, sizeof(*mem_access_array)); > + mem_access_array[0].access_perm.endpoint_id = shm->ep_id; > + mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; > + mem_access_array[0].region_offs = (vaddr_t)region_descr - (vaddr_t)ffa_tx; Same for calculating the offset. > + > + memset(region_descr, 0, sizeof(*region_descr)); > + region_descr->total_page_count = shm->page_count; > + > + region_descr->address_range_count = 1; > + last_pa = page_to_maddr(shm->pages[0]); For hardening purpose, I would suggest to check if shm->page_count is at least 1. If you think this could be a programming error then you could write: if ( .... ) { ASSERT_UNREACHABLE() return <error>; } > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + PAGE_SIZE == pa ) > + { Coding style: We usually avoid {} for single line. > + continue; > + } > + region_descr->address_range_count++; > + } > + > + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + > + sizeof(*region_descr) + > + region_descr->address_range_count * sizeof(*addr_range); How do you make sure that you will not write past the end of ffa_tx? I think it would be worth to consider adding an helper that would allow you to allocate space in ffa_tx and zero it. This would return an error if there is not enough space. > + > + addr_range = region_descr->address_range_array; > + frag_len = (vaddr_t)(addr_range + 1) - (vaddr_t)ffa_tx; > + last_pa = page_to_maddr(shm->pages[0]); > + init_range(addr_range, last_pa); > + first = true; > + range_count = 1; > + range_base = 0; > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + PAGE_SIZE == pa ) > + { > + addr_range->page_count++; > + continue; > + } > + > + if ( frag_len == max_frag_len ) > + { > + if ( first ) > + { > + ret = ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > + first = false; > + } > + else > + { > + ret = ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > + } > + if ( ret <= 0) Coding style: Missing space before ). > + return ret; > + range_base = range_count; You set range_base but don't seem to read it > + range_count = 0; Same here. > + frag_len = sizeof(*addr_range); > + addr_range = ffa_tx; > + } > + else > + { > + frag_len += sizeof(*addr_range); > + addr_range++; > + } > + init_range(addr_range, pa); > + range_count++; > + } > + > + if ( first ) > + return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > + else > + return ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > +} > + > +static int read_mem_transaction(uint32_t ffa_vers, void *buf, size_t blen, buf should be const if it is not meant to be modified by the function. > + struct ffa_mem_transaction_x *trans) > +{ > + uint16_t mem_reg_attr; > + uint32_t flags; > + uint32_t count; > + uint32_t offs; > + uint32_t size; > + > + if ( ffa_vers >= FFA_VERSION_1_1 ) > + { > + struct ffa_mem_transaction_1_1 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = read_atomic(&descr->sender_id); AFAIU, descr point to guest data. If yes, then we can't trust input. In which case, is this really necessary to use read_atomic() for every access? The reason I am asking is read_atomic() is quite a hammer when a compiler barrier should be sufficient. > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > + flags = read_atomic(&descr->flags); > + trans->global_handle = read_atomic(&descr->global_handle); > + trans->tag = read_atomic(&descr->tag); > + > + count = read_atomic(&descr->mem_access_count); > + size = read_atomic(&descr->mem_access_size); > + offs = read_atomic(&descr->mem_access_offs); > + } > + else > + { > + struct ffa_mem_transaction_1_0 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = read_atomic(&descr->sender_id); > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > + flags = read_atomic(&descr->flags); > + trans->global_handle = read_atomic(&descr->global_handle); > + trans->tag = read_atomic(&descr->tag); > + > + count = read_atomic(&descr->mem_access_count); > + size = sizeof(struct ffa_mem_access); > + offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); > + } > + > + if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || AFAIU, these checks are to ensure that the fields fit in your structure below. However, it is not clear to me why we are capping the values provided by the domain. I think this would be good to explain it in a comment. > + count > UINT8_MAX || offs > UINT16_MAX ) > + return FFA_RET_INVALID_PARAMETERS; > + > + /* Check that the endpoint memory access descriptor array fits */ > + if ( size * count + offs > blen ) > + return FFA_RET_INVALID_PARAMETERS; > + > + trans->mem_reg_attr = mem_reg_attr; > + trans->flags = flags; > + trans->mem_access_size = size; > + trans->mem_access_count = count; > + trans->mem_access_offs = offs; > + return 0; > +} > + > +static int add_mem_share_frag(struct mem_frag_state *s, unsigned int offs, > + unsigned int frag_len) > +{ > + struct domain *d = current->domain; > + unsigned int o = offs; > + unsigned int l; > + int ret; > + > + if ( frag_len < o ) > + return FFA_RET_INVALID_PARAMETERS; > + > + /* Fill up the first struct ffa_address_range */ > + l = min_t(unsigned int, frag_len - o, sizeof(s->range) - s->range_offset); > + memcpy((uint8_t *)&s->range + s->range_offset, s->buf + o, l); > + s->range_offset += l; > + o += l; > + if ( s->range_offset != sizeof(s->range) ) > + goto out; > + s->range_offset = 0; > + > + while ( true ) > + { > + ret = get_shm_pages(d, s->shm, &s->range, 1, s->current_page_idx, > + &s->current_page_idx); > + if ( ret ) > + return ret; > + if ( s->range_count == 1 ) > + return 0; > + s->range_count--; > + if ( frag_len - o < sizeof(s->range) ) > + break; > + memcpy(&s->range, s->buf + o, sizeof(s->range)); > + o += sizeof(s->range); > + } > + > + /* Collect any remaining bytes for the next struct ffa_address_range */ > + s->range_offset = frag_len - o; > + memcpy(&s->range, s->buf + o, frag_len - o); > +out: > + s->frag_offset += frag_len; > + return s->frag_offset; > +} > + > +static void handle_mem_share(struct cpu_user_regs *regs) > +{ > + uint32_t tot_len = get_user_reg(regs, 1); > + uint32_t frag_len = get_user_reg(regs, 2); > + uint64_t addr = get_user_reg(regs, 3); > + uint32_t page_count = get_user_reg(regs, 4); > + struct ffa_mem_transaction_x trans; > + struct ffa_mem_access *mem_access; > + struct ffa_mem_region *region_descr; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + struct ffa_shm_mem *shm = NULL; > + unsigned int last_page_idx = 0; > + uint32_t range_count; > + uint32_t region_offs; > + int ret = FFA_RET_DENIED; > + uint32_t handle_hi = 0; > + uint32_t handle_lo = 0; > + > + /* > + * We're only accepting memory transaction descriptors via the rx/tx > + * buffer. > + */ > + if ( addr ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + /* Check that fragment legnth doesn't exceed total length */ Typo: s/legnth/length/ > + if ( frag_len > tot_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + spin_lock(&ctx->lock); > + > + if ( frag_len > ctx->page_count * PAGE_SIZE ) > + goto out_unlock; > + > + if ( !ffa_page_count ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out_unlock; > + } > + > + ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); > + if ( ret ) > + goto out_unlock; > + > + if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out; > + } > + > + /* Only supports sharing it with one SP for now */ > + if ( trans.mem_access_count != 1 ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + if ( trans.sender_id != get_vm_id(d) ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + /* Check that it fits in the supplied data */ > + if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) > + goto out_unlock; > + > + mem_access = (void *)((vaddr_t)ctx->tx + trans.mem_access_offs); There are a bit too much open-cast in this series. Please try to reduce the numbers. In this case, the two casts are unnecessary because tx is already a void pointer. In addition to that, ctx->tx could be a "const void *" because it is not meant to be written by Xen. The const would also needs to be propagated to mem_access & co. > + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_offs = read_atomic(&mem_access->region_offs); > + if ( sizeof(*region_descr) + region_offs > frag_len ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); > + range_count = read_atomic(®ion_descr->address_range_count); > + page_count = read_atomic(®ion_descr->total_page_count); > + > + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count) This will allow a guest to allocate an arbitrarily large array in Xen. So please sanitize page_count before using it. > + if ( !shm ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out; > + } > + shm->sender_id = trans.sender_id; > + shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); > + shm->page_count = page_count; > + > + if ( frag_len != tot_len ) > + { > + struct mem_frag_state *s = xzalloc(struct mem_frag_state); > + > + if ( !s ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out; > + } > + s->shm = shm; > + s->range_count = range_count; > + s->buf = ctx->tx; > + s->buf_size = ffa_page_count * PAGE_SIZE; > + ret = add_mem_share_frag(s, sizeof(*region_descr) + region_offs, > + frag_len); > + if ( ret <= 0 ) > + { > + xfree(s); > + if ( ret < 0 ) > + goto out; > + } > + else > + { > + shm->handle = next_handle++; > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > + list_add_tail(&s->list, &ctx->frag_list); > + } > + goto out_unlock; > + } > + > + /* > + * Check that the Composite memory region descriptor fits. > + */ > + if ( sizeof(*region_descr) + region_offs + > + range_count * sizeof(struct ffa_address_range) > frag_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, > + 0, &last_page_idx); > + if ( ret ) > + goto out; > + if ( last_page_idx != shm->page_count ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + /* Note that share_shm() uses our tx buffer */ > + spin_lock(&ffa_buffer_lock); > + ret = share_shm(shm); > + spin_unlock(&ffa_buffer_lock); > + if ( ret ) > + goto out; > + > + spin_lock(&ffa_mem_list_lock); > + list_add_tail(&shm->list, &ffa_mem_list); A couple of questions: - What is the maximum size of the list? - Why is the list is global rather than per domain? In fact, looking at handle_mem_reclaim() it looks like a domain could potentially reclaim in memory (we don't seem to sanitize the input other than checking the handle is used). So it seems to me the list should be per-domain. > + spin_unlock(&ffa_mem_list_lock); > + > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > + > +out: > + if ( ret && shm ) > + { > + put_shm_pages(shm); > + xfree(shm); > + } > +out_unlock: > + spin_unlock(&ctx->lock); > + > + if ( ret > 0 ) > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, trans.sender_id); > + else if ( ret == 0) Coding style: missing space before ). > + set_regs_success(regs, handle_lo, handle_hi); > + else > + set_regs_error(regs, ret); > +} > + I will continue the review later on.
Hi Jens, Just to let you know, I am currently going through the spec in order to properly review your implementation but this might take a bit of time as it is quite long :-) Cheers Bertrand > On 22 Jun 2022, at 14:42, Jens Wiklander <jens.wiklander@linaro.org> wrote: > > Adds a FF-A version 1.1 [1] mediator to communicate with a Secure > Partition in secure world. > > The implementation is the bare minimum to be able to communicate with > OP-TEE running as an SPMC at S-EL1. > > This is loosely based on the TEE mediator framework and the OP-TEE > mediator. > > [1] https://developer.arm.com/documentation/den0077/latest > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> > --- > SUPPORT.md | 7 + > tools/libs/light/libxl_arm.c | 3 + > tools/libs/light/libxl_types.idl | 1 + > tools/xl/xl_parse.c | 3 + > xen/arch/arm/Kconfig | 11 + > xen/arch/arm/Makefile | 1 + > xen/arch/arm/domain.c | 10 + > xen/arch/arm/domain_build.c | 1 + > xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ > xen/arch/arm/include/asm/domain.h | 4 + > xen/arch/arm/include/asm/ffa.h | 71 ++ > xen/arch/arm/vsmc.c | 17 +- > xen/include/public/arch-arm.h | 2 + > 13 files changed, 1811 insertions(+), 3 deletions(-) > create mode 100644 xen/arch/arm/ffa.c > create mode 100644 xen/arch/arm/include/asm/ffa.h > > diff --git a/SUPPORT.md b/SUPPORT.md > index 70e98964cbc0..215bb3c9043b 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md > @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. > > No support for QEMU backends in a 16K or 64K domain. > > +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator > + > + Status, Arm64: Tech Preview > + > +There are still some code paths where a vCPU may hog a pCPU longer than > +necessary. The FF-A mediator is not yet implemented for Arm32. > + > ### ARM: Guest Device Tree support > > Status: Supported > diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c > index eef1de093914..a985609861c7 100644 > --- a/tools/libs/light/libxl_arm.c > +++ b/tools/libs/light/libxl_arm.c > @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, > return ERROR_FAIL; > } > > + config->arch.ffa_enabled = > + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); > + > return 0; > } > > diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl > index 2a42da2f7d78..bf4544bef399 100644 > --- a/tools/libs/light/libxl_types.idl > +++ b/tools/libs/light/libxl_types.idl > @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ > > ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), > ("vuart", libxl_vuart_type), > + ("ffa_enabled", libxl_defbool), > ])), > ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool), > ])), > diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c > index b98c0de378b6..e0e99ed8d2b1 100644 > --- a/tools/xl/xl_parse.c > +++ b/tools/xl/xl_parse.c > @@ -2746,6 +2746,9 @@ skip_usbdev: > exit(-ERROR_FAIL); > } > } > + libxl_defbool_setdefault(&b_info->arch_arm.ffa_enabled, false); > + xlu_cfg_get_defbool(config, "ffa_enabled", > + &b_info->arch_arm.ffa_enabled, 0); > > parse_vkb_list(config, d_config); > > diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig > index be9eff014120..e57e1d3757e2 100644 > --- a/xen/arch/arm/Kconfig > +++ b/xen/arch/arm/Kconfig > @@ -139,6 +139,17 @@ config TEE > > source "arch/arm/tee/Kconfig" > > +config FFA > + bool "Enable FF-A mediator support" if EXPERT > + default n > + depends on ARM_64 > + help > + This option enables a minimal FF-A mediator. The mediator is > + generic as it follows the FF-A specification [1], but it only > + implements a small subset of the specification. > + > + [1] https://developer.arm.com/documentation/den0077/latest > + > endmenu > > menu "ARM errata workaround via the alternative framework" > diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile > index bb7a6151c13c..af0c69f793d4 100644 > --- a/xen/arch/arm/Makefile > +++ b/xen/arch/arm/Makefile > @@ -20,6 +20,7 @@ obj-y += domain_build.init.o > obj-y += domctl.o > obj-$(CONFIG_EARLY_PRINTK) += early_printk.o > obj-y += efi/ > +obj-$(CONFIG_FFA) += ffa.o > obj-y += gic.o > obj-y += gic-v2.o > obj-$(CONFIG_GICV3) += gic-v3.o > diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c > index 8110c1df8638..a3f00e7e234d 100644 > --- a/xen/arch/arm/domain.c > +++ b/xen/arch/arm/domain.c > @@ -27,6 +27,7 @@ > #include <asm/cpufeature.h> > #include <asm/current.h> > #include <asm/event.h> > +#include <asm/ffa.h> > #include <asm/gic.h> > #include <asm/guest_atomics.h> > #include <asm/irq.h> > @@ -756,6 +757,9 @@ int arch_domain_create(struct domain *d, > if ( (rc = tee_domain_init(d, config->arch.tee_type)) != 0 ) > goto fail; > > + if ( (rc = ffa_domain_init(d, config->arch.ffa_enabled)) != 0 ) > + goto fail; > + > update_domain_wallclock_time(d); > > /* > @@ -998,6 +1002,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) > enum { > PROG_pci = 1, > PROG_tee, > + PROG_ffa, > PROG_xen, > PROG_page, > PROG_mapping, > @@ -1043,6 +1048,11 @@ int domain_relinquish_resources(struct domain *d) > > PROGRESS(tee): > ret = tee_relinquish_resources(d); > + if ( ret ) > + return ret; > + > + PROGRESS(ffa): > + ret = ffa_relinquish_resources(d); > if (ret ) > return ret; > > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c > index 7ddd16c26da5..d708f76356f7 100644 > --- a/xen/arch/arm/domain_build.c > +++ b/xen/arch/arm/domain_build.c > @@ -3450,6 +3450,7 @@ void __init create_dom0(void) > if ( gic_number_lines() > 992 ) > printk(XENLOG_WARNING "Maximum number of vGIC IRQs exceeded.\n"); > dom0_cfg.arch.tee_type = tee_get_type(); > + dom0_cfg.arch.ffa_enabled = true; > dom0_cfg.max_vcpus = dom0_max_vcpus(); > > if ( iommu_enabled ) > diff --git a/xen/arch/arm/ffa.c b/xen/arch/arm/ffa.c > new file mode 100644 > index 000000000000..3117ce5cec4d > --- /dev/null > +++ b/xen/arch/arm/ffa.c > @@ -0,0 +1,1683 @@ > +/* > + * xen/arch/arm/ffa.c > + * > + * Arm Firmware Framework for ARMv8-A (FF-A) mediator > + * > + * Copyright (C) 2022 Linaro Limited > + * > + * Permission is hereby granted, free of charge, to any person > + * obtaining a copy of this software and associated documentation > + * files (the "Software"), to deal in the Software without restriction, > + * including without limitation the rights to use, copy, modify, merge, > + * publish, distribute, sublicense, and/or sell copies of the Software, > + * and to permit persons to whom the Software is furnished to do so, > + * subject to the following conditions: > + * > + * The above copyright notice and this permission notice shall be > + * included in all copies or substantial portions of the Software. > + * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > + */ > + > +#include <xen/domain_page.h> > +#include <xen/errno.h> > +#include <xen/init.h> > +#include <xen/lib.h> > +#include <xen/sched.h> > +#include <xen/types.h> > +#include <xen/sizes.h> > +#include <xen/bitops.h> > + > +#include <asm/smccc.h> > +#include <asm/event.h> > +#include <asm/ffa.h> > +#include <asm/regs.h> > + > +/* Error codes */ > +#define FFA_RET_OK 0 > +#define FFA_RET_NOT_SUPPORTED -1 > +#define FFA_RET_INVALID_PARAMETERS -2 > +#define FFA_RET_NO_MEMORY -3 > +#define FFA_RET_BUSY -4 > +#define FFA_RET_INTERRUPTED -5 > +#define FFA_RET_DENIED -6 > +#define FFA_RET_RETRY -7 > +#define FFA_RET_ABORTED -8 > + > +/* FFA_VERSION helpers */ > +#define FFA_VERSION_MAJOR _AC(1,U) > +#define FFA_VERSION_MAJOR_SHIFT _AC(16,U) > +#define FFA_VERSION_MAJOR_MASK _AC(0x7FFF,U) > +#define FFA_VERSION_MINOR _AC(1,U) > +#define FFA_VERSION_MINOR_SHIFT _AC(0,U) > +#define FFA_VERSION_MINOR_MASK _AC(0xFFFF,U) > +#define MAKE_FFA_VERSION(major, minor) \ > + ((((major) & FFA_VERSION_MAJOR_MASK) << FFA_VERSION_MAJOR_SHIFT) | \ > + ((minor) & FFA_VERSION_MINOR_MASK)) > + > +#define FFA_MIN_VERSION MAKE_FFA_VERSION(1, 0) > +#define FFA_VERSION_1_0 MAKE_FFA_VERSION(1, 0) > +#define FFA_VERSION_1_1 MAKE_FFA_VERSION(1, 1) > +#define FFA_MY_VERSION MAKE_FFA_VERSION(FFA_VERSION_MAJOR, \ > + FFA_VERSION_MINOR) > + > + > +#define FFA_HANDLE_HYP_FLAG BIT(63,ULL) > + > +/* Memory attributes: Normal memory, Write-Back cacheable, Inner shareable */ > +#define FFA_NORMAL_MEM_REG_ATTR _AC(0x2f,U) > + > +/* Memory access permissions: Read-write */ > +#define FFA_MEM_ACC_RW _AC(0x2,U) > + > +/* Clear memory before mapping in receiver */ > +#define FFA_MEMORY_REGION_FLAG_CLEAR BIT(0, U) > +/* Relayer may time slice this operation */ > +#define FFA_MEMORY_REGION_FLAG_TIME_SLICE BIT(1, U) > +/* Clear memory after receiver relinquishes it */ > +#define FFA_MEMORY_REGION_FLAG_CLEAR_RELINQUISH BIT(2, U) > + > +/* Share memory transaction */ > +#define FFA_MEMORY_REGION_TRANSACTION_TYPE_SHARE (_AC(1,U) << 3) > + > +#define FFA_HANDLE_INVALID _AC(0xffffffffffffffff,ULL) > + > +/* Framework direct request/response */ > +#define FFA_MSG_FLAG_FRAMEWORK BIT(31, U) > +#define FFA_MSG_TYPE_MASK _AC(0xFF,U); > +#define FFA_MSG_PSCI _AC(0x0,U) > +#define FFA_MSG_SEND_VM_CREATED _AC(0x4,U) > +#define FFA_MSG_RESP_VM_CREATED _AC(0x5,U) > +#define FFA_MSG_SEND_VM_DESTROYED _AC(0x6,U) > +#define FFA_MSG_RESP_VM_DESTROYED _AC(0x7,U) > + > +/* > + * Flags used for the FFA_PARTITION_INFO_GET return message: > + * BIT(0): Supports receipt of direct requests > + * BIT(1): Can send direct requests > + * BIT(2): Can send and receive indirect messages > + * BIT(3): Supports receipt of notifications > + * BIT(4-5): Partition ID is a PE endpoint ID > + */ > +#define FFA_PART_PROP_DIRECT_REQ_RECV BIT(0,U) > +#define FFA_PART_PROP_DIRECT_REQ_SEND BIT(1,U) > +#define FFA_PART_PROP_INDIRECT_MSGS BIT(2,U) > +#define FFA_PART_PROP_RECV_NOTIF BIT(3,U) > +#define FFA_PART_PROP_IS_PE_ID (_AC(0,U) << 4) > +#define FFA_PART_PROP_IS_SEPID_INDEP (_AC(1,U) << 4) > +#define FFA_PART_PROP_IS_SEPID_DEP (_AC(2,U) << 4) > +#define FFA_PART_PROP_IS_AUX_ID (_AC(3,U) << 4) > +#define FFA_PART_PROP_NOTIF_CREATED BIT(6,U) > +#define FFA_PART_PROP_NOTIF_DESTROYED BIT(7,U) > +#define FFA_PART_PROP_AARCH64_STATE BIT(8,U) > + > +/* Function IDs */ > +#define FFA_ERROR _AC(0x84000060,U) > +#define FFA_SUCCESS_32 _AC(0x84000061,U) > +#define FFA_SUCCESS_64 _AC(0xC4000061,U) > +#define FFA_INTERRUPT _AC(0x84000062,U) > +#define FFA_VERSION _AC(0x84000063,U) > +#define FFA_FEATURES _AC(0x84000064,U) > +#define FFA_RX_ACQUIRE _AC(0x84000084,U) > +#define FFA_RX_RELEASE _AC(0x84000065,U) > +#define FFA_RXTX_MAP_32 _AC(0x84000066,U) > +#define FFA_RXTX_MAP_64 _AC(0xC4000066,U) > +#define FFA_RXTX_UNMAP _AC(0x84000067,U) > +#define FFA_PARTITION_INFO_GET _AC(0x84000068,U) > +#define FFA_ID_GET _AC(0x84000069,U) > +#define FFA_SPM_ID_GET _AC(0x84000085,U) > +#define FFA_MSG_WAIT _AC(0x8400006B,U) > +#define FFA_MSG_YIELD _AC(0x8400006C,U) > +#define FFA_MSG_RUN _AC(0x8400006D,U) > +#define FFA_MSG_SEND2 _AC(0x84000086,U) > +#define FFA_MSG_SEND_DIRECT_REQ_32 _AC(0x8400006F,U) > +#define FFA_MSG_SEND_DIRECT_REQ_64 _AC(0xC400006F,U) > +#define FFA_MSG_SEND_DIRECT_RESP_32 _AC(0x84000070,U) > +#define FFA_MSG_SEND_DIRECT_RESP_64 _AC(0xC4000070,U) > +#define FFA_MEM_DONATE_32 _AC(0x84000071,U) > +#define FFA_MEM_DONATE_64 _AC(0xC4000071,U) > +#define FFA_MEM_LEND_32 _AC(0x84000072,U) > +#define FFA_MEM_LEND_64 _AC(0xC4000072,U) > +#define FFA_MEM_SHARE_32 _AC(0x84000073,U) > +#define FFA_MEM_SHARE_64 _AC(0xC4000073,U) > +#define FFA_MEM_RETRIEVE_REQ_32 _AC(0x84000074,U) > +#define FFA_MEM_RETRIEVE_REQ_64 _AC(0xC4000074,U) > +#define FFA_MEM_RETRIEVE_RESP _AC(0x84000075,U) > +#define FFA_MEM_RELINQUISH _AC(0x84000076,U) > +#define FFA_MEM_RECLAIM _AC(0x84000077,U) > +#define FFA_MEM_FRAG_RX _AC(0x8400007A,U) > +#define FFA_MEM_FRAG_TX _AC(0x8400007B,U) > +#define FFA_MSG_SEND _AC(0x8400006E,U) > +#define FFA_MSG_POLL _AC(0x8400006A,U) > + > +/* Partition information descriptor */ > +struct ffa_partition_info_1_0 { > + uint16_t id; > + uint16_t execution_context; > + uint32_t partition_properties; > +}; > + > +struct ffa_partition_info_1_1 { > + uint16_t id; > + uint16_t execution_context; > + uint32_t partition_properties; > + uint8_t uuid[16]; > +}; > + > +/* Constituent memory region descriptor */ > +struct ffa_address_range { > + uint64_t address; > + uint32_t page_count; > + uint32_t reserved; > +}; > + > +/* Composite memory region descriptor */ > +struct ffa_mem_region { > + uint32_t total_page_count; > + uint32_t address_range_count; > + uint64_t reserved; > + struct ffa_address_range address_range_array[]; > +}; > + > +/* Memory access permissions descriptor */ > +struct ffa_mem_access_perm { > + uint16_t endpoint_id; > + uint8_t perm; > + uint8_t flags; > +}; > + > +/* Endpoint memory access descriptor */ > +struct ffa_mem_access { > + struct ffa_mem_access_perm access_perm; > + uint32_t region_offs; > + uint64_t reserved; > +}; > + > +/* Lend, donate or share memory transaction descriptor */ > +struct ffa_mem_transaction_1_0 { > + uint16_t sender_id; > + uint8_t mem_reg_attr; > + uint8_t reserved0; > + uint32_t flags; > + uint64_t global_handle; > + uint64_t tag; > + uint32_t reserved1; > + uint32_t mem_access_count; > + struct ffa_mem_access mem_access_array[]; > +}; > + > +struct ffa_mem_transaction_1_1 { > + uint16_t sender_id; > + uint16_t mem_reg_attr; > + uint32_t flags; > + uint64_t global_handle; > + uint64_t tag; > + uint32_t mem_access_size; > + uint32_t mem_access_count; > + uint32_t mem_access_offs; > + uint8_t reserved[12]; > +}; > + > +/* > + * The parts needed from struct ffa_mem_transaction_1_0 or struct > + * ffa_mem_transaction_1_1, used to provide an abstraction of difference in > + * data structures between version 1.0 and 1.1. This is just an internal > + * interface and can be changed without changing any ABI. > + */ > +struct ffa_mem_transaction_x { > + uint16_t sender_id; > + uint8_t mem_reg_attr; > + uint8_t flags; > + uint8_t mem_access_size; > + uint8_t mem_access_count; > + uint16_t mem_access_offs; > + uint64_t global_handle; > + uint64_t tag; > +}; > + > +/* Endpoint RX/TX descriptor */ > +struct ffa_endpoint_rxtx_descriptor_1_0 { > + uint16_t sender_id; > + uint16_t reserved; > + uint32_t rx_range_count; > + uint32_t tx_range_count; > +}; > + > +struct ffa_endpoint_rxtx_descriptor_1_1 { > + uint16_t sender_id; > + uint16_t reserved; > + uint32_t rx_region_offs; > + uint32_t tx_region_offs; > +}; > + > +struct ffa_ctx { > + void *rx; > + void *tx; > + struct page_info *rx_pg; > + struct page_info *tx_pg; > + unsigned int page_count; > + uint32_t guest_vers; > + bool tx_is_mine; > + bool interrupted; > + struct list_head frag_list; > + spinlock_t lock; > +}; > + > +struct ffa_shm_mem { > + struct list_head list; > + uint16_t sender_id; > + uint16_t ep_id; /* endpoint, the one lending */ > + uint64_t handle; /* FFA_HANDLE_INVALID if not set yet */ > + unsigned int page_count; > + struct page_info *pages[]; > +}; > + > +struct mem_frag_state { > + struct list_head list; > + struct ffa_shm_mem *shm; > + uint32_t range_count; > + unsigned int current_page_idx; > + unsigned int frag_offset; > + unsigned int range_offset; > + uint8_t *buf; > + unsigned int buf_size; > + struct ffa_address_range range; > +}; > + > +/* > + * Our rx/rx buffer shared with the SPMC > + */ > +static uint32_t ffa_version; > +static uint16_t *subsr_vm_created; > +static unsigned int subsr_vm_created_count; > +static uint16_t *subsr_vm_destroyed; > +static unsigned int subsr_vm_destroyed_count; > +static void *ffa_rx; > +static void *ffa_tx; > +static unsigned int ffa_page_count; > +static DEFINE_SPINLOCK(ffa_buffer_lock); > + > +static LIST_HEAD(ffa_mem_list); > +static DEFINE_SPINLOCK(ffa_mem_list_lock); > + > +static uint64_t next_handle = FFA_HANDLE_HYP_FLAG; > + > +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) > +{ > + return (uint64_t)reg0 << 32 | reg1; > +} > + > +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, > + uint64_t val) > +{ > + *reg0 = val >> 32; > + *reg1 = val; > +} > + > +static bool ffa_get_version(uint32_t *vers) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_VERSION, .a1 = FFA_MY_VERSION, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + if ( resp.a0 == FFA_RET_NOT_SUPPORTED ) > + { > + printk(XENLOG_ERR "ffa: FFA_VERSION returned not supported\n"); > + return false; > + } > + > + *vers = resp.a0; > + return true; > +} > + > +static uint32_t get_ffa_ret_code(const struct arm_smccc_1_2_regs *resp) > +{ > + switch ( resp->a0 ) > + { > + case FFA_ERROR: > + if ( resp->a2 ) > + return resp->a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + case FFA_SUCCESS_64: > + return FFA_RET_OK; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static uint32_t ffa_features(uint32_t id) > +{ > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_FEATURES, .a1 = id, }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + return get_ffa_ret_code(&resp); > +} > + > +static bool check_mandatory_feature(uint32_t id) > +{ > + uint32_t ret = ffa_features(id); > + > + if (ret) > + printk(XENLOG_ERR "ffa: mandatory feature id %#x missing\n", id); > + return !ret; > +} > + > +static uint32_t ffa_rxtx_map(register_t tx_addr, register_t rx_addr, > + uint32_t page_count) > +{ > + const struct arm_smccc_1_2_regs arg = { > +#ifdef CONFIG_ARM_64 > + .a0 = FFA_RXTX_MAP_64, > +#endif > +#ifdef CONFIG_ARM_32 > + .a0 = FFA_RXTX_MAP_32, > +#endif > + .a1 = tx_addr, .a2 = rx_addr, > + .a3 = page_count, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static uint32_t ffa_rxtx_unmap(uint16_t vm_id) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_RXTX_UNMAP, .a1 = vm_id, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static uint32_t ffa_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > + uint32_t w4, uint32_t w5, > + uint32_t *count) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_PARTITION_INFO_GET, .a1 = w1, .a2 = w2, .a3 = w3, .a4 = w4, > + .a5 = w5, > + }; > + struct arm_smccc_1_2_regs resp; > + uint32_t ret; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + ret = get_ffa_ret_code(&resp); > + if ( !ret ) > + *count = resp.a2; > + > + return ret; > +} > + > +static uint32_t ffa_rx_release(void) > +{ > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_RX_RELEASE, }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > + register_t addr, uint32_t pg_count, > + uint64_t *handle) > +{ > + struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_SHARE_32, .a1 = tot_len, .a2 = frag_len, .a3 = addr, > + .a4 = pg_count, > + }; > + struct arm_smccc_1_2_regs resp; > + > + /* > + * For arm64 we must use 64-bit calling convention if the buffer isn't > + * passed in our tx buffer. > + */ > + if (sizeof(addr) > 4 && addr) > + arg.a0 = FFA_MEM_SHARE_64; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_ERROR: > + if ( resp.a2 ) > + return resp.a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + *handle = reg_pair_to_64(resp.a3, resp.a2); > + return FFA_RET_OK; > + case FFA_MEM_FRAG_RX: > + *handle = reg_pair_to_64(resp.a2, resp.a1); > + return resp.a3; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static int32_t ffa_mem_frag_tx(uint64_t handle, uint32_t frag_len, > + uint16_t sender_id) > +{ > + struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_FRAG_TX, .a1 = handle & UINT32_MAX, .a2 = handle >> 32, > + .a3 = frag_len, .a4 = (uint32_t)sender_id << 16, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_ERROR: > + if ( resp.a2 ) > + return resp.a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + return FFA_RET_OK; > + case FFA_MEM_FRAG_RX: > + return resp.a3; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static uint32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > + uint32_t flags) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_RECLAIM, .a1 = handle_lo, .a2 = handle_hi, .a3 = flags, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, > + uint8_t msg) > +{ > + uint32_t exp_resp = FFA_MSG_FLAG_FRAMEWORK; > + int32_t res; > + > + if ( msg != FFA_MSG_SEND_VM_CREATED && msg !=FFA_MSG_SEND_VM_DESTROYED ) > + return FFA_RET_INVALID_PARAMETERS; > + > + if ( msg == FFA_MSG_SEND_VM_CREATED ) > + exp_resp |= FFA_MSG_RESP_VM_CREATED; > + else > + exp_resp |= FFA_MSG_RESP_VM_DESTROYED; > + > + do { > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MSG_SEND_DIRECT_REQ_32, > + .a1 = sp_id, > + .a2 = FFA_MSG_FLAG_FRAMEWORK | msg, > + .a5 = vm_id, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + if ( resp.a0 != FFA_MSG_SEND_DIRECT_RESP_32 || resp.a2 != exp_resp ) > + { > + /* > + * This is an invalid response, likely due to some error in the > + * implementation of the ABI. > + */ > + return FFA_RET_INVALID_PARAMETERS; > + } > + res = resp.a3; > + } while ( res == FFA_RET_INTERRUPTED || res == FFA_RET_RETRY ); > + > + return res; > +} > + > +static u16 get_vm_id(struct domain *d) > +{ > + /* +1 since 0 is reserved for the hypervisor in FF-A */ > + return d->domain_id + 1; > +} > + > +static void set_regs(struct cpu_user_regs *regs, register_t v0, register_t v1, > + register_t v2, register_t v3, register_t v4, register_t v5, > + register_t v6, register_t v7) > +{ > + set_user_reg(regs, 0, v0); > + set_user_reg(regs, 1, v1); > + set_user_reg(regs, 2, v2); > + set_user_reg(regs, 3, v3); > + set_user_reg(regs, 4, v4); > + set_user_reg(regs, 5, v5); > + set_user_reg(regs, 6, v6); > + set_user_reg(regs, 7, v7); > +} > + > +static void set_regs_error(struct cpu_user_regs *regs, uint32_t error_code) > +{ > + set_regs(regs, FFA_ERROR, 0, error_code, 0, 0, 0, 0, 0); > +} > + > +static void set_regs_success(struct cpu_user_regs *regs, uint32_t w2, > + uint32_t w3) > +{ > + set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, 0, 0, 0, 0); > +} > + > +static void set_regs_frag_rx(struct cpu_user_regs *regs, uint32_t handle_lo, > + uint32_t handle_hi, uint32_t frag_offset, > + uint16_t sender_id) > +{ > + set_regs(regs, FFA_MEM_FRAG_RX, handle_lo, handle_hi, frag_offset, > + (uint32_t)sender_id << 16, 0, 0, 0); > +} > + > +static void handle_version(struct cpu_user_regs *regs) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t vers = get_user_reg(regs, 1); > + > + if ( vers < FFA_VERSION_1_1 ) > + vers = FFA_VERSION_1_0; > + else > + vers = FFA_VERSION_1_1; > + > + ctx->guest_vers = vers; > + set_regs(regs, vers, 0, 0, 0, 0, 0, 0, 0); > +} > + > +static uint32_t handle_rxtx_map(uint32_t fid, register_t tx_addr, > + register_t rx_addr, uint32_t page_count) > +{ > + uint32_t ret = FFA_RET_INVALID_PARAMETERS; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + struct page_info *tx_pg; > + struct page_info *rx_pg; > + p2m_type_t t; > + void *rx; > + void *tx; > + > + if ( !smccc_is_conv_64(fid) ) > + { > + tx_addr &= UINT32_MAX; > + rx_addr &= UINT32_MAX; > + } > + > + /* For now to keep things simple, only deal with a single page */ > + if ( page_count != 1 ) > + return FFA_RET_NOT_SUPPORTED; > + > + /* Already mapped */ > + if ( ctx->rx ) > + return FFA_RET_DENIED; > + > + tx_pg = get_page_from_gfn(d, gaddr_to_gfn(tx_addr), &t, P2M_ALLOC); > + if ( !tx_pg ) > + return FFA_RET_INVALID_PARAMETERS; > + /* Only normal RAM for now */ > + if (t != p2m_ram_rw) > + goto err_put_tx_pg; > + > + rx_pg = get_page_from_gfn(d, gaddr_to_gfn(rx_addr), &t, P2M_ALLOC); > + if ( !tx_pg ) > + goto err_put_tx_pg; > + /* Only normal RAM for now */ > + if ( t != p2m_ram_rw ) > + goto err_put_rx_pg; > + > + tx = __map_domain_page_global(tx_pg); > + if ( !tx ) > + goto err_put_rx_pg; > + > + rx = __map_domain_page_global(rx_pg); > + if ( !rx ) > + goto err_unmap_tx; > + > + ctx->rx = rx; > + ctx->tx = tx; > + ctx->rx_pg = rx_pg; > + ctx->tx_pg = tx_pg; > + ctx->page_count = 1; > + ctx->tx_is_mine = true; > + return FFA_RET_OK; > + > +err_unmap_tx: > + unmap_domain_page_global(tx); > +err_put_rx_pg: > + put_page(rx_pg); > +err_put_tx_pg: > + put_page(tx_pg); > + return ret; > +} > + > +static uint32_t handle_rxtx_unmap(void) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t ret; > + > + if ( !ctx->rx ) > + return FFA_RET_INVALID_PARAMETERS; > + > + ret = ffa_rxtx_unmap(get_vm_id(d)); > + if ( ret ) > + return ret; > + > + unmap_domain_page_global(ctx->rx); > + unmap_domain_page_global(ctx->tx); > + put_page(ctx->rx_pg); > + put_page(ctx->tx_pg); > + ctx->rx = NULL; > + ctx->tx = NULL; > + ctx->rx_pg = NULL; > + ctx->tx_pg = NULL; > + ctx->page_count = 0; > + ctx->tx_is_mine = false; > + > + return FFA_RET_OK; > +} > + > +static uint32_t handle_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > + uint32_t w4, uint32_t w5, > + uint32_t *count) > +{ > + uint32_t ret = FFA_RET_DENIED; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + > + if ( !ffa_page_count ) > + return FFA_RET_DENIED; > + > + spin_lock(&ctx->lock); > + if ( !ctx->page_count || !ctx->tx_is_mine ) > + goto out; > + ret = ffa_partition_info_get(w1, w2, w3, w4, w5, count); > + if ( ret ) > + goto out; > + if ( ctx->guest_vers == FFA_VERSION_1_0 ) > + { > + size_t n; > + struct ffa_partition_info_1_1 *src = ffa_rx; > + struct ffa_partition_info_1_0 *dst = ctx->rx; > + > + for ( n = 0; n < *count; n++ ) > + { > + dst[n].id = src[n].id; > + dst[n].execution_context = src[n].execution_context; > + dst[n].partition_properties = src[n].partition_properties; > + } > + } > + else > + { > + size_t sz = *count * sizeof(struct ffa_partition_info_1_1); > + > + memcpy(ctx->rx, ffa_rx, sz); > + } > + ffa_rx_release(); > + ctx->tx_is_mine = false; > +out: > + spin_unlock(&ctx->lock); > + > + return ret; > +} > + > +static uint32_t handle_rx_release(void) > +{ > + uint32_t ret = FFA_RET_DENIED; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + > + spin_lock(&ctx->lock); > + if ( !ctx->page_count || ctx->tx_is_mine ) > + goto out; > + ret = FFA_RET_OK; > + ctx->tx_is_mine = true; > +out: > + spin_unlock(&ctx->lock); > + > + return ret; > +} > + > +static void handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid) > +{ > + struct arm_smccc_1_2_regs arg = { .a0 = fid, }; > + struct arm_smccc_1_2_regs resp = { }; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t src_dst; > + uint64_t mask; > + > + if ( smccc_is_conv_64(fid) ) > + mask = 0xffffffffffffffff; > + else > + mask = 0xffffffff; > + > + src_dst = get_user_reg(regs, 1); > + if ( (src_dst >> 16) != get_vm_id(d) ) > + { > + resp.a0 = FFA_ERROR; > + resp.a2 = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + arg.a1 = src_dst; > + arg.a2 = get_user_reg(regs, 2) & mask; > + arg.a3 = get_user_reg(regs, 3) & mask; > + arg.a4 = get_user_reg(regs, 4) & mask; > + arg.a5 = get_user_reg(regs, 5) & mask; > + arg.a6 = get_user_reg(regs, 6) & mask; > + arg.a7 = get_user_reg(regs, 7) & mask; > + > + while ( true ) > + { > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_INTERRUPT: > + ctx->interrupted = true; > + goto out; > + case FFA_ERROR: > + case FFA_SUCCESS_32: > + case FFA_SUCCESS_64: > + case FFA_MSG_SEND_DIRECT_RESP_32: > + case FFA_MSG_SEND_DIRECT_RESP_64: > + goto out; > + default: > + /* Bad fid, report back. */ > + memset(&arg, 0, sizeof(arg)); > + arg.a0 = FFA_ERROR; > + arg.a1 = src_dst; > + arg.a2 = FFA_RET_NOT_SUPPORTED; > + continue; > + } > + } > + > +out: > + set_user_reg(regs, 0, resp.a0); > + set_user_reg(regs, 1, resp.a1 & mask); > + set_user_reg(regs, 2, resp.a2 & mask); > + set_user_reg(regs, 3, resp.a3 & mask); > + set_user_reg(regs, 4, resp.a4 & mask); > + set_user_reg(regs, 5, resp.a5 & mask); > + set_user_reg(regs, 6, resp.a6 & mask); > + set_user_reg(regs, 7, resp.a7 & mask); > +} > + > +static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, > + struct ffa_address_range *range, uint32_t range_count, > + unsigned int start_page_idx, > + unsigned int *last_page_idx) > +{ > + unsigned int pg_idx = start_page_idx; > + unsigned long gfn; > + unsigned int n; > + unsigned int m; > + p2m_type_t t; > + uint64_t addr; > + > + for ( n = 0; n < range_count; n++ ) > + { > + for ( m = 0; m < range[n].page_count; m++ ) > + { > + if ( pg_idx >= shm->page_count ) > + return FFA_RET_INVALID_PARAMETERS; > + > + addr = read_atomic(&range[n].address); > + gfn = gaddr_to_gfn(addr + m * PAGE_SIZE); > + shm->pages[pg_idx] = get_page_from_gfn(d, gfn, &t, P2M_ALLOC); > + if ( !shm->pages[pg_idx] ) > + return FFA_RET_DENIED; > + pg_idx++; > + /* Only normal RAM for now */ > + if ( t != p2m_ram_rw ) > + return FFA_RET_DENIED; > + } > + } > + > + *last_page_idx = pg_idx; > + > + return FFA_RET_OK; > +} > + > +static void put_shm_pages(struct ffa_shm_mem *shm) > +{ > + unsigned int n; > + > + for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) > + { > + put_page(shm->pages[n]); > + shm->pages[n] = NULL; > + } > +} > + > +static void init_range(struct ffa_address_range *addr_range, > + paddr_t pa) > +{ > + memset(addr_range, 0, sizeof(*addr_range)); > + addr_range->address = pa; > + addr_range->page_count = 1; > +} > + > +static int share_shm(struct ffa_shm_mem *shm) > +{ > + uint32_t max_frag_len = ffa_page_count * PAGE_SIZE; > + struct ffa_mem_transaction_1_1 *descr = ffa_tx; > + struct ffa_mem_access *mem_access_array; > + struct ffa_mem_region *region_descr; > + struct ffa_address_range *addr_range; > + paddr_t pa; > + paddr_t last_pa; > + unsigned int n; > + uint32_t frag_len; > + uint32_t tot_len; > + int ret; > + unsigned int range_count; > + unsigned int range_base; > + bool first; > + > + memset(descr, 0, sizeof(*descr)); > + descr->sender_id = shm->sender_id; > + descr->global_handle = shm->handle; > + descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; > + descr->mem_access_count = 1; > + descr->mem_access_size = sizeof(*mem_access_array); > + descr->mem_access_offs = sizeof(*descr); > + mem_access_array = (void *)(descr + 1); > + region_descr = (void *)(mem_access_array + 1); > + > + memset(mem_access_array, 0, sizeof(*mem_access_array)); > + mem_access_array[0].access_perm.endpoint_id = shm->ep_id; > + mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; > + mem_access_array[0].region_offs = (vaddr_t)region_descr - (vaddr_t)ffa_tx; > + > + memset(region_descr, 0, sizeof(*region_descr)); > + region_descr->total_page_count = shm->page_count; > + > + region_descr->address_range_count = 1; > + last_pa = page_to_maddr(shm->pages[0]); > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + PAGE_SIZE == pa ) > + { > + continue; > + } > + region_descr->address_range_count++; > + } > + > + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + > + sizeof(*region_descr) + > + region_descr->address_range_count * sizeof(*addr_range); > + > + addr_range = region_descr->address_range_array; > + frag_len = (vaddr_t)(addr_range + 1) - (vaddr_t)ffa_tx; > + last_pa = page_to_maddr(shm->pages[0]); > + init_range(addr_range, last_pa); > + first = true; > + range_count = 1; > + range_base = 0; > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + PAGE_SIZE == pa ) > + { > + addr_range->page_count++; > + continue; > + } > + > + if ( frag_len == max_frag_len ) > + { > + if ( first ) > + { > + ret = ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > + first = false; > + } > + else > + { > + ret = ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > + } > + if ( ret <= 0) > + return ret; > + range_base = range_count; > + range_count = 0; > + frag_len = sizeof(*addr_range); > + addr_range = ffa_tx; > + } > + else > + { > + frag_len += sizeof(*addr_range); > + addr_range++; > + } > + init_range(addr_range, pa); > + range_count++; > + } > + > + if ( first ) > + return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > + else > + return ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > +} > + > +static int read_mem_transaction(uint32_t ffa_vers, void *buf, size_t blen, > + struct ffa_mem_transaction_x *trans) > +{ > + uint16_t mem_reg_attr; > + uint32_t flags; > + uint32_t count; > + uint32_t offs; > + uint32_t size; > + > + if ( ffa_vers >= FFA_VERSION_1_1 ) > + { > + struct ffa_mem_transaction_1_1 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = read_atomic(&descr->sender_id); > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > + flags = read_atomic(&descr->flags); > + trans->global_handle = read_atomic(&descr->global_handle); > + trans->tag = read_atomic(&descr->tag); > + > + count = read_atomic(&descr->mem_access_count); > + size = read_atomic(&descr->mem_access_size); > + offs = read_atomic(&descr->mem_access_offs); > + } > + else > + { > + struct ffa_mem_transaction_1_0 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = read_atomic(&descr->sender_id); > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > + flags = read_atomic(&descr->flags); > + trans->global_handle = read_atomic(&descr->global_handle); > + trans->tag = read_atomic(&descr->tag); > + > + count = read_atomic(&descr->mem_access_count); > + size = sizeof(struct ffa_mem_access); > + offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); > + } > + > + if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || > + count > UINT8_MAX || offs > UINT16_MAX ) > + return FFA_RET_INVALID_PARAMETERS; > + > + /* Check that the endpoint memory access descriptor array fits */ > + if ( size * count + offs > blen ) > + return FFA_RET_INVALID_PARAMETERS; > + > + trans->mem_reg_attr = mem_reg_attr; > + trans->flags = flags; > + trans->mem_access_size = size; > + trans->mem_access_count = count; > + trans->mem_access_offs = offs; > + return 0; > +} > + > +static int add_mem_share_frag(struct mem_frag_state *s, unsigned int offs, > + unsigned int frag_len) > +{ > + struct domain *d = current->domain; > + unsigned int o = offs; > + unsigned int l; > + int ret; > + > + if ( frag_len < o ) > + return FFA_RET_INVALID_PARAMETERS; > + > + /* Fill up the first struct ffa_address_range */ > + l = min_t(unsigned int, frag_len - o, sizeof(s->range) - s->range_offset); > + memcpy((uint8_t *)&s->range + s->range_offset, s->buf + o, l); > + s->range_offset += l; > + o += l; > + if ( s->range_offset != sizeof(s->range) ) > + goto out; > + s->range_offset = 0; > + > + while ( true ) > + { > + ret = get_shm_pages(d, s->shm, &s->range, 1, s->current_page_idx, > + &s->current_page_idx); > + if ( ret ) > + return ret; > + if ( s->range_count == 1 ) > + return 0; > + s->range_count--; > + if ( frag_len - o < sizeof(s->range) ) > + break; > + memcpy(&s->range, s->buf + o, sizeof(s->range)); > + o += sizeof(s->range); > + } > + > + /* Collect any remaining bytes for the next struct ffa_address_range */ > + s->range_offset = frag_len - o; > + memcpy(&s->range, s->buf + o, frag_len - o); > +out: > + s->frag_offset += frag_len; > + return s->frag_offset; > +} > + > +static void handle_mem_share(struct cpu_user_regs *regs) > +{ > + uint32_t tot_len = get_user_reg(regs, 1); > + uint32_t frag_len = get_user_reg(regs, 2); > + uint64_t addr = get_user_reg(regs, 3); > + uint32_t page_count = get_user_reg(regs, 4); > + struct ffa_mem_transaction_x trans; > + struct ffa_mem_access *mem_access; > + struct ffa_mem_region *region_descr; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + struct ffa_shm_mem *shm = NULL; > + unsigned int last_page_idx = 0; > + uint32_t range_count; > + uint32_t region_offs; > + int ret = FFA_RET_DENIED; > + uint32_t handle_hi = 0; > + uint32_t handle_lo = 0; > + > + /* > + * We're only accepting memory transaction descriptors via the rx/tx > + * buffer. > + */ > + if ( addr ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + /* Check that fragment legnth doesn't exceed total length */ > + if ( frag_len > tot_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + spin_lock(&ctx->lock); > + > + if ( frag_len > ctx->page_count * PAGE_SIZE ) > + goto out_unlock; > + > + if ( !ffa_page_count ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out_unlock; > + } > + > + ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); > + if ( ret ) > + goto out_unlock; > + > + if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out; > + } > + > + /* Only supports sharing it with one SP for now */ > + if ( trans.mem_access_count != 1 ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + if ( trans.sender_id != get_vm_id(d) ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + /* Check that it fits in the supplied data */ > + if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) > + goto out_unlock; > + > + mem_access = (void *)((vaddr_t)ctx->tx + trans.mem_access_offs); > + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_offs = read_atomic(&mem_access->region_offs); > + if ( sizeof(*region_descr) + region_offs > frag_len ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); > + range_count = read_atomic(®ion_descr->address_range_count); > + page_count = read_atomic(®ion_descr->total_page_count); > + > + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count); > + if ( !shm ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out; > + } > + shm->sender_id = trans.sender_id; > + shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); > + shm->page_count = page_count; > + > + if ( frag_len != tot_len ) > + { > + struct mem_frag_state *s = xzalloc(struct mem_frag_state); > + > + if ( !s ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out; > + } > + s->shm = shm; > + s->range_count = range_count; > + s->buf = ctx->tx; > + s->buf_size = ffa_page_count * PAGE_SIZE; > + ret = add_mem_share_frag(s, sizeof(*region_descr) + region_offs, > + frag_len); > + if ( ret <= 0 ) > + { > + xfree(s); > + if ( ret < 0 ) > + goto out; > + } > + else > + { > + shm->handle = next_handle++; > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > + list_add_tail(&s->list, &ctx->frag_list); > + } > + goto out_unlock; > + } > + > + /* > + * Check that the Composite memory region descriptor fits. > + */ > + if ( sizeof(*region_descr) + region_offs + > + range_count * sizeof(struct ffa_address_range) > frag_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, > + 0, &last_page_idx); > + if ( ret ) > + goto out; > + if ( last_page_idx != shm->page_count ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + /* Note that share_shm() uses our tx buffer */ > + spin_lock(&ffa_buffer_lock); > + ret = share_shm(shm); > + spin_unlock(&ffa_buffer_lock); > + if ( ret ) > + goto out; > + > + spin_lock(&ffa_mem_list_lock); > + list_add_tail(&shm->list, &ffa_mem_list); > + spin_unlock(&ffa_mem_list_lock); > + > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > + > +out: > + if ( ret && shm ) > + { > + put_shm_pages(shm); > + xfree(shm); > + } > +out_unlock: > + spin_unlock(&ctx->lock); > + > + if ( ret > 0 ) > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, trans.sender_id); > + else if ( ret == 0) > + set_regs_success(regs, handle_lo, handle_hi); > + else > + set_regs_error(regs, ret); > +} > + > +static struct mem_frag_state *find_frag_state(struct ffa_ctx *ctx, > + uint64_t handle) > +{ > + struct mem_frag_state *s; > + > + list_for_each_entry(s, &ctx->frag_list, list) > + if ( s->shm->handle == handle ) > + return s; > + > + return NULL; > +} > + > +static void handle_mem_frag_tx(struct cpu_user_regs *regs) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t frag_len = get_user_reg(regs, 3); > + uint32_t handle_lo = get_user_reg(regs, 1); > + uint32_t handle_hi = get_user_reg(regs, 2); > + uint64_t handle = reg_pair_to_64(handle_hi, handle_lo); > + struct mem_frag_state *s; > + uint16_t sender_id = 0; > + int ret; > + > + spin_lock(&ctx->lock); > + s = find_frag_state(ctx, handle); > + if ( !s ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + sender_id = s->shm->sender_id; > + > + if ( frag_len > s->buf_size ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + ret = add_mem_share_frag(s, 0, frag_len); > + if ( ret == 0 ) > + { > + /* Note that share_shm() uses our tx buffer */ > + spin_lock(&ffa_buffer_lock); > + ret = share_shm(s->shm); > + spin_unlock(&ffa_buffer_lock); > + if ( ret == 0 ) > + { > + spin_lock(&ffa_mem_list_lock); > + list_add_tail(&s->shm->list, &ffa_mem_list); > + spin_unlock(&ffa_mem_list_lock); > + } > + else > + { > + put_shm_pages(s->shm); > + xfree(s->shm); > + } > + list_del(&s->list); > + xfree(s); > + } > + else if ( ret < 0 ) > + { > + put_shm_pages(s->shm); > + xfree(s->shm); > + list_del(&s->list); > + xfree(s); > + } > +out: > + spin_unlock(&ctx->lock); > + > + if ( ret > 0 ) > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, sender_id); > + else if ( ret == 0) > + set_regs_success(regs, handle_lo, handle_hi); > + else > + set_regs_error(regs, ret); > +} > + > +static int handle_mem_reclaim(uint64_t handle, uint32_t flags) > +{ > + struct ffa_shm_mem *shm; > + uint32_t handle_hi; > + uint32_t handle_lo; > + int ret; > + > + spin_lock(&ffa_mem_list_lock); > + list_for_each_entry(shm, &ffa_mem_list, list) > + { > + if ( shm->handle == handle ) > + goto found_it; > + } > + shm = NULL; > +found_it: > + spin_unlock(&ffa_mem_list_lock); > + > + if ( !shm ) > + return FFA_RET_INVALID_PARAMETERS; > + > + reg_pair_from_64(&handle_hi, &handle_lo, handle); > + ret = ffa_mem_reclaim(handle_lo, handle_hi, flags); > + if ( ret ) > + return ret; > + > + spin_lock(&ffa_mem_list_lock); > + list_del(&shm->list); > + spin_unlock(&ffa_mem_list_lock); > + > + put_shm_pages(shm); > + xfree(shm); > + > + return ret; > +} > + > +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t count; > + uint32_t e; > + > + if ( !ctx ) > + return false; > + > + switch ( fid ) > + { > + case FFA_VERSION: > + handle_version(regs); > + return true; > + case FFA_ID_GET: > + set_regs_success(regs, get_vm_id(d), 0); > + return true; > + case FFA_RXTX_MAP_32: > +#ifdef CONFIG_ARM_64 > + case FFA_RXTX_MAP_64: > +#endif > + e = handle_rxtx_map(fid, get_user_reg(regs, 1), get_user_reg(regs, 2), > + get_user_reg(regs, 3)); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_RXTX_UNMAP: > + e = handle_rxtx_unmap(); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_PARTITION_INFO_GET: > + e = handle_partition_info_get(get_user_reg(regs, 1), > + get_user_reg(regs, 2), > + get_user_reg(regs, 3), > + get_user_reg(regs, 4), > + get_user_reg(regs, 5), &count); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, count, 0); > + return true; > + case FFA_RX_RELEASE: > + e = handle_rx_release(); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_MSG_SEND_DIRECT_REQ_32: > +#ifdef CONFIG_ARM_64 > + case FFA_MSG_SEND_DIRECT_REQ_64: > +#endif > + handle_msg_send_direct_req(regs, fid); > + return true; > + case FFA_MEM_SHARE_32: > +#ifdef CONFIG_ARM_64 > + case FFA_MEM_SHARE_64: > +#endif > + handle_mem_share(regs); > + return true; > + case FFA_MEM_RECLAIM: > + e = handle_mem_reclaim(reg_pair_to_64(get_user_reg(regs, 2), > + get_user_reg(regs, 1)), > + get_user_reg(regs, 3)); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_MEM_FRAG_TX: > + handle_mem_frag_tx(regs); > + return true; > + > + default: > + printk(XENLOG_ERR "ffa: unhandled fid 0x%x\n", fid); > + return false; > + } > +} > + > +int ffa_domain_init(struct domain *d, bool ffa_enabled) > +{ > + struct ffa_ctx *ctx; > + unsigned int n; > + unsigned int m; > + unsigned int c_pos; > + int32_t res; > + > + if ( !ffa_version || !ffa_enabled ) > + return 0; > + > + ctx = xzalloc(struct ffa_ctx); > + if ( !ctx ) > + return -ENOMEM; > + > + for ( n = 0; n < subsr_vm_created_count; n++ ) > + { > + res = ffa_direct_req_send_vm(subsr_vm_created[n], get_vm_id(d), > + FFA_MSG_SEND_VM_CREATED); > + if ( res ) > + { > + printk(XENLOG_ERR "ffa: Failed to report creation of vm_id %u to %u: res %d\n", > + get_vm_id(d), subsr_vm_created[n], res); > + c_pos = n; > + goto err; > + } > + } > + > + INIT_LIST_HEAD(&ctx->frag_list); > + > + d->arch.ffa = ctx; > + > + return 0; > + > +err: > + /* Undo any already sent vm created messaged */ > + for ( n = 0; n < c_pos; n++ ) > + for ( m = 0; m < subsr_vm_destroyed_count; m++ ) > + if ( subsr_vm_destroyed[m] == subsr_vm_created[n] ) > + ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), > + FFA_MSG_SEND_VM_DESTROYED); > + return -ENOMEM; > +} > + > +int ffa_relinquish_resources(struct domain *d) > +{ > + struct ffa_ctx *ctx = d->arch.ffa; > + unsigned int n; > + int32_t res; > + > + if ( !ctx ) > + return 0; > + > + for ( n = 0; n < subsr_vm_destroyed_count; n++ ) > + { > + res = ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), > + FFA_MSG_SEND_VM_DESTROYED); > + > + if ( res ) > + printk(XENLOG_ERR "ffa: Failed to report destruction of vm_id %u to %u: res %d\n", > + get_vm_id(d), subsr_vm_destroyed[n], res); > + } > + > + XFREE(d->arch.ffa); > + > + return 0; > +} > + > +static bool __init init_subscribers(void) > +{ > + struct ffa_partition_info_1_1 *fpi; > + bool ret = false; > + uint32_t count; > + uint32_t e; > + uint32_t n; > + uint32_t c_pos; > + uint32_t d_pos; > + > + if ( ffa_version < FFA_VERSION_1_1 ) > + return true; > + > + e = ffa_partition_info_get(0, 0, 0, 0, 1, &count); > + ffa_rx_release(); > + if ( e ) > + { > + printk(XENLOG_ERR "ffa: Failed to get list of SPs: %d\n", (int)e); > + goto out; > + } > + > + fpi = ffa_rx; > + subsr_vm_created_count = 0; > + subsr_vm_destroyed_count = 0; > + for ( n = 0; n < count; n++ ) > + { > + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED) > + subsr_vm_created_count++; > + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED) > + subsr_vm_destroyed_count++; > + } > + > + if ( subsr_vm_created_count ) > + subsr_vm_created = xzalloc_array(uint16_t, subsr_vm_created_count); > + if ( subsr_vm_destroyed_count ) > + subsr_vm_destroyed = xzalloc_array(uint16_t, subsr_vm_destroyed_count); > + if ( (subsr_vm_created_count && !subsr_vm_created) || > + (subsr_vm_destroyed_count && !subsr_vm_destroyed) ) > + { > + printk(XENLOG_ERR "ffa: Failed to allocate subscription lists\n"); > + subsr_vm_created_count = 0; > + subsr_vm_destroyed_count = 0; > + XFREE(subsr_vm_created); > + XFREE(subsr_vm_destroyed); > + goto out; > + } > + > + for ( c_pos = 0, d_pos = 0, n = 0; n < count; n++ ) > + { > + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED ) > + subsr_vm_created[c_pos++] = fpi[n].id; > + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) > + subsr_vm_destroyed[d_pos++] = fpi[n].id; > + } > + > + ret = true; > +out: > + ffa_rx_release(); > + return ret; > +} > + > +static int __init ffa_init(void) > +{ > + uint32_t vers; > + uint32_t e; > + unsigned int major_vers; > + unsigned int minor_vers; > + > + /* > + * psci_init_smccc() updates this value with what's reported by EL-3 > + * or secure world. > + */ > + if ( smccc_ver < ARM_SMCCC_VERSION_1_2 ) > + { > + printk(XENLOG_ERR > + "ffa: unsupported SMCCC version %#x (need at least %#x)\n", > + smccc_ver, ARM_SMCCC_VERSION_1_2); > + return 0; > + } > + > + if ( !ffa_get_version(&vers) ) > + return 0; > + > + if ( vers < FFA_MIN_VERSION || vers > FFA_MY_VERSION ) > + { > + printk(XENLOG_ERR "ffa: Incompatible version %#x found\n", vers); > + return 0; > + } > + > + major_vers = (vers >> FFA_VERSION_MAJOR_SHIFT) & FFA_VERSION_MAJOR_MASK; > + minor_vers = vers & FFA_VERSION_MINOR_MASK; > + printk(XENLOG_INFO "ARM FF-A Mediator version %u.%u\n", > + FFA_VERSION_MAJOR, FFA_VERSION_MINOR); > + printk(XENLOG_INFO "ARM FF-A Firmware version %u.%u\n", > + major_vers, minor_vers); > + > + if ( !check_mandatory_feature(FFA_PARTITION_INFO_GET) || > + !check_mandatory_feature(FFA_RX_RELEASE) || > +#ifdef CONFIG_ARM_64 > + !check_mandatory_feature(FFA_RXTX_MAP_64) || > + !check_mandatory_feature(FFA_MEM_SHARE_64) || > +#endif > +#ifdef CONFIG_ARM_32 > + !check_mandatory_feature(FFA_RXTX_MAP_32) || > +#endif > + !check_mandatory_feature(FFA_RXTX_UNMAP) || > + !check_mandatory_feature(FFA_MEM_SHARE_32) || > + !check_mandatory_feature(FFA_MEM_FRAG_TX) || > + !check_mandatory_feature(FFA_MEM_RECLAIM) || > + !check_mandatory_feature(FFA_MSG_SEND_DIRECT_REQ_32) ) > + return 0; > + > + ffa_rx = alloc_xenheap_pages(0, 0); > + if ( !ffa_rx ) > + return 0; > + > + ffa_tx = alloc_xenheap_pages(0, 0); > + if ( !ffa_tx ) > + goto err_free_ffa_rx; > + > + e = ffa_rxtx_map(__pa(ffa_tx), __pa(ffa_rx), 1); > + if ( e ) > + { > + printk(XENLOG_ERR "ffa: Failed to map rxtx: error %d\n", (int)e); > + goto err_free_ffa_tx; > + } > + ffa_page_count = 1; > + ffa_version = vers; > + > + if ( !init_subscribers() ) > + goto err_free_ffa_tx; > + > + return 0; > + > +err_free_ffa_tx: > + free_xenheap_pages(ffa_tx, 0); > + ffa_tx = NULL; > +err_free_ffa_rx: > + free_xenheap_pages(ffa_rx, 0); > + ffa_rx = NULL; > + ffa_page_count = 0; > + ffa_version = 0; > + XFREE(subsr_vm_created); > + subsr_vm_created_count = 0; > + XFREE(subsr_vm_destroyed); > + subsr_vm_destroyed_count = 0; > + return 0; > +} > + > +__initcall(ffa_init); > diff --git a/xen/arch/arm/include/asm/domain.h b/xen/arch/arm/include/asm/domain.h > index ed63c2b6f91f..b3dee269bced 100644 > --- a/xen/arch/arm/include/asm/domain.h > +++ b/xen/arch/arm/include/asm/domain.h > @@ -103,6 +103,10 @@ struct arch_domain > void *tee; > #endif > > +#ifdef CONFIG_FFA > + void *ffa; > +#endif > + > bool directmap; > } __cacheline_aligned; > > diff --git a/xen/arch/arm/include/asm/ffa.h b/xen/arch/arm/include/asm/ffa.h > new file mode 100644 > index 000000000000..4f4a739345bd > --- /dev/null > +++ b/xen/arch/arm/include/asm/ffa.h > @@ -0,0 +1,71 @@ > +/* > + * xen/arch/arm/ffa.c > + * > + * Arm Firmware Framework for ARMv8-A(FFA) mediator > + * > + * Copyright (C) 2021 Linaro Limited > + * > + * Permission is hereby granted, free of charge, to any person > + * obtaining a copy of this software and associated documentation > + * files (the "Software"), to deal in the Software without restriction, > + * including without limitation the rights to use, copy, modify, merge, > + * publish, distribute, sublicense, and/or sell copies of the Software, > + * and to permit persons to whom the Software is furnished to do so, > + * subject to the following conditions: > + * > + * The above copyright notice and this permission notice shall be > + * included in all copies or substantial portions of the Software. > + * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > + */ > + > +#ifndef __ASM_ARM_FFA_H__ > +#define __ASM_ARM_FFA_H__ > + > +#include <xen/const.h> > + > +#include <asm/smccc.h> > +#include <asm/types.h> > + > +#define FFA_FNUM_MIN_VALUE _AC(0x60,U) > +#define FFA_FNUM_MAX_VALUE _AC(0x86,U) > + > +static inline bool is_ffa_fid(uint32_t fid) > +{ > + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; > + > + return fn >= FFA_FNUM_MIN_VALUE && fn <= FFA_FNUM_MAX_VALUE; > +} > + > +#ifdef CONFIG_FFA > +#define FFA_NR_FUNCS 11 > + > +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid); > +int ffa_domain_init(struct domain *d, bool ffa_enabled); > +int ffa_relinquish_resources(struct domain *d); > +#else > +#define FFA_NR_FUNCS 0 > + > +static inline bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) > +{ > + return false; > +} > + > +static inline int ffa_domain_init(struct domain *d, bool ffa_enabled) > +{ > + return 0; > +} > + > +static inline int ffa_relinquish_resources(struct domain *d) > +{ > + return 0; > +} > +#endif > + > +#endif /*__ASM_ARM_FFA_H__*/ > diff --git a/xen/arch/arm/vsmc.c b/xen/arch/arm/vsmc.c > index 6f90c08a6304..34586025eff8 100644 > --- a/xen/arch/arm/vsmc.c > +++ b/xen/arch/arm/vsmc.c > @@ -20,6 +20,7 @@ > #include <public/arch-arm/smccc.h> > #include <asm/cpuerrata.h> > #include <asm/cpufeature.h> > +#include <asm/ffa.h> > #include <asm/monitor.h> > #include <asm/regs.h> > #include <asm/smccc.h> > @@ -32,7 +33,7 @@ > #define XEN_SMCCC_FUNCTION_COUNT 3 > > /* Number of functions currently supported by Standard Service Service Calls. */ > -#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS) > +#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS + FFA_NR_FUNCS) > > static bool fill_uid(struct cpu_user_regs *regs, xen_uuid_t uuid) > { > @@ -196,13 +197,23 @@ static bool handle_existing_apis(struct cpu_user_regs *regs) > return do_vpsci_0_1_call(regs, fid); > } > > +static bool is_psci_fid(uint32_t fid) > +{ > + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; > + > + return fn >= 0 && fn <= 0x1fU; > +} > + > /* PSCI 0.2 interface and other Standard Secure Calls */ > static bool handle_sssc(struct cpu_user_regs *regs) > { > uint32_t fid = (uint32_t)get_user_reg(regs, 0); > > - if ( do_vpsci_0_2_call(regs, fid) ) > - return true; > + if ( is_psci_fid(fid) ) > + return do_vpsci_0_2_call(regs, fid); > + > + if ( is_ffa_fid(fid) ) > + return ffa_handle_call(regs, fid); > > switch ( fid ) > { > diff --git a/xen/include/public/arch-arm.h b/xen/include/public/arch-arm.h > index ab05fe12b0de..53f8d44a6a8e 100644 > --- a/xen/include/public/arch-arm.h > +++ b/xen/include/public/arch-arm.h > @@ -318,6 +318,8 @@ struct xen_arch_domainconfig { > /* IN/OUT */ > uint8_t gic_version; > /* IN */ > + uint8_t ffa_enabled; > + /* IN */ > uint16_t tee_type; > /* IN */ > uint32_t nr_spis; > -- > 2.31.1 >
Hi Jens, > On 22 Jun 2022, at 14:42, Jens Wiklander <jens.wiklander@linaro.org> wrote: > > Adds a FF-A version 1.1 [1] mediator to communicate with a Secure > Partition in secure world. > > The implementation is the bare minimum to be able to communicate with > OP-TEE running as an SPMC at S-EL1. > > This is loosely based on the TEE mediator framework and the OP-TEE > mediator. > > [1] https://developer.arm.com/documentation/den0077/latest > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> I spent quite some time on this patch and on the spec and there are far to much code and concepts introduced here to be able to do a review in one go. Could you try to split the patch to introduce each concept in a specific patch ? I would suggest something like introducing each call in its own patch, having a specific patch for the tool support, etc. At this stage I am not convinced that there is no issue here where a guest could access information from an other guest and reviewing smaller patches will help me following the spec for each subject and ask questions along the way. Cheers Bertrand > --- > SUPPORT.md | 7 + > tools/libs/light/libxl_arm.c | 3 + > tools/libs/light/libxl_types.idl | 1 + > tools/xl/xl_parse.c | 3 + > xen/arch/arm/Kconfig | 11 + > xen/arch/arm/Makefile | 1 + > xen/arch/arm/domain.c | 10 + > xen/arch/arm/domain_build.c | 1 + > xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ > xen/arch/arm/include/asm/domain.h | 4 + > xen/arch/arm/include/asm/ffa.h | 71 ++ > xen/arch/arm/vsmc.c | 17 +- > xen/include/public/arch-arm.h | 2 + > 13 files changed, 1811 insertions(+), 3 deletions(-) > create mode 100644 xen/arch/arm/ffa.c > create mode 100644 xen/arch/arm/include/asm/ffa.h > > diff --git a/SUPPORT.md b/SUPPORT.md > index 70e98964cbc0..215bb3c9043b 100644 > --- a/SUPPORT.md > +++ b/SUPPORT.md > @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. > > No support for QEMU backends in a 16K or 64K domain. > > +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator > + > + Status, Arm64: Tech Preview > + > +There are still some code paths where a vCPU may hog a pCPU longer than > +necessary. The FF-A mediator is not yet implemented for Arm32. > + > ### ARM: Guest Device Tree support > > Status: Supported > diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c > index eef1de093914..a985609861c7 100644 > --- a/tools/libs/light/libxl_arm.c > +++ b/tools/libs/light/libxl_arm.c > @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, > return ERROR_FAIL; > } > > + config->arch.ffa_enabled = > + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); > + > return 0; > } > > diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl > index 2a42da2f7d78..bf4544bef399 100644 > --- a/tools/libs/light/libxl_types.idl > +++ b/tools/libs/light/libxl_types.idl > @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ > > ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), > ("vuart", libxl_vuart_type), > + ("ffa_enabled", libxl_defbool), > ])), > ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool), > ])), > diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c > index b98c0de378b6..e0e99ed8d2b1 100644 > --- a/tools/xl/xl_parse.c > +++ b/tools/xl/xl_parse.c > @@ -2746,6 +2746,9 @@ skip_usbdev: > exit(-ERROR_FAIL); > } > } > + libxl_defbool_setdefault(&b_info->arch_arm.ffa_enabled, false); > + xlu_cfg_get_defbool(config, "ffa_enabled", > + &b_info->arch_arm.ffa_enabled, 0); > > parse_vkb_list(config, d_config); > > diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig > index be9eff014120..e57e1d3757e2 100644 > --- a/xen/arch/arm/Kconfig > +++ b/xen/arch/arm/Kconfig > @@ -139,6 +139,17 @@ config TEE > > source "arch/arm/tee/Kconfig" > > +config FFA > + bool "Enable FF-A mediator support" if EXPERT > + default n > + depends on ARM_64 > + help > + This option enables a minimal FF-A mediator. The mediator is > + generic as it follows the FF-A specification [1], but it only > + implements a small subset of the specification. > + > + [1] https://developer.arm.com/documentation/den0077/latest > + > endmenu > > menu "ARM errata workaround via the alternative framework" > diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile > index bb7a6151c13c..af0c69f793d4 100644 > --- a/xen/arch/arm/Makefile > +++ b/xen/arch/arm/Makefile > @@ -20,6 +20,7 @@ obj-y += domain_build.init.o > obj-y += domctl.o > obj-$(CONFIG_EARLY_PRINTK) += early_printk.o > obj-y += efi/ > +obj-$(CONFIG_FFA) += ffa.o > obj-y += gic.o > obj-y += gic-v2.o > obj-$(CONFIG_GICV3) += gic-v3.o > diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c > index 8110c1df8638..a3f00e7e234d 100644 > --- a/xen/arch/arm/domain.c > +++ b/xen/arch/arm/domain.c > @@ -27,6 +27,7 @@ > #include <asm/cpufeature.h> > #include <asm/current.h> > #include <asm/event.h> > +#include <asm/ffa.h> > #include <asm/gic.h> > #include <asm/guest_atomics.h> > #include <asm/irq.h> > @@ -756,6 +757,9 @@ int arch_domain_create(struct domain *d, > if ( (rc = tee_domain_init(d, config->arch.tee_type)) != 0 ) > goto fail; > > + if ( (rc = ffa_domain_init(d, config->arch.ffa_enabled)) != 0 ) > + goto fail; > + > update_domain_wallclock_time(d); > > /* > @@ -998,6 +1002,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) > enum { > PROG_pci = 1, > PROG_tee, > + PROG_ffa, > PROG_xen, > PROG_page, > PROG_mapping, > @@ -1043,6 +1048,11 @@ int domain_relinquish_resources(struct domain *d) > > PROGRESS(tee): > ret = tee_relinquish_resources(d); > + if ( ret ) > + return ret; > + > + PROGRESS(ffa): > + ret = ffa_relinquish_resources(d); > if (ret ) > return ret; > > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c > index 7ddd16c26da5..d708f76356f7 100644 > --- a/xen/arch/arm/domain_build.c > +++ b/xen/arch/arm/domain_build.c > @@ -3450,6 +3450,7 @@ void __init create_dom0(void) > if ( gic_number_lines() > 992 ) > printk(XENLOG_WARNING "Maximum number of vGIC IRQs exceeded.\n"); > dom0_cfg.arch.tee_type = tee_get_type(); > + dom0_cfg.arch.ffa_enabled = true; > dom0_cfg.max_vcpus = dom0_max_vcpus(); > > if ( iommu_enabled ) > diff --git a/xen/arch/arm/ffa.c b/xen/arch/arm/ffa.c > new file mode 100644 > index 000000000000..3117ce5cec4d > --- /dev/null > +++ b/xen/arch/arm/ffa.c > @@ -0,0 +1,1683 @@ > +/* > + * xen/arch/arm/ffa.c > + * > + * Arm Firmware Framework for ARMv8-A (FF-A) mediator > + * > + * Copyright (C) 2022 Linaro Limited > + * > + * Permission is hereby granted, free of charge, to any person > + * obtaining a copy of this software and associated documentation > + * files (the "Software"), to deal in the Software without restriction, > + * including without limitation the rights to use, copy, modify, merge, > + * publish, distribute, sublicense, and/or sell copies of the Software, > + * and to permit persons to whom the Software is furnished to do so, > + * subject to the following conditions: > + * > + * The above copyright notice and this permission notice shall be > + * included in all copies or substantial portions of the Software. > + * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > + */ > + > +#include <xen/domain_page.h> > +#include <xen/errno.h> > +#include <xen/init.h> > +#include <xen/lib.h> > +#include <xen/sched.h> > +#include <xen/types.h> > +#include <xen/sizes.h> > +#include <xen/bitops.h> > + > +#include <asm/smccc.h> > +#include <asm/event.h> > +#include <asm/ffa.h> > +#include <asm/regs.h> > + > +/* Error codes */ > +#define FFA_RET_OK 0 > +#define FFA_RET_NOT_SUPPORTED -1 > +#define FFA_RET_INVALID_PARAMETERS -2 > +#define FFA_RET_NO_MEMORY -3 > +#define FFA_RET_BUSY -4 > +#define FFA_RET_INTERRUPTED -5 > +#define FFA_RET_DENIED -6 > +#define FFA_RET_RETRY -7 > +#define FFA_RET_ABORTED -8 > + > +/* FFA_VERSION helpers */ > +#define FFA_VERSION_MAJOR _AC(1,U) > +#define FFA_VERSION_MAJOR_SHIFT _AC(16,U) > +#define FFA_VERSION_MAJOR_MASK _AC(0x7FFF,U) > +#define FFA_VERSION_MINOR _AC(1,U) > +#define FFA_VERSION_MINOR_SHIFT _AC(0,U) > +#define FFA_VERSION_MINOR_MASK _AC(0xFFFF,U) > +#define MAKE_FFA_VERSION(major, minor) \ > + ((((major) & FFA_VERSION_MAJOR_MASK) << FFA_VERSION_MAJOR_SHIFT) | \ > + ((minor) & FFA_VERSION_MINOR_MASK)) > + > +#define FFA_MIN_VERSION MAKE_FFA_VERSION(1, 0) > +#define FFA_VERSION_1_0 MAKE_FFA_VERSION(1, 0) > +#define FFA_VERSION_1_1 MAKE_FFA_VERSION(1, 1) > +#define FFA_MY_VERSION MAKE_FFA_VERSION(FFA_VERSION_MAJOR, \ > + FFA_VERSION_MINOR) > + > + > +#define FFA_HANDLE_HYP_FLAG BIT(63,ULL) > + > +/* Memory attributes: Normal memory, Write-Back cacheable, Inner shareable */ > +#define FFA_NORMAL_MEM_REG_ATTR _AC(0x2f,U) > + > +/* Memory access permissions: Read-write */ > +#define FFA_MEM_ACC_RW _AC(0x2,U) > + > +/* Clear memory before mapping in receiver */ > +#define FFA_MEMORY_REGION_FLAG_CLEAR BIT(0, U) > +/* Relayer may time slice this operation */ > +#define FFA_MEMORY_REGION_FLAG_TIME_SLICE BIT(1, U) > +/* Clear memory after receiver relinquishes it */ > +#define FFA_MEMORY_REGION_FLAG_CLEAR_RELINQUISH BIT(2, U) > + > +/* Share memory transaction */ > +#define FFA_MEMORY_REGION_TRANSACTION_TYPE_SHARE (_AC(1,U) << 3) > + > +#define FFA_HANDLE_INVALID _AC(0xffffffffffffffff,ULL) > + > +/* Framework direct request/response */ > +#define FFA_MSG_FLAG_FRAMEWORK BIT(31, U) > +#define FFA_MSG_TYPE_MASK _AC(0xFF,U); > +#define FFA_MSG_PSCI _AC(0x0,U) > +#define FFA_MSG_SEND_VM_CREATED _AC(0x4,U) > +#define FFA_MSG_RESP_VM_CREATED _AC(0x5,U) > +#define FFA_MSG_SEND_VM_DESTROYED _AC(0x6,U) > +#define FFA_MSG_RESP_VM_DESTROYED _AC(0x7,U) > + > +/* > + * Flags used for the FFA_PARTITION_INFO_GET return message: > + * BIT(0): Supports receipt of direct requests > + * BIT(1): Can send direct requests > + * BIT(2): Can send and receive indirect messages > + * BIT(3): Supports receipt of notifications > + * BIT(4-5): Partition ID is a PE endpoint ID > + */ > +#define FFA_PART_PROP_DIRECT_REQ_RECV BIT(0,U) > +#define FFA_PART_PROP_DIRECT_REQ_SEND BIT(1,U) > +#define FFA_PART_PROP_INDIRECT_MSGS BIT(2,U) > +#define FFA_PART_PROP_RECV_NOTIF BIT(3,U) > +#define FFA_PART_PROP_IS_PE_ID (_AC(0,U) << 4) > +#define FFA_PART_PROP_IS_SEPID_INDEP (_AC(1,U) << 4) > +#define FFA_PART_PROP_IS_SEPID_DEP (_AC(2,U) << 4) > +#define FFA_PART_PROP_IS_AUX_ID (_AC(3,U) << 4) > +#define FFA_PART_PROP_NOTIF_CREATED BIT(6,U) > +#define FFA_PART_PROP_NOTIF_DESTROYED BIT(7,U) > +#define FFA_PART_PROP_AARCH64_STATE BIT(8,U) > + > +/* Function IDs */ > +#define FFA_ERROR _AC(0x84000060,U) > +#define FFA_SUCCESS_32 _AC(0x84000061,U) > +#define FFA_SUCCESS_64 _AC(0xC4000061,U) > +#define FFA_INTERRUPT _AC(0x84000062,U) > +#define FFA_VERSION _AC(0x84000063,U) > +#define FFA_FEATURES _AC(0x84000064,U) > +#define FFA_RX_ACQUIRE _AC(0x84000084,U) > +#define FFA_RX_RELEASE _AC(0x84000065,U) > +#define FFA_RXTX_MAP_32 _AC(0x84000066,U) > +#define FFA_RXTX_MAP_64 _AC(0xC4000066,U) > +#define FFA_RXTX_UNMAP _AC(0x84000067,U) > +#define FFA_PARTITION_INFO_GET _AC(0x84000068,U) > +#define FFA_ID_GET _AC(0x84000069,U) > +#define FFA_SPM_ID_GET _AC(0x84000085,U) > +#define FFA_MSG_WAIT _AC(0x8400006B,U) > +#define FFA_MSG_YIELD _AC(0x8400006C,U) > +#define FFA_MSG_RUN _AC(0x8400006D,U) > +#define FFA_MSG_SEND2 _AC(0x84000086,U) > +#define FFA_MSG_SEND_DIRECT_REQ_32 _AC(0x8400006F,U) > +#define FFA_MSG_SEND_DIRECT_REQ_64 _AC(0xC400006F,U) > +#define FFA_MSG_SEND_DIRECT_RESP_32 _AC(0x84000070,U) > +#define FFA_MSG_SEND_DIRECT_RESP_64 _AC(0xC4000070,U) > +#define FFA_MEM_DONATE_32 _AC(0x84000071,U) > +#define FFA_MEM_DONATE_64 _AC(0xC4000071,U) > +#define FFA_MEM_LEND_32 _AC(0x84000072,U) > +#define FFA_MEM_LEND_64 _AC(0xC4000072,U) > +#define FFA_MEM_SHARE_32 _AC(0x84000073,U) > +#define FFA_MEM_SHARE_64 _AC(0xC4000073,U) > +#define FFA_MEM_RETRIEVE_REQ_32 _AC(0x84000074,U) > +#define FFA_MEM_RETRIEVE_REQ_64 _AC(0xC4000074,U) > +#define FFA_MEM_RETRIEVE_RESP _AC(0x84000075,U) > +#define FFA_MEM_RELINQUISH _AC(0x84000076,U) > +#define FFA_MEM_RECLAIM _AC(0x84000077,U) > +#define FFA_MEM_FRAG_RX _AC(0x8400007A,U) > +#define FFA_MEM_FRAG_TX _AC(0x8400007B,U) > +#define FFA_MSG_SEND _AC(0x8400006E,U) > +#define FFA_MSG_POLL _AC(0x8400006A,U) > + > +/* Partition information descriptor */ > +struct ffa_partition_info_1_0 { > + uint16_t id; > + uint16_t execution_context; > + uint32_t partition_properties; > +}; > + > +struct ffa_partition_info_1_1 { > + uint16_t id; > + uint16_t execution_context; > + uint32_t partition_properties; > + uint8_t uuid[16]; > +}; > + > +/* Constituent memory region descriptor */ > +struct ffa_address_range { > + uint64_t address; > + uint32_t page_count; > + uint32_t reserved; > +}; > + > +/* Composite memory region descriptor */ > +struct ffa_mem_region { > + uint32_t total_page_count; > + uint32_t address_range_count; > + uint64_t reserved; > + struct ffa_address_range address_range_array[]; > +}; > + > +/* Memory access permissions descriptor */ > +struct ffa_mem_access_perm { > + uint16_t endpoint_id; > + uint8_t perm; > + uint8_t flags; > +}; > + > +/* Endpoint memory access descriptor */ > +struct ffa_mem_access { > + struct ffa_mem_access_perm access_perm; > + uint32_t region_offs; > + uint64_t reserved; > +}; > + > +/* Lend, donate or share memory transaction descriptor */ > +struct ffa_mem_transaction_1_0 { > + uint16_t sender_id; > + uint8_t mem_reg_attr; > + uint8_t reserved0; > + uint32_t flags; > + uint64_t global_handle; > + uint64_t tag; > + uint32_t reserved1; > + uint32_t mem_access_count; > + struct ffa_mem_access mem_access_array[]; > +}; > + > +struct ffa_mem_transaction_1_1 { > + uint16_t sender_id; > + uint16_t mem_reg_attr; > + uint32_t flags; > + uint64_t global_handle; > + uint64_t tag; > + uint32_t mem_access_size; > + uint32_t mem_access_count; > + uint32_t mem_access_offs; > + uint8_t reserved[12]; > +}; > + > +/* > + * The parts needed from struct ffa_mem_transaction_1_0 or struct > + * ffa_mem_transaction_1_1, used to provide an abstraction of difference in > + * data structures between version 1.0 and 1.1. This is just an internal > + * interface and can be changed without changing any ABI. > + */ > +struct ffa_mem_transaction_x { > + uint16_t sender_id; > + uint8_t mem_reg_attr; > + uint8_t flags; > + uint8_t mem_access_size; > + uint8_t mem_access_count; > + uint16_t mem_access_offs; > + uint64_t global_handle; > + uint64_t tag; > +}; > + > +/* Endpoint RX/TX descriptor */ > +struct ffa_endpoint_rxtx_descriptor_1_0 { > + uint16_t sender_id; > + uint16_t reserved; > + uint32_t rx_range_count; > + uint32_t tx_range_count; > +}; > + > +struct ffa_endpoint_rxtx_descriptor_1_1 { > + uint16_t sender_id; > + uint16_t reserved; > + uint32_t rx_region_offs; > + uint32_t tx_region_offs; > +}; > + > +struct ffa_ctx { > + void *rx; > + void *tx; > + struct page_info *rx_pg; > + struct page_info *tx_pg; > + unsigned int page_count; > + uint32_t guest_vers; > + bool tx_is_mine; > + bool interrupted; > + struct list_head frag_list; > + spinlock_t lock; > +}; > + > +struct ffa_shm_mem { > + struct list_head list; > + uint16_t sender_id; > + uint16_t ep_id; /* endpoint, the one lending */ > + uint64_t handle; /* FFA_HANDLE_INVALID if not set yet */ > + unsigned int page_count; > + struct page_info *pages[]; > +}; > + > +struct mem_frag_state { > + struct list_head list; > + struct ffa_shm_mem *shm; > + uint32_t range_count; > + unsigned int current_page_idx; > + unsigned int frag_offset; > + unsigned int range_offset; > + uint8_t *buf; > + unsigned int buf_size; > + struct ffa_address_range range; > +}; > + > +/* > + * Our rx/rx buffer shared with the SPMC > + */ > +static uint32_t ffa_version; > +static uint16_t *subsr_vm_created; > +static unsigned int subsr_vm_created_count; > +static uint16_t *subsr_vm_destroyed; > +static unsigned int subsr_vm_destroyed_count; > +static void *ffa_rx; > +static void *ffa_tx; > +static unsigned int ffa_page_count; > +static DEFINE_SPINLOCK(ffa_buffer_lock); > + > +static LIST_HEAD(ffa_mem_list); > +static DEFINE_SPINLOCK(ffa_mem_list_lock); > + > +static uint64_t next_handle = FFA_HANDLE_HYP_FLAG; > + > +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) > +{ > + return (uint64_t)reg0 << 32 | reg1; > +} > + > +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, > + uint64_t val) > +{ > + *reg0 = val >> 32; > + *reg1 = val; > +} > + > +static bool ffa_get_version(uint32_t *vers) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_VERSION, .a1 = FFA_MY_VERSION, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + if ( resp.a0 == FFA_RET_NOT_SUPPORTED ) > + { > + printk(XENLOG_ERR "ffa: FFA_VERSION returned not supported\n"); > + return false; > + } > + > + *vers = resp.a0; > + return true; > +} > + > +static uint32_t get_ffa_ret_code(const struct arm_smccc_1_2_regs *resp) > +{ > + switch ( resp->a0 ) > + { > + case FFA_ERROR: > + if ( resp->a2 ) > + return resp->a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + case FFA_SUCCESS_64: > + return FFA_RET_OK; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static uint32_t ffa_features(uint32_t id) > +{ > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_FEATURES, .a1 = id, }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + return get_ffa_ret_code(&resp); > +} > + > +static bool check_mandatory_feature(uint32_t id) > +{ > + uint32_t ret = ffa_features(id); > + > + if (ret) > + printk(XENLOG_ERR "ffa: mandatory feature id %#x missing\n", id); > + return !ret; > +} > + > +static uint32_t ffa_rxtx_map(register_t tx_addr, register_t rx_addr, > + uint32_t page_count) > +{ > + const struct arm_smccc_1_2_regs arg = { > +#ifdef CONFIG_ARM_64 > + .a0 = FFA_RXTX_MAP_64, > +#endif > +#ifdef CONFIG_ARM_32 > + .a0 = FFA_RXTX_MAP_32, > +#endif > + .a1 = tx_addr, .a2 = rx_addr, > + .a3 = page_count, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static uint32_t ffa_rxtx_unmap(uint16_t vm_id) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_RXTX_UNMAP, .a1 = vm_id, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static uint32_t ffa_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > + uint32_t w4, uint32_t w5, > + uint32_t *count) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_PARTITION_INFO_GET, .a1 = w1, .a2 = w2, .a3 = w3, .a4 = w4, > + .a5 = w5, > + }; > + struct arm_smccc_1_2_regs resp; > + uint32_t ret; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + ret = get_ffa_ret_code(&resp); > + if ( !ret ) > + *count = resp.a2; > + > + return ret; > +} > + > +static uint32_t ffa_rx_release(void) > +{ > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_RX_RELEASE, }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > + register_t addr, uint32_t pg_count, > + uint64_t *handle) > +{ > + struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_SHARE_32, .a1 = tot_len, .a2 = frag_len, .a3 = addr, > + .a4 = pg_count, > + }; > + struct arm_smccc_1_2_regs resp; > + > + /* > + * For arm64 we must use 64-bit calling convention if the buffer isn't > + * passed in our tx buffer. > + */ > + if (sizeof(addr) > 4 && addr) > + arg.a0 = FFA_MEM_SHARE_64; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_ERROR: > + if ( resp.a2 ) > + return resp.a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + *handle = reg_pair_to_64(resp.a3, resp.a2); > + return FFA_RET_OK; > + case FFA_MEM_FRAG_RX: > + *handle = reg_pair_to_64(resp.a2, resp.a1); > + return resp.a3; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static int32_t ffa_mem_frag_tx(uint64_t handle, uint32_t frag_len, > + uint16_t sender_id) > +{ > + struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_FRAG_TX, .a1 = handle & UINT32_MAX, .a2 = handle >> 32, > + .a3 = frag_len, .a4 = (uint32_t)sender_id << 16, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_ERROR: > + if ( resp.a2 ) > + return resp.a2; > + else > + return FFA_RET_NOT_SUPPORTED; > + case FFA_SUCCESS_32: > + return FFA_RET_OK; > + case FFA_MEM_FRAG_RX: > + return resp.a3; > + default: > + return FFA_RET_NOT_SUPPORTED; > + } > +} > + > +static uint32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > + uint32_t flags) > +{ > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MEM_RECLAIM, .a1 = handle_lo, .a2 = handle_hi, .a3 = flags, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + > + return get_ffa_ret_code(&resp); > +} > + > +static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, > + uint8_t msg) > +{ > + uint32_t exp_resp = FFA_MSG_FLAG_FRAMEWORK; > + int32_t res; > + > + if ( msg != FFA_MSG_SEND_VM_CREATED && msg !=FFA_MSG_SEND_VM_DESTROYED ) > + return FFA_RET_INVALID_PARAMETERS; > + > + if ( msg == FFA_MSG_SEND_VM_CREATED ) > + exp_resp |= FFA_MSG_RESP_VM_CREATED; > + else > + exp_resp |= FFA_MSG_RESP_VM_DESTROYED; > + > + do { > + const struct arm_smccc_1_2_regs arg = { > + .a0 = FFA_MSG_SEND_DIRECT_REQ_32, > + .a1 = sp_id, > + .a2 = FFA_MSG_FLAG_FRAMEWORK | msg, > + .a5 = vm_id, > + }; > + struct arm_smccc_1_2_regs resp; > + > + arm_smccc_1_2_smc(&arg, &resp); > + if ( resp.a0 != FFA_MSG_SEND_DIRECT_RESP_32 || resp.a2 != exp_resp ) > + { > + /* > + * This is an invalid response, likely due to some error in the > + * implementation of the ABI. > + */ > + return FFA_RET_INVALID_PARAMETERS; > + } > + res = resp.a3; > + } while ( res == FFA_RET_INTERRUPTED || res == FFA_RET_RETRY ); > + > + return res; > +} > + > +static u16 get_vm_id(struct domain *d) > +{ > + /* +1 since 0 is reserved for the hypervisor in FF-A */ > + return d->domain_id + 1; > +} > + > +static void set_regs(struct cpu_user_regs *regs, register_t v0, register_t v1, > + register_t v2, register_t v3, register_t v4, register_t v5, > + register_t v6, register_t v7) > +{ > + set_user_reg(regs, 0, v0); > + set_user_reg(regs, 1, v1); > + set_user_reg(regs, 2, v2); > + set_user_reg(regs, 3, v3); > + set_user_reg(regs, 4, v4); > + set_user_reg(regs, 5, v5); > + set_user_reg(regs, 6, v6); > + set_user_reg(regs, 7, v7); > +} > + > +static void set_regs_error(struct cpu_user_regs *regs, uint32_t error_code) > +{ > + set_regs(regs, FFA_ERROR, 0, error_code, 0, 0, 0, 0, 0); > +} > + > +static void set_regs_success(struct cpu_user_regs *regs, uint32_t w2, > + uint32_t w3) > +{ > + set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, 0, 0, 0, 0); > +} > + > +static void set_regs_frag_rx(struct cpu_user_regs *regs, uint32_t handle_lo, > + uint32_t handle_hi, uint32_t frag_offset, > + uint16_t sender_id) > +{ > + set_regs(regs, FFA_MEM_FRAG_RX, handle_lo, handle_hi, frag_offset, > + (uint32_t)sender_id << 16, 0, 0, 0); > +} > + > +static void handle_version(struct cpu_user_regs *regs) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t vers = get_user_reg(regs, 1); > + > + if ( vers < FFA_VERSION_1_1 ) > + vers = FFA_VERSION_1_0; > + else > + vers = FFA_VERSION_1_1; > + > + ctx->guest_vers = vers; > + set_regs(regs, vers, 0, 0, 0, 0, 0, 0, 0); > +} > + > +static uint32_t handle_rxtx_map(uint32_t fid, register_t tx_addr, > + register_t rx_addr, uint32_t page_count) > +{ > + uint32_t ret = FFA_RET_INVALID_PARAMETERS; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + struct page_info *tx_pg; > + struct page_info *rx_pg; > + p2m_type_t t; > + void *rx; > + void *tx; > + > + if ( !smccc_is_conv_64(fid) ) > + { > + tx_addr &= UINT32_MAX; > + rx_addr &= UINT32_MAX; > + } > + > + /* For now to keep things simple, only deal with a single page */ > + if ( page_count != 1 ) > + return FFA_RET_NOT_SUPPORTED; > + > + /* Already mapped */ > + if ( ctx->rx ) > + return FFA_RET_DENIED; > + > + tx_pg = get_page_from_gfn(d, gaddr_to_gfn(tx_addr), &t, P2M_ALLOC); > + if ( !tx_pg ) > + return FFA_RET_INVALID_PARAMETERS; > + /* Only normal RAM for now */ > + if (t != p2m_ram_rw) > + goto err_put_tx_pg; > + > + rx_pg = get_page_from_gfn(d, gaddr_to_gfn(rx_addr), &t, P2M_ALLOC); > + if ( !tx_pg ) > + goto err_put_tx_pg; > + /* Only normal RAM for now */ > + if ( t != p2m_ram_rw ) > + goto err_put_rx_pg; > + > + tx = __map_domain_page_global(tx_pg); > + if ( !tx ) > + goto err_put_rx_pg; > + > + rx = __map_domain_page_global(rx_pg); > + if ( !rx ) > + goto err_unmap_tx; > + > + ctx->rx = rx; > + ctx->tx = tx; > + ctx->rx_pg = rx_pg; > + ctx->tx_pg = tx_pg; > + ctx->page_count = 1; > + ctx->tx_is_mine = true; > + return FFA_RET_OK; > + > +err_unmap_tx: > + unmap_domain_page_global(tx); > +err_put_rx_pg: > + put_page(rx_pg); > +err_put_tx_pg: > + put_page(tx_pg); > + return ret; > +} > + > +static uint32_t handle_rxtx_unmap(void) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t ret; > + > + if ( !ctx->rx ) > + return FFA_RET_INVALID_PARAMETERS; > + > + ret = ffa_rxtx_unmap(get_vm_id(d)); > + if ( ret ) > + return ret; > + > + unmap_domain_page_global(ctx->rx); > + unmap_domain_page_global(ctx->tx); > + put_page(ctx->rx_pg); > + put_page(ctx->tx_pg); > + ctx->rx = NULL; > + ctx->tx = NULL; > + ctx->rx_pg = NULL; > + ctx->tx_pg = NULL; > + ctx->page_count = 0; > + ctx->tx_is_mine = false; > + > + return FFA_RET_OK; > +} > + > +static uint32_t handle_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > + uint32_t w4, uint32_t w5, > + uint32_t *count) > +{ > + uint32_t ret = FFA_RET_DENIED; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + > + if ( !ffa_page_count ) > + return FFA_RET_DENIED; > + > + spin_lock(&ctx->lock); > + if ( !ctx->page_count || !ctx->tx_is_mine ) > + goto out; > + ret = ffa_partition_info_get(w1, w2, w3, w4, w5, count); > + if ( ret ) > + goto out; > + if ( ctx->guest_vers == FFA_VERSION_1_0 ) > + { > + size_t n; > + struct ffa_partition_info_1_1 *src = ffa_rx; > + struct ffa_partition_info_1_0 *dst = ctx->rx; > + > + for ( n = 0; n < *count; n++ ) > + { > + dst[n].id = src[n].id; > + dst[n].execution_context = src[n].execution_context; > + dst[n].partition_properties = src[n].partition_properties; > + } > + } > + else > + { > + size_t sz = *count * sizeof(struct ffa_partition_info_1_1); > + > + memcpy(ctx->rx, ffa_rx, sz); > + } > + ffa_rx_release(); > + ctx->tx_is_mine = false; > +out: > + spin_unlock(&ctx->lock); > + > + return ret; > +} > + > +static uint32_t handle_rx_release(void) > +{ > + uint32_t ret = FFA_RET_DENIED; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + > + spin_lock(&ctx->lock); > + if ( !ctx->page_count || ctx->tx_is_mine ) > + goto out; > + ret = FFA_RET_OK; > + ctx->tx_is_mine = true; > +out: > + spin_unlock(&ctx->lock); > + > + return ret; > +} > + > +static void handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid) > +{ > + struct arm_smccc_1_2_regs arg = { .a0 = fid, }; > + struct arm_smccc_1_2_regs resp = { }; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t src_dst; > + uint64_t mask; > + > + if ( smccc_is_conv_64(fid) ) > + mask = 0xffffffffffffffff; > + else > + mask = 0xffffffff; > + > + src_dst = get_user_reg(regs, 1); > + if ( (src_dst >> 16) != get_vm_id(d) ) > + { > + resp.a0 = FFA_ERROR; > + resp.a2 = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + arg.a1 = src_dst; > + arg.a2 = get_user_reg(regs, 2) & mask; > + arg.a3 = get_user_reg(regs, 3) & mask; > + arg.a4 = get_user_reg(regs, 4) & mask; > + arg.a5 = get_user_reg(regs, 5) & mask; > + arg.a6 = get_user_reg(regs, 6) & mask; > + arg.a7 = get_user_reg(regs, 7) & mask; > + > + while ( true ) > + { > + arm_smccc_1_2_smc(&arg, &resp); > + > + switch ( resp.a0 ) > + { > + case FFA_INTERRUPT: > + ctx->interrupted = true; > + goto out; > + case FFA_ERROR: > + case FFA_SUCCESS_32: > + case FFA_SUCCESS_64: > + case FFA_MSG_SEND_DIRECT_RESP_32: > + case FFA_MSG_SEND_DIRECT_RESP_64: > + goto out; > + default: > + /* Bad fid, report back. */ > + memset(&arg, 0, sizeof(arg)); > + arg.a0 = FFA_ERROR; > + arg.a1 = src_dst; > + arg.a2 = FFA_RET_NOT_SUPPORTED; > + continue; > + } > + } > + > +out: > + set_user_reg(regs, 0, resp.a0); > + set_user_reg(regs, 1, resp.a1 & mask); > + set_user_reg(regs, 2, resp.a2 & mask); > + set_user_reg(regs, 3, resp.a3 & mask); > + set_user_reg(regs, 4, resp.a4 & mask); > + set_user_reg(regs, 5, resp.a5 & mask); > + set_user_reg(regs, 6, resp.a6 & mask); > + set_user_reg(regs, 7, resp.a7 & mask); > +} > + > +static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, > + struct ffa_address_range *range, uint32_t range_count, > + unsigned int start_page_idx, > + unsigned int *last_page_idx) > +{ > + unsigned int pg_idx = start_page_idx; > + unsigned long gfn; > + unsigned int n; > + unsigned int m; > + p2m_type_t t; > + uint64_t addr; > + > + for ( n = 0; n < range_count; n++ ) > + { > + for ( m = 0; m < range[n].page_count; m++ ) > + { > + if ( pg_idx >= shm->page_count ) > + return FFA_RET_INVALID_PARAMETERS; > + > + addr = read_atomic(&range[n].address); > + gfn = gaddr_to_gfn(addr + m * PAGE_SIZE); > + shm->pages[pg_idx] = get_page_from_gfn(d, gfn, &t, P2M_ALLOC); > + if ( !shm->pages[pg_idx] ) > + return FFA_RET_DENIED; > + pg_idx++; > + /* Only normal RAM for now */ > + if ( t != p2m_ram_rw ) > + return FFA_RET_DENIED; > + } > + } > + > + *last_page_idx = pg_idx; > + > + return FFA_RET_OK; > +} > + > +static void put_shm_pages(struct ffa_shm_mem *shm) > +{ > + unsigned int n; > + > + for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) > + { > + put_page(shm->pages[n]); > + shm->pages[n] = NULL; > + } > +} > + > +static void init_range(struct ffa_address_range *addr_range, > + paddr_t pa) > +{ > + memset(addr_range, 0, sizeof(*addr_range)); > + addr_range->address = pa; > + addr_range->page_count = 1; > +} > + > +static int share_shm(struct ffa_shm_mem *shm) > +{ > + uint32_t max_frag_len = ffa_page_count * PAGE_SIZE; > + struct ffa_mem_transaction_1_1 *descr = ffa_tx; > + struct ffa_mem_access *mem_access_array; > + struct ffa_mem_region *region_descr; > + struct ffa_address_range *addr_range; > + paddr_t pa; > + paddr_t last_pa; > + unsigned int n; > + uint32_t frag_len; > + uint32_t tot_len; > + int ret; > + unsigned int range_count; > + unsigned int range_base; > + bool first; > + > + memset(descr, 0, sizeof(*descr)); > + descr->sender_id = shm->sender_id; > + descr->global_handle = shm->handle; > + descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; > + descr->mem_access_count = 1; > + descr->mem_access_size = sizeof(*mem_access_array); > + descr->mem_access_offs = sizeof(*descr); > + mem_access_array = (void *)(descr + 1); > + region_descr = (void *)(mem_access_array + 1); > + > + memset(mem_access_array, 0, sizeof(*mem_access_array)); > + mem_access_array[0].access_perm.endpoint_id = shm->ep_id; > + mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; > + mem_access_array[0].region_offs = (vaddr_t)region_descr - (vaddr_t)ffa_tx; > + > + memset(region_descr, 0, sizeof(*region_descr)); > + region_descr->total_page_count = shm->page_count; > + > + region_descr->address_range_count = 1; > + last_pa = page_to_maddr(shm->pages[0]); > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + PAGE_SIZE == pa ) > + { > + continue; > + } > + region_descr->address_range_count++; > + } > + > + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + > + sizeof(*region_descr) + > + region_descr->address_range_count * sizeof(*addr_range); > + > + addr_range = region_descr->address_range_array; > + frag_len = (vaddr_t)(addr_range + 1) - (vaddr_t)ffa_tx; > + last_pa = page_to_maddr(shm->pages[0]); > + init_range(addr_range, last_pa); > + first = true; > + range_count = 1; > + range_base = 0; > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > + { > + pa = page_to_maddr(shm->pages[n]); > + if ( last_pa + PAGE_SIZE == pa ) > + { > + addr_range->page_count++; > + continue; > + } > + > + if ( frag_len == max_frag_len ) > + { > + if ( first ) > + { > + ret = ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > + first = false; > + } > + else > + { > + ret = ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > + } > + if ( ret <= 0) > + return ret; > + range_base = range_count; > + range_count = 0; > + frag_len = sizeof(*addr_range); > + addr_range = ffa_tx; > + } > + else > + { > + frag_len += sizeof(*addr_range); > + addr_range++; > + } > + init_range(addr_range, pa); > + range_count++; > + } > + > + if ( first ) > + return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > + else > + return ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > +} > + > +static int read_mem_transaction(uint32_t ffa_vers, void *buf, size_t blen, > + struct ffa_mem_transaction_x *trans) > +{ > + uint16_t mem_reg_attr; > + uint32_t flags; > + uint32_t count; > + uint32_t offs; > + uint32_t size; > + > + if ( ffa_vers >= FFA_VERSION_1_1 ) > + { > + struct ffa_mem_transaction_1_1 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = read_atomic(&descr->sender_id); > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > + flags = read_atomic(&descr->flags); > + trans->global_handle = read_atomic(&descr->global_handle); > + trans->tag = read_atomic(&descr->tag); > + > + count = read_atomic(&descr->mem_access_count); > + size = read_atomic(&descr->mem_access_size); > + offs = read_atomic(&descr->mem_access_offs); > + } > + else > + { > + struct ffa_mem_transaction_1_0 *descr; > + > + if ( blen < sizeof(*descr) ) > + return FFA_RET_INVALID_PARAMETERS; > + > + descr = buf; > + trans->sender_id = read_atomic(&descr->sender_id); > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > + flags = read_atomic(&descr->flags); > + trans->global_handle = read_atomic(&descr->global_handle); > + trans->tag = read_atomic(&descr->tag); > + > + count = read_atomic(&descr->mem_access_count); > + size = sizeof(struct ffa_mem_access); > + offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); > + } > + > + if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || > + count > UINT8_MAX || offs > UINT16_MAX ) > + return FFA_RET_INVALID_PARAMETERS; > + > + /* Check that the endpoint memory access descriptor array fits */ > + if ( size * count + offs > blen ) > + return FFA_RET_INVALID_PARAMETERS; > + > + trans->mem_reg_attr = mem_reg_attr; > + trans->flags = flags; > + trans->mem_access_size = size; > + trans->mem_access_count = count; > + trans->mem_access_offs = offs; > + return 0; > +} > + > +static int add_mem_share_frag(struct mem_frag_state *s, unsigned int offs, > + unsigned int frag_len) > +{ > + struct domain *d = current->domain; > + unsigned int o = offs; > + unsigned int l; > + int ret; > + > + if ( frag_len < o ) > + return FFA_RET_INVALID_PARAMETERS; > + > + /* Fill up the first struct ffa_address_range */ > + l = min_t(unsigned int, frag_len - o, sizeof(s->range) - s->range_offset); > + memcpy((uint8_t *)&s->range + s->range_offset, s->buf + o, l); > + s->range_offset += l; > + o += l; > + if ( s->range_offset != sizeof(s->range) ) > + goto out; > + s->range_offset = 0; > + > + while ( true ) > + { > + ret = get_shm_pages(d, s->shm, &s->range, 1, s->current_page_idx, > + &s->current_page_idx); > + if ( ret ) > + return ret; > + if ( s->range_count == 1 ) > + return 0; > + s->range_count--; > + if ( frag_len - o < sizeof(s->range) ) > + break; > + memcpy(&s->range, s->buf + o, sizeof(s->range)); > + o += sizeof(s->range); > + } > + > + /* Collect any remaining bytes for the next struct ffa_address_range */ > + s->range_offset = frag_len - o; > + memcpy(&s->range, s->buf + o, frag_len - o); > +out: > + s->frag_offset += frag_len; > + return s->frag_offset; > +} > + > +static void handle_mem_share(struct cpu_user_regs *regs) > +{ > + uint32_t tot_len = get_user_reg(regs, 1); > + uint32_t frag_len = get_user_reg(regs, 2); > + uint64_t addr = get_user_reg(regs, 3); > + uint32_t page_count = get_user_reg(regs, 4); > + struct ffa_mem_transaction_x trans; > + struct ffa_mem_access *mem_access; > + struct ffa_mem_region *region_descr; > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + struct ffa_shm_mem *shm = NULL; > + unsigned int last_page_idx = 0; > + uint32_t range_count; > + uint32_t region_offs; > + int ret = FFA_RET_DENIED; > + uint32_t handle_hi = 0; > + uint32_t handle_lo = 0; > + > + /* > + * We're only accepting memory transaction descriptors via the rx/tx > + * buffer. > + */ > + if ( addr ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + /* Check that fragment legnth doesn't exceed total length */ > + if ( frag_len > tot_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + spin_lock(&ctx->lock); > + > + if ( frag_len > ctx->page_count * PAGE_SIZE ) > + goto out_unlock; > + > + if ( !ffa_page_count ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out_unlock; > + } > + > + ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); > + if ( ret ) > + goto out_unlock; > + > + if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out; > + } > + > + /* Only supports sharing it with one SP for now */ > + if ( trans.mem_access_count != 1 ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + if ( trans.sender_id != get_vm_id(d) ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out_unlock; > + } > + > + /* Check that it fits in the supplied data */ > + if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) > + goto out_unlock; > + > + mem_access = (void *)((vaddr_t)ctx->tx + trans.mem_access_offs); > + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_offs = read_atomic(&mem_access->region_offs); > + if ( sizeof(*region_descr) + region_offs > frag_len ) > + { > + ret = FFA_RET_NOT_SUPPORTED; > + goto out_unlock; > + } > + > + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); > + range_count = read_atomic(®ion_descr->address_range_count); > + page_count = read_atomic(®ion_descr->total_page_count); > + > + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count); > + if ( !shm ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out; > + } > + shm->sender_id = trans.sender_id; > + shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); > + shm->page_count = page_count; > + > + if ( frag_len != tot_len ) > + { > + struct mem_frag_state *s = xzalloc(struct mem_frag_state); > + > + if ( !s ) > + { > + ret = FFA_RET_NO_MEMORY; > + goto out; > + } > + s->shm = shm; > + s->range_count = range_count; > + s->buf = ctx->tx; > + s->buf_size = ffa_page_count * PAGE_SIZE; > + ret = add_mem_share_frag(s, sizeof(*region_descr) + region_offs, > + frag_len); > + if ( ret <= 0 ) > + { > + xfree(s); > + if ( ret < 0 ) > + goto out; > + } > + else > + { > + shm->handle = next_handle++; > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > + list_add_tail(&s->list, &ctx->frag_list); > + } > + goto out_unlock; > + } > + > + /* > + * Check that the Composite memory region descriptor fits. > + */ > + if ( sizeof(*region_descr) + region_offs + > + range_count * sizeof(struct ffa_address_range) > frag_len ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, > + 0, &last_page_idx); > + if ( ret ) > + goto out; > + if ( last_page_idx != shm->page_count ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + /* Note that share_shm() uses our tx buffer */ > + spin_lock(&ffa_buffer_lock); > + ret = share_shm(shm); > + spin_unlock(&ffa_buffer_lock); > + if ( ret ) > + goto out; > + > + spin_lock(&ffa_mem_list_lock); > + list_add_tail(&shm->list, &ffa_mem_list); > + spin_unlock(&ffa_mem_list_lock); > + > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > + > +out: > + if ( ret && shm ) > + { > + put_shm_pages(shm); > + xfree(shm); > + } > +out_unlock: > + spin_unlock(&ctx->lock); > + > + if ( ret > 0 ) > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, trans.sender_id); > + else if ( ret == 0) > + set_regs_success(regs, handle_lo, handle_hi); > + else > + set_regs_error(regs, ret); > +} > + > +static struct mem_frag_state *find_frag_state(struct ffa_ctx *ctx, > + uint64_t handle) > +{ > + struct mem_frag_state *s; > + > + list_for_each_entry(s, &ctx->frag_list, list) > + if ( s->shm->handle == handle ) > + return s; > + > + return NULL; > +} > + > +static void handle_mem_frag_tx(struct cpu_user_regs *regs) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t frag_len = get_user_reg(regs, 3); > + uint32_t handle_lo = get_user_reg(regs, 1); > + uint32_t handle_hi = get_user_reg(regs, 2); > + uint64_t handle = reg_pair_to_64(handle_hi, handle_lo); > + struct mem_frag_state *s; > + uint16_t sender_id = 0; > + int ret; > + > + spin_lock(&ctx->lock); > + s = find_frag_state(ctx, handle); > + if ( !s ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + sender_id = s->shm->sender_id; > + > + if ( frag_len > s->buf_size ) > + { > + ret = FFA_RET_INVALID_PARAMETERS; > + goto out; > + } > + > + ret = add_mem_share_frag(s, 0, frag_len); > + if ( ret == 0 ) > + { > + /* Note that share_shm() uses our tx buffer */ > + spin_lock(&ffa_buffer_lock); > + ret = share_shm(s->shm); > + spin_unlock(&ffa_buffer_lock); > + if ( ret == 0 ) > + { > + spin_lock(&ffa_mem_list_lock); > + list_add_tail(&s->shm->list, &ffa_mem_list); > + spin_unlock(&ffa_mem_list_lock); > + } > + else > + { > + put_shm_pages(s->shm); > + xfree(s->shm); > + } > + list_del(&s->list); > + xfree(s); > + } > + else if ( ret < 0 ) > + { > + put_shm_pages(s->shm); > + xfree(s->shm); > + list_del(&s->list); > + xfree(s); > + } > +out: > + spin_unlock(&ctx->lock); > + > + if ( ret > 0 ) > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, sender_id); > + else if ( ret == 0) > + set_regs_success(regs, handle_lo, handle_hi); > + else > + set_regs_error(regs, ret); > +} > + > +static int handle_mem_reclaim(uint64_t handle, uint32_t flags) > +{ > + struct ffa_shm_mem *shm; > + uint32_t handle_hi; > + uint32_t handle_lo; > + int ret; > + > + spin_lock(&ffa_mem_list_lock); > + list_for_each_entry(shm, &ffa_mem_list, list) > + { > + if ( shm->handle == handle ) > + goto found_it; > + } > + shm = NULL; > +found_it: > + spin_unlock(&ffa_mem_list_lock); > + > + if ( !shm ) > + return FFA_RET_INVALID_PARAMETERS; > + > + reg_pair_from_64(&handle_hi, &handle_lo, handle); > + ret = ffa_mem_reclaim(handle_lo, handle_hi, flags); > + if ( ret ) > + return ret; > + > + spin_lock(&ffa_mem_list_lock); > + list_del(&shm->list); > + spin_unlock(&ffa_mem_list_lock); > + > + put_shm_pages(shm); > + xfree(shm); > + > + return ret; > +} > + > +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) > +{ > + struct domain *d = current->domain; > + struct ffa_ctx *ctx = d->arch.ffa; > + uint32_t count; > + uint32_t e; > + > + if ( !ctx ) > + return false; > + > + switch ( fid ) > + { > + case FFA_VERSION: > + handle_version(regs); > + return true; > + case FFA_ID_GET: > + set_regs_success(regs, get_vm_id(d), 0); > + return true; > + case FFA_RXTX_MAP_32: > +#ifdef CONFIG_ARM_64 > + case FFA_RXTX_MAP_64: > +#endif > + e = handle_rxtx_map(fid, get_user_reg(regs, 1), get_user_reg(regs, 2), > + get_user_reg(regs, 3)); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_RXTX_UNMAP: > + e = handle_rxtx_unmap(); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_PARTITION_INFO_GET: > + e = handle_partition_info_get(get_user_reg(regs, 1), > + get_user_reg(regs, 2), > + get_user_reg(regs, 3), > + get_user_reg(regs, 4), > + get_user_reg(regs, 5), &count); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, count, 0); > + return true; > + case FFA_RX_RELEASE: > + e = handle_rx_release(); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_MSG_SEND_DIRECT_REQ_32: > +#ifdef CONFIG_ARM_64 > + case FFA_MSG_SEND_DIRECT_REQ_64: > +#endif > + handle_msg_send_direct_req(regs, fid); > + return true; > + case FFA_MEM_SHARE_32: > +#ifdef CONFIG_ARM_64 > + case FFA_MEM_SHARE_64: > +#endif > + handle_mem_share(regs); > + return true; > + case FFA_MEM_RECLAIM: > + e = handle_mem_reclaim(reg_pair_to_64(get_user_reg(regs, 2), > + get_user_reg(regs, 1)), > + get_user_reg(regs, 3)); > + if ( e ) > + set_regs_error(regs, e); > + else > + set_regs_success(regs, 0, 0); > + return true; > + case FFA_MEM_FRAG_TX: > + handle_mem_frag_tx(regs); > + return true; > + > + default: > + printk(XENLOG_ERR "ffa: unhandled fid 0x%x\n", fid); > + return false; > + } > +} > + > +int ffa_domain_init(struct domain *d, bool ffa_enabled) > +{ > + struct ffa_ctx *ctx; > + unsigned int n; > + unsigned int m; > + unsigned int c_pos; > + int32_t res; > + > + if ( !ffa_version || !ffa_enabled ) > + return 0; > + > + ctx = xzalloc(struct ffa_ctx); > + if ( !ctx ) > + return -ENOMEM; > + > + for ( n = 0; n < subsr_vm_created_count; n++ ) > + { > + res = ffa_direct_req_send_vm(subsr_vm_created[n], get_vm_id(d), > + FFA_MSG_SEND_VM_CREATED); > + if ( res ) > + { > + printk(XENLOG_ERR "ffa: Failed to report creation of vm_id %u to %u: res %d\n", > + get_vm_id(d), subsr_vm_created[n], res); > + c_pos = n; > + goto err; > + } > + } > + > + INIT_LIST_HEAD(&ctx->frag_list); > + > + d->arch.ffa = ctx; > + > + return 0; > + > +err: > + /* Undo any already sent vm created messaged */ > + for ( n = 0; n < c_pos; n++ ) > + for ( m = 0; m < subsr_vm_destroyed_count; m++ ) > + if ( subsr_vm_destroyed[m] == subsr_vm_created[n] ) > + ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), > + FFA_MSG_SEND_VM_DESTROYED); > + return -ENOMEM; > +} > + > +int ffa_relinquish_resources(struct domain *d) > +{ > + struct ffa_ctx *ctx = d->arch.ffa; > + unsigned int n; > + int32_t res; > + > + if ( !ctx ) > + return 0; > + > + for ( n = 0; n < subsr_vm_destroyed_count; n++ ) > + { > + res = ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), > + FFA_MSG_SEND_VM_DESTROYED); > + > + if ( res ) > + printk(XENLOG_ERR "ffa: Failed to report destruction of vm_id %u to %u: res %d\n", > + get_vm_id(d), subsr_vm_destroyed[n], res); > + } > + > + XFREE(d->arch.ffa); > + > + return 0; > +} > + > +static bool __init init_subscribers(void) > +{ > + struct ffa_partition_info_1_1 *fpi; > + bool ret = false; > + uint32_t count; > + uint32_t e; > + uint32_t n; > + uint32_t c_pos; > + uint32_t d_pos; > + > + if ( ffa_version < FFA_VERSION_1_1 ) > + return true; > + > + e = ffa_partition_info_get(0, 0, 0, 0, 1, &count); > + ffa_rx_release(); > + if ( e ) > + { > + printk(XENLOG_ERR "ffa: Failed to get list of SPs: %d\n", (int)e); > + goto out; > + } > + > + fpi = ffa_rx; > + subsr_vm_created_count = 0; > + subsr_vm_destroyed_count = 0; > + for ( n = 0; n < count; n++ ) > + { > + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED) > + subsr_vm_created_count++; > + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED) > + subsr_vm_destroyed_count++; > + } > + > + if ( subsr_vm_created_count ) > + subsr_vm_created = xzalloc_array(uint16_t, subsr_vm_created_count); > + if ( subsr_vm_destroyed_count ) > + subsr_vm_destroyed = xzalloc_array(uint16_t, subsr_vm_destroyed_count); > + if ( (subsr_vm_created_count && !subsr_vm_created) || > + (subsr_vm_destroyed_count && !subsr_vm_destroyed) ) > + { > + printk(XENLOG_ERR "ffa: Failed to allocate subscription lists\n"); > + subsr_vm_created_count = 0; > + subsr_vm_destroyed_count = 0; > + XFREE(subsr_vm_created); > + XFREE(subsr_vm_destroyed); > + goto out; > + } > + > + for ( c_pos = 0, d_pos = 0, n = 0; n < count; n++ ) > + { > + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED ) > + subsr_vm_created[c_pos++] = fpi[n].id; > + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) > + subsr_vm_destroyed[d_pos++] = fpi[n].id; > + } > + > + ret = true; > +out: > + ffa_rx_release(); > + return ret; > +} > + > +static int __init ffa_init(void) > +{ > + uint32_t vers; > + uint32_t e; > + unsigned int major_vers; > + unsigned int minor_vers; > + > + /* > + * psci_init_smccc() updates this value with what's reported by EL-3 > + * or secure world. > + */ > + if ( smccc_ver < ARM_SMCCC_VERSION_1_2 ) > + { > + printk(XENLOG_ERR > + "ffa: unsupported SMCCC version %#x (need at least %#x)\n", > + smccc_ver, ARM_SMCCC_VERSION_1_2); > + return 0; > + } > + > + if ( !ffa_get_version(&vers) ) > + return 0; > + > + if ( vers < FFA_MIN_VERSION || vers > FFA_MY_VERSION ) > + { > + printk(XENLOG_ERR "ffa: Incompatible version %#x found\n", vers); > + return 0; > + } > + > + major_vers = (vers >> FFA_VERSION_MAJOR_SHIFT) & FFA_VERSION_MAJOR_MASK; > + minor_vers = vers & FFA_VERSION_MINOR_MASK; > + printk(XENLOG_INFO "ARM FF-A Mediator version %u.%u\n", > + FFA_VERSION_MAJOR, FFA_VERSION_MINOR); > + printk(XENLOG_INFO "ARM FF-A Firmware version %u.%u\n", > + major_vers, minor_vers); > + > + if ( !check_mandatory_feature(FFA_PARTITION_INFO_GET) || > + !check_mandatory_feature(FFA_RX_RELEASE) || > +#ifdef CONFIG_ARM_64 > + !check_mandatory_feature(FFA_RXTX_MAP_64) || > + !check_mandatory_feature(FFA_MEM_SHARE_64) || > +#endif > +#ifdef CONFIG_ARM_32 > + !check_mandatory_feature(FFA_RXTX_MAP_32) || > +#endif > + !check_mandatory_feature(FFA_RXTX_UNMAP) || > + !check_mandatory_feature(FFA_MEM_SHARE_32) || > + !check_mandatory_feature(FFA_MEM_FRAG_TX) || > + !check_mandatory_feature(FFA_MEM_RECLAIM) || > + !check_mandatory_feature(FFA_MSG_SEND_DIRECT_REQ_32) ) > + return 0; > + > + ffa_rx = alloc_xenheap_pages(0, 0); > + if ( !ffa_rx ) > + return 0; > + > + ffa_tx = alloc_xenheap_pages(0, 0); > + if ( !ffa_tx ) > + goto err_free_ffa_rx; > + > + e = ffa_rxtx_map(__pa(ffa_tx), __pa(ffa_rx), 1); > + if ( e ) > + { > + printk(XENLOG_ERR "ffa: Failed to map rxtx: error %d\n", (int)e); > + goto err_free_ffa_tx; > + } > + ffa_page_count = 1; > + ffa_version = vers; > + > + if ( !init_subscribers() ) > + goto err_free_ffa_tx; > + > + return 0; > + > +err_free_ffa_tx: > + free_xenheap_pages(ffa_tx, 0); > + ffa_tx = NULL; > +err_free_ffa_rx: > + free_xenheap_pages(ffa_rx, 0); > + ffa_rx = NULL; > + ffa_page_count = 0; > + ffa_version = 0; > + XFREE(subsr_vm_created); > + subsr_vm_created_count = 0; > + XFREE(subsr_vm_destroyed); > + subsr_vm_destroyed_count = 0; > + return 0; > +} > + > +__initcall(ffa_init); > diff --git a/xen/arch/arm/include/asm/domain.h b/xen/arch/arm/include/asm/domain.h > index ed63c2b6f91f..b3dee269bced 100644 > --- a/xen/arch/arm/include/asm/domain.h > +++ b/xen/arch/arm/include/asm/domain.h > @@ -103,6 +103,10 @@ struct arch_domain > void *tee; > #endif > > +#ifdef CONFIG_FFA > + void *ffa; > +#endif > + > bool directmap; > } __cacheline_aligned; > > diff --git a/xen/arch/arm/include/asm/ffa.h b/xen/arch/arm/include/asm/ffa.h > new file mode 100644 > index 000000000000..4f4a739345bd > --- /dev/null > +++ b/xen/arch/arm/include/asm/ffa.h > @@ -0,0 +1,71 @@ > +/* > + * xen/arch/arm/ffa.c > + * > + * Arm Firmware Framework for ARMv8-A(FFA) mediator > + * > + * Copyright (C) 2021 Linaro Limited > + * > + * Permission is hereby granted, free of charge, to any person > + * obtaining a copy of this software and associated documentation > + * files (the "Software"), to deal in the Software without restriction, > + * including without limitation the rights to use, copy, modify, merge, > + * publish, distribute, sublicense, and/or sell copies of the Software, > + * and to permit persons to whom the Software is furnished to do so, > + * subject to the following conditions: > + * > + * The above copyright notice and this permission notice shall be > + * included in all copies or substantial portions of the Software. > + * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > + */ > + > +#ifndef __ASM_ARM_FFA_H__ > +#define __ASM_ARM_FFA_H__ > + > +#include <xen/const.h> > + > +#include <asm/smccc.h> > +#include <asm/types.h> > + > +#define FFA_FNUM_MIN_VALUE _AC(0x60,U) > +#define FFA_FNUM_MAX_VALUE _AC(0x86,U) > + > +static inline bool is_ffa_fid(uint32_t fid) > +{ > + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; > + > + return fn >= FFA_FNUM_MIN_VALUE && fn <= FFA_FNUM_MAX_VALUE; > +} > + > +#ifdef CONFIG_FFA > +#define FFA_NR_FUNCS 11 > + > +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid); > +int ffa_domain_init(struct domain *d, bool ffa_enabled); > +int ffa_relinquish_resources(struct domain *d); > +#else > +#define FFA_NR_FUNCS 0 > + > +static inline bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) > +{ > + return false; > +} > + > +static inline int ffa_domain_init(struct domain *d, bool ffa_enabled) > +{ > + return 0; > +} > + > +static inline int ffa_relinquish_resources(struct domain *d) > +{ > + return 0; > +} > +#endif > + > +#endif /*__ASM_ARM_FFA_H__*/ > diff --git a/xen/arch/arm/vsmc.c b/xen/arch/arm/vsmc.c > index 6f90c08a6304..34586025eff8 100644 > --- a/xen/arch/arm/vsmc.c > +++ b/xen/arch/arm/vsmc.c > @@ -20,6 +20,7 @@ > #include <public/arch-arm/smccc.h> > #include <asm/cpuerrata.h> > #include <asm/cpufeature.h> > +#include <asm/ffa.h> > #include <asm/monitor.h> > #include <asm/regs.h> > #include <asm/smccc.h> > @@ -32,7 +33,7 @@ > #define XEN_SMCCC_FUNCTION_COUNT 3 > > /* Number of functions currently supported by Standard Service Service Calls. */ > -#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS) > +#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS + FFA_NR_FUNCS) > > static bool fill_uid(struct cpu_user_regs *regs, xen_uuid_t uuid) > { > @@ -196,13 +197,23 @@ static bool handle_existing_apis(struct cpu_user_regs *regs) > return do_vpsci_0_1_call(regs, fid); > } > > +static bool is_psci_fid(uint32_t fid) > +{ > + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; > + > + return fn >= 0 && fn <= 0x1fU; > +} > + > /* PSCI 0.2 interface and other Standard Secure Calls */ > static bool handle_sssc(struct cpu_user_regs *regs) > { > uint32_t fid = (uint32_t)get_user_reg(regs, 0); > > - if ( do_vpsci_0_2_call(regs, fid) ) > - return true; > + if ( is_psci_fid(fid) ) > + return do_vpsci_0_2_call(regs, fid); > + > + if ( is_ffa_fid(fid) ) > + return ffa_handle_call(regs, fid); > > switch ( fid ) > { > diff --git a/xen/include/public/arch-arm.h b/xen/include/public/arch-arm.h > index ab05fe12b0de..53f8d44a6a8e 100644 > --- a/xen/include/public/arch-arm.h > +++ b/xen/include/public/arch-arm.h > @@ -318,6 +318,8 @@ struct xen_arch_domainconfig { > /* IN/OUT */ > uint8_t gic_version; > /* IN */ > + uint8_t ffa_enabled; > + /* IN */ > uint16_t tee_type; > /* IN */ > uint32_t nr_spis; > -- > 2.31.1 >
Hi Julien, On Fri, Jul 08, 2022 at 02:40:56PM +0100, Julien Grall wrote: > Hi Jens, > > I haven't checked whether the FFA driver is complaint with the spec. I > mainly checked whether the code makes sense from Xen PoV. > > This is a fairly long patch to review. So I will split my review in multiple > session/e-mail. Thanks for the comments. It's going to take a bit longer than I first thought to go through and respond. I'll get back once I'm though it. Thanks, Jens > > On 22/06/2022 14:42, Jens Wiklander wrote: > > Adds a FF-A version 1.1 [1] mediator to communicate with a Secure > > Partition in secure world. > > > > The implementation is the bare minimum to be able to communicate with > > OP-TEE running as an SPMC at S-EL1. > > > > This is loosely based on the TEE mediator framework and the OP-TEE > > mediator. > > > > [1] https://developer.arm.com/documentation/den0077/latest > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> > > --- > > SUPPORT.md | 7 + > > tools/libs/light/libxl_arm.c | 3 + > > tools/libs/light/libxl_types.idl | 1 + > > tools/xl/xl_parse.c | 3 + > > These changes would need an ack from the toolstack maintainers. > > > xen/arch/arm/Kconfig | 11 + > > xen/arch/arm/Makefile | 1 + > > xen/arch/arm/domain.c | 10 + > > xen/arch/arm/domain_build.c | 1 + > > xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ > > xen/arch/arm/include/asm/domain.h | 4 + > > xen/arch/arm/include/asm/ffa.h | 71 ++ > > xen/arch/arm/vsmc.c | 17 +- > > xen/include/public/arch-arm.h | 2 + > > 13 files changed, 1811 insertions(+), 3 deletions(-) > > create mode 100644 xen/arch/arm/ffa.c > > create mode 100644 xen/arch/arm/include/asm/ffa.h > > > > diff --git a/SUPPORT.md b/SUPPORT.md > > index 70e98964cbc0..215bb3c9043b 100644 > > --- a/SUPPORT.md > > +++ b/SUPPORT.md > > @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. > > No support for QEMU backends in a 16K or 64K domain. > > +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator > > + > > + Status, Arm64: Tech Preview > > + > > +There are still some code paths where a vCPU may hog a pCPU longer than > > +necessary. The FF-A mediator is not yet implemented for Arm32. > > + > > ### ARM: Guest Device Tree support > > Status: Supported > > diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c > > index eef1de093914..a985609861c7 100644 > > --- a/tools/libs/light/libxl_arm.c > > +++ b/tools/libs/light/libxl_arm.c > > @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, > > return ERROR_FAIL; > > } > > + config->arch.ffa_enabled = > > + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); > > + > > return 0; > > } > > diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl > > index 2a42da2f7d78..bf4544bef399 100644 > > --- a/tools/libs/light/libxl_types.idl > > +++ b/tools/libs/light/libxl_types.idl > > @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ > > ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), > > ("vuart", libxl_vuart_type), > > + ("ffa_enabled", libxl_defbool), > > This needs to be accompagnied with a define LIBXL_HAVE_* in > tools/include/libxl.h. Please see the examples in the header. > > > ])), > > ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool), > > ])), > > diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c > > index b98c0de378b6..e0e99ed8d2b1 100644 > > --- a/tools/xl/xl_parse.c > > +++ b/tools/xl/xl_parse.c > > @@ -2746,6 +2746,9 @@ skip_usbdev: > > exit(-ERROR_FAIL); > > } > > } > > + libxl_defbool_setdefault(&b_info->arch_arm.ffa_enabled, false); > > + xlu_cfg_get_defbool(config, "ffa_enabled", > > + &b_info->arch_arm.ffa_enabled, 0); > > This option needs to be documented in docs/man/xl.cfg.5.pod.in. > > > parse_vkb_list(config, d_config); > > diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig > > index be9eff014120..e57e1d3757e2 100644 > > --- a/xen/arch/arm/Kconfig > > +++ b/xen/arch/arm/Kconfig > > @@ -139,6 +139,17 @@ config TEE > > source "arch/arm/tee/Kconfig" > > +config FFA > > + bool "Enable FF-A mediator support" if EXPERT > > + default n > > + depends on ARM_64 > > + help > > + This option enables a minimal FF-A mediator. The mediator is > > + generic as it follows the FF-A specification [1], but it only > > + implements a small subset of the specification. > > Where would a user be able to find which subset of the specification that > Xen implements? > > > + > > + [1] https://developer.arm.com/documentation/den0077/latest > > + > > endmenu > > menu "ARM errata workaround via the alternative framework" > > diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile > > index bb7a6151c13c..af0c69f793d4 100644 > > --- a/xen/arch/arm/Makefile > > +++ b/xen/arch/arm/Makefile > > @@ -20,6 +20,7 @@ obj-y += domain_build.init.o > > obj-y += domctl.o > > obj-$(CONFIG_EARLY_PRINTK) += early_printk.o > > obj-y += efi/ > > +obj-$(CONFIG_FFA) += ffa.o > > obj-y += gic.o > > obj-y += gic-v2.o > > obj-$(CONFIG_GICV3) += gic-v3.o > > diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c > > index 8110c1df8638..a3f00e7e234d 100644 > > --- a/xen/arch/arm/domain.c > > +++ b/xen/arch/arm/domain.c > > @@ -27,6 +27,7 @@ > > #include <asm/cpufeature.h> > > #include <asm/current.h> > > #include <asm/event.h> > > +#include <asm/ffa.h> > > #include <asm/gic.h> > > #include <asm/guest_atomics.h> > > #include <asm/irq.h> > > @@ -756,6 +757,9 @@ int arch_domain_create(struct domain *d, > > if ( (rc = tee_domain_init(d, config->arch.tee_type)) != 0 ) > > goto fail; > > + if ( (rc = ffa_domain_init(d, config->arch.ffa_enabled)) != 0 ) > > + goto fail; > > + > > update_domain_wallclock_time(d); > > /* > > @@ -998,6 +1002,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) > > enum { > > PROG_pci = 1, > > PROG_tee, > > + PROG_ffa, > > PROG_xen, > > PROG_page, > > PROG_mapping, > > @@ -1043,6 +1048,11 @@ int domain_relinquish_resources(struct domain *d) > > PROGRESS(tee): > > ret = tee_relinquish_resources(d); > > + if ( ret ) > > + return ret; > > + > > + PROGRESS(ffa): > > + ret = ffa_relinquish_resources(d); > > if (ret ) > > return ret; > > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c > > index 7ddd16c26da5..d708f76356f7 100644 > > --- a/xen/arch/arm/domain_build.c > > +++ b/xen/arch/arm/domain_build.c > > @@ -3450,6 +3450,7 @@ void __init create_dom0(void) > > if ( gic_number_lines() > 992 ) > > printk(XENLOG_WARNING "Maximum number of vGIC IRQs exceeded.\n"); > > dom0_cfg.arch.tee_type = tee_get_type(); > > + dom0_cfg.arch.ffa_enabled = true; > > AFAICT, ffa_enabled is a uint8_t. So we should use 1. However, I am not > convinced that using a uint8_t for what looks like a boolean is warrant. I > will detail more on the definition. > > > dom0_cfg.max_vcpus = dom0_max_vcpus(); > > if ( iommu_enabled ) > > diff --git a/xen/arch/arm/ffa.c b/xen/arch/arm/ffa.c > > new file mode 100644 > > index 000000000000..3117ce5cec4d > > --- /dev/null > > +++ b/xen/arch/arm/ffa.c > > @@ -0,0 +1,1683 @@ > > +/* > > + * xen/arch/arm/ffa.c > > + * > > + * Arm Firmware Framework for ARMv8-A (FF-A) mediator > > + * > > + * Copyright (C) 2022 Linaro Limited > > + * > > + * Permission is hereby granted, free of charge, to any person > > + * obtaining a copy of this software and associated documentation > > + * files (the "Software"), to deal in the Software without restriction, > > + * including without limitation the rights to use, copy, modify, merge, > > + * publish, distribute, sublicense, and/or sell copies of the Software, > > + * and to permit persons to whom the Software is furnished to do so, > > + * subject to the following conditions: > > + * > > + * The above copyright notice and this permission notice shall be > > + * included in all copies or substantial portions of the Software. > > + * > > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > > This doesn't look like to be a GPLv2 license. Can you clarify which license > you are using? > > > + */ > > + > > +#include <xen/domain_page.h> > > +#include <xen/errno.h> > > +#include <xen/init.h> > > +#include <xen/lib.h> > > +#include <xen/sched.h> > > +#include <xen/types.h> > > +#include <xen/sizes.h> > > +#include <xen/bitops.h> > > + > > +#include <asm/smccc.h> > > +#include <asm/event.h> > > +#include <asm/ffa.h> > > +#include <asm/regs.h> > > + > > +/* Error codes */ > > All the #define below are using hard tab. Please use soft tab. > > > +#define FFA_RET_OK 0 > > +#define FFA_RET_NOT_SUPPORTED -1 > > +#define FFA_RET_INVALID_PARAMETERS -2 > > +#define FFA_RET_NO_MEMORY -3 > > +#define FFA_RET_BUSY -4 > > +#define FFA_RET_INTERRUPTED -5 > > +#define FFA_RET_DENIED -6 > > +#define FFA_RET_RETRY -7 > > +#define FFA_RET_ABORTED -8 > > + > > +/* FFA_VERSION helpers */ > > +#define FFA_VERSION_MAJOR _AC(1,U) > > NIT: The use of _AC() is a bit pointless given that you are only use the > values in C code. > > > +#define FFA_VERSION_MAJOR_SHIFT _AC(16,U) > > +#define FFA_VERSION_MAJOR_MASK _AC(0x7FFF,U) > > +#define FFA_VERSION_MINOR _AC(1,U) > > +#define FFA_VERSION_MINOR_SHIFT _AC(0,U) > > +#define FFA_VERSION_MINOR_MASK _AC(0xFFFF,U) > > +#define MAKE_FFA_VERSION(major, minor) \ > > + ((((major) & FFA_VERSION_MAJOR_MASK) << FFA_VERSION_MAJOR_SHIFT) | \ > > + ((minor) & FFA_VERSION_MINOR_MASK)) > > + > > +#define FFA_MIN_VERSION MAKE_FFA_VERSION(1, 0) > > +#define FFA_VERSION_1_0 MAKE_FFA_VERSION(1, 0) > > +#define FFA_VERSION_1_1 MAKE_FFA_VERSION(1, 1) > > +#define FFA_MY_VERSION MAKE_FFA_VERSION(FFA_VERSION_MAJOR, \ > > + FFA_VERSION_MINOR) > > NIT: I think it would be better that FFA_VERSION_MAJOR AND FFA_VERSION_MINOR > are defined closer to FFA_MY_VERSION and they are renamed to > FFA_MY_VERSION_*. > > I would also potentially move the 3 defines past all the definition related > to the specification. This would make clearer that this is what Xen > supports. > > > + > > + > > +#define FFA_HANDLE_HYP_FLAG BIT(63,ULL) > > Coding style: You seem to use a mix of FOO(... , ...) and FOO(...,...). > At mimimum, please be consistent within the file. > > For Xen, we usually add a space after the comma. > > [...] > > > +/* > > + * Our rx/rx buffer shared with the SPMC > > + */ > > Hmmm... The comment seems to be misplaced. > > > +static uint32_t ffa_version; > > This probably can be __read_mostly. > > > +static uint16_t *subsr_vm_created; > > What subsr stand for? > > > +static unsigned int subsr_vm_created_count; > > +static uint16_t *subsr_vm_destroyed; > > +static unsigned int subsr_vm_destroyed_count; > > +static void *ffa_rx; > > +static void *ffa_tx; > > subsr_vm_created, subsr_vm_destroyed, ffa_rx and ffa_tx can probably be > __read_mostly. > > > +static unsigned int ffa_page_count; > > Is this related to ffa_rx? > > > +static DEFINE_SPINLOCK(ffa_buffer_lock); > > + > > +static LIST_HEAD(ffa_mem_list); > > +static DEFINE_SPINLOCK(ffa_mem_list_lock); > > + > > +static uint64_t next_handle = FFA_HANDLE_HYP_FLAG; > > next_handle only seems to be used handle_mem_share(). So I think it would be > better to move the definition (as static) within the function. > > This will reduce the number of global variables. > > > + > > +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) > > +{ > > + return (uint64_t)reg0 << 32 | reg1; > > +} > > + > > +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, > > + uint64_t val) > > +{ > > + *reg0 = val >> 32; > > + *reg1 = val; > > +} > > Those two functions are the same as optee.c but with a different. I would > rather prefer if we avoid the duplication and provide generic helpers in a > pre-requisite. > > > + > > +static bool ffa_get_version(uint32_t *vers) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_VERSION, .a1 = FFA_MY_VERSION, > > Coding sytle: Please set each field on their own line. > > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + if ( resp.a0 == FFA_RET_NOT_SUPPORTED ) > > + { > > + printk(XENLOG_ERR "ffa: FFA_VERSION returned not supported\n"); > > + return false; > > + } > > + > > + *vers = resp.a0; > > Coding style: We tend to add a newline before the last return. I am not > necessarily going to comment about this on all the instances. So please have > a look through the code. > > > + return true; > > +} > > + > > +static uint32_t get_ffa_ret_code(const struct arm_smccc_1_2_regs *resp) > > FFA_RET_* will be negative, so shouldn't this return int32_t? > > > +{ > > + switch ( resp->a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp->a2 ) > > + return resp->a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + case FFA_SUCCESS_64: > > + return FFA_RET_OK; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static uint32_t ffa_features(uint32_t id) > > +{ > > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_FEATURES, .a1 = id, }; > > Coding style. Please split each field on their own line. > > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static bool check_mandatory_feature(uint32_t id) > > +{ > > + uint32_t ret = ffa_features(id); > > + > > + if (ret) > > + printk(XENLOG_ERR "ffa: mandatory feature id %#x missing\n", id); > > + return !ret; > > +} > > + > > +static uint32_t ffa_rxtx_map(register_t tx_addr, register_t rx_addr, > > + uint32_t page_count) > > Aside the parameters, the helper looks very similar to ffa_features(), > ffa_rxtx_unmap(). Can this be abstracted? Maybe using macro if you still > want to have separate helper name. > > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > +#ifdef CONFIG_ARM_64 > > + .a0 = FFA_RXTX_MAP_64, > > +#endif > > +#ifdef CONFIG_ARM_32 > > + .a0 = FFA_RXTX_MAP_32, > > +#endif > > + .a1 = tx_addr, .a2 = rx_addr, > > Coding: Please don't use hard tab and put each field on their own line. > > > + .a3 = page_count, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static uint32_t ffa_rxtx_unmap(uint16_t vm_id) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_RXTX_UNMAP, .a1 = vm_id, > > Coding style. Please add each field on their own line. > > > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static uint32_t ffa_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > > + uint32_t w4, uint32_t w5, > > + uint32_t *count) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_PARTITION_INFO_GET, .a1 = w1, .a2 = w2, .a3 = w3, .a4 = w4, > > Ditto. > > > + .a5 = w5, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + uint32_t ret; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + ret = get_ffa_ret_code(&resp); > > + if ( !ret ) > > + *count = resp.a2; > > + > > + return ret; > > +} > > + > > +static uint32_t ffa_rx_release(void) > > +{ > > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_RX_RELEASE, }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > > + register_t addr, uint32_t pg_count, > > + uint64_t *handle) > > +{ > > + struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_SHARE_32, .a1 = tot_len, .a2 = frag_len, .a3 = addr, > > Ditto. > > > + .a4 = pg_count, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + /* > > + * For arm64 we must use 64-bit calling convention if the buffer isn't > > + * passed in our tx buffer. > > + */ > > Can you explain why we would want to use the 32-bit calling convention if > addr is 0? > > > + if (sizeof(addr) > 4 && addr) > > sizeof(addr) > 4 is a bit odd to read. I think it would be better to check > that CONFIG_ARM_64 is set (i.e. IS_ENABLED()). > > > + arg.a0 = FFA_MEM_SHARE_64; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp.a2 ) > > + return resp.a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + *handle = reg_pair_to_64(resp.a3, resp.a2); > > + return FFA_RET_OK; > > + case FFA_MEM_FRAG_RX: > > + *handle = reg_pair_to_64(resp.a2, resp.a1); > > + return resp.a3; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static int32_t ffa_mem_frag_tx(uint64_t handle, uint32_t frag_len, > > + uint16_t sender_id) > > +{ > > + struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_FRAG_TX, .a1 = handle & UINT32_MAX, .a2 = handle >> 32, > > + .a3 = frag_len, .a4 = (uint32_t)sender_id << 16, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp.a2 ) > > + return resp.a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + return FFA_RET_OK; > > + case FFA_MEM_FRAG_RX: > > + return resp.a3; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static uint32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > > + uint32_t flags) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_RECLAIM, .a1 = handle_lo, .a2 = handle_hi, .a3 = flags, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, > > OOI, why is this call returns int32_t when all the other use uint32_t (even > if may returned negative values)? > > > + uint8_t msg) > > +{ > > + uint32_t exp_resp = FFA_MSG_FLAG_FRAMEWORK; > > + int32_t res; > > + > > + if ( msg != FFA_MSG_SEND_VM_CREATED && msg !=FFA_MSG_SEND_VM_DESTROYED ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + if ( msg == FFA_MSG_SEND_VM_CREATED ) > > + exp_resp |= FFA_MSG_RESP_VM_CREATED; > > + else > > + exp_resp |= FFA_MSG_RESP_VM_DESTROYED; > > NIT: I think it would be easier to read if you drop the first 'if' and > instead write: > > if ( msg == ..._CREATED ) > ... > else if ( msg == ..._DESTROYED ) > ... > else > return FFA_RET_INVALID_PARAMETERS. > > > + > > + do { > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MSG_SEND_DIRECT_REQ_32, > > + .a1 = sp_id, > > + .a2 = FFA_MSG_FLAG_FRAMEWORK | msg, > > + .a5 = vm_id, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + if ( resp.a0 != FFA_MSG_SEND_DIRECT_RESP_32 || resp.a2 != exp_resp ) > > + { > > + /* > > + * This is an invalid response, likely due to some error in the > > + * implementation of the ABI. > > + */ > > + return FFA_RET_INVALID_PARAMETERS; > > + } > > + res = resp.a3; > > + } while ( res == FFA_RET_INTERRUPTED || res == FFA_RET_RETRY ); > > + > > + return res; > > +} > > + > > +static u16 get_vm_id(struct domain *d) > > d is not meant to be modified by the helper. So please use 'const'. > > > +{ > > + /* +1 since 0 is reserved for the hypervisor in FF-A */ > > + return d->domain_id + 1; > > +} > > + > > +static void set_regs(struct cpu_user_regs *regs, register_t v0, register_t v1, > > + register_t v2, register_t v3, register_t v4, register_t v5, > > + register_t v6, register_t v7) > > +{ > > + set_user_reg(regs, 0, v0); > > + set_user_reg(regs, 1, v1); > > + set_user_reg(regs, 2, v2); > > + set_user_reg(regs, 3, v3); > > + set_user_reg(regs, 4, v4); > > + set_user_reg(regs, 5, v5); > > + set_user_reg(regs, 6, v6); > > + set_user_reg(regs, 7, v7); > > +} > > + > > +static void set_regs_error(struct cpu_user_regs *regs, uint32_t error_code) > > +{ > > + set_regs(regs, FFA_ERROR, 0, error_code, 0, 0, 0, 0, 0); > > +} > > + > > +static void set_regs_success(struct cpu_user_regs *regs, uint32_t w2, > > + uint32_t w3) > > +{ > > + set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, 0, 0, 0, 0); > > +} > > + > > +static void set_regs_frag_rx(struct cpu_user_regs *regs, uint32_t handle_lo, > > + uint32_t handle_hi, uint32_t frag_offset, > > + uint16_t sender_id) > > +{ > > + set_regs(regs, FFA_MEM_FRAG_RX, handle_lo, handle_hi, frag_offset, > > + (uint32_t)sender_id << 16, 0, 0, 0); > > +} > > + > > +static void handle_version(struct cpu_user_regs *regs) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t vers = get_user_reg(regs, 1); > > + > > + if ( vers < FFA_VERSION_1_1 ) > > + vers = FFA_VERSION_1_0; > > + else > > + vers = FFA_VERSION_1_1; > > I find a bit strange to 'cap' the version provided by the user. Is this part > of the spec? > > > + > > + ctx->guest_vers = vers; > > + set_regs(regs, vers, 0, 0, 0, 0, 0, 0, 0); > > +} > > + > > +static uint32_t handle_rxtx_map(uint32_t fid, register_t tx_addr, > > + register_t rx_addr, uint32_t page_count) > > Xen, Linux, and the firmware may use different page size. Below, you seem to > have the page size will always be 4KB. Is this guaranteed by the spec? If > not, how do all the 3 components agree on it? > > If yes, then I think this should be written down and we should have a > BUILD_BUG_ON(PAGE_SIZE != SZ_4K). > > > +{ > > + uint32_t ret = FFA_RET_INVALID_PARAMETERS; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + struct page_info *tx_pg; > > + struct page_info *rx_pg; > > + p2m_type_t t; > > + void *rx; > > + void *tx; > > + > > + if ( !smccc_is_conv_64(fid) ) > > + { > > + tx_addr &= UINT32_MAX; > > + rx_addr &= UINT32_MAX; > > + } > > + > > + /* For now to keep things simple, only deal with a single page */ > > + if ( page_count != 1 ) > > + return FFA_RET_NOT_SUPPORTED; > > + > > + /* Already mapped */ > > + if ( ctx->rx ) > > + return FFA_RET_DENIED; > > + > > + tx_pg = get_page_from_gfn(d, gaddr_to_gfn(tx_addr), &t, P2M_ALLOC); > > + if ( !tx_pg ) > > + return FFA_RET_INVALID_PARAMETERS; > > + /* Only normal RAM for now */ > > This comment suggests the check below should be p2m_is_ram() but you are > using p2m_ram_rw. > > > + if (t != p2m_ram_rw) > > Coding style: if ( ... ) > > > + goto err_put_tx_pg; > > + > > + rx_pg = get_page_from_gfn(d, gaddr_to_gfn(rx_addr), &t, P2M_ALLOC); > > + if ( !tx_pg ) > > + goto err_put_tx_pg; > > + /* Only normal RAM for now */ > > Same about the comment. > > > + if ( t != p2m_ram_rw ) > > + goto err_put_rx_pg; > > + > > + tx = __map_domain_page_global(tx_pg); > > + if ( !tx ) > > + goto err_put_rx_pg; > > + > > + rx = __map_domain_page_global(rx_pg); > > + if ( !rx ) > > + goto err_unmap_tx; > > + > > + ctx->rx = rx; > > + ctx->tx = tx; > > + ctx->rx_pg = rx_pg; > > + ctx->tx_pg = tx_pg; > > + ctx->page_count = 1; > > + ctx->tx_is_mine = true; > > + return FFA_RET_OK; > > + > > +err_unmap_tx: > > + unmap_domain_page_global(tx); > > +err_put_rx_pg: > > + put_page(rx_pg); > > +err_put_tx_pg: > > + put_page(tx_pg); > > + return ret; > > +} > > + > > +static uint32_t handle_rxtx_unmap(void) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t ret; > > + > > + if ( !ctx->rx ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + ret = ffa_rxtx_unmap(get_vm_id(d)); > > + if ( ret ) > > + return ret; > > + > > + unmap_domain_page_global(ctx->rx); > > + unmap_domain_page_global(ctx->tx); > > + put_page(ctx->rx_pg); > > + put_page(ctx->tx_pg); > > + ctx->rx = NULL; > > + ctx->tx = NULL; > > + ctx->rx_pg = NULL; > > + ctx->tx_pg = NULL; > > + ctx->page_count = 0; > > + ctx->tx_is_mine = false; > > + > > + return FFA_RET_OK; > > +} > > + > > +static uint32_t handle_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > > + uint32_t w4, uint32_t w5, > > + uint32_t *count) > > +{ > > + uint32_t ret = FFA_RET_DENIED; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + > > + if ( !ffa_page_count ) > > + return FFA_RET_DENIED; > > + > > + spin_lock(&ctx->lock); > > + if ( !ctx->page_count || !ctx->tx_is_mine ) > > + goto out; > > + ret = ffa_partition_info_get(w1, w2, w3, w4, w5, count); > > + if ( ret ) > > + goto out; > > + if ( ctx->guest_vers == FFA_VERSION_1_0 ) > > + { > > + size_t n; > > + struct ffa_partition_info_1_1 *src = ffa_rx; > > + struct ffa_partition_info_1_0 *dst = ctx->rx; > > + > > + for ( n = 0; n < *count; n++ ) > > Who is going to sanitize 'count' and how do you make sure that... > > > + { > > + dst[n].id = src[n].id; > > ... this will still be written within the page provided by the domain? > > > + dst[n].execution_context = src[n].execution_context; > > + dst[n].partition_properties = src[n].partition_properties; > > + } > > + } > > + else > > + { > > + size_t sz = *count * sizeof(struct ffa_partition_info_1_1); > > + > > + memcpy(ctx->rx, ffa_rx, sz); > > + } > > + ffa_rx_release(); > > I saw above that you are expecting the ffa_rx to be "locked". Will it be the > firmware to block another thread that may need ffa_rx? > > > + ctx->tx_is_mine = false; > > +out: > > + spin_unlock(&ctx->lock); > > + > > + return ret; > > +} > > + > > +static uint32_t handle_rx_release(void) > > +{ > > + uint32_t ret = FFA_RET_DENIED; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + > > + spin_lock(&ctx->lock); > > + if ( !ctx->page_count || ctx->tx_is_mine ) > > + goto out; > > + ret = FFA_RET_OK; > > + ctx->tx_is_mine = true; > > +out: > > + spin_unlock(&ctx->lock); > > + > > + return ret; > > +} > > + > > +static void handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid) > > +{ > > + struct arm_smccc_1_2_regs arg = { .a0 = fid, }; > > + struct arm_smccc_1_2_regs resp = { }; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t src_dst; > > + uint64_t mask; > > + > > + if ( smccc_is_conv_64(fid) ) > > + mask = 0xffffffffffffffff; > > + else > > + mask = 0xffffffff; > > Please use GENMASK() (or similar). So it is easier to confirm the number of > 'f' is correct. > > > + > > + src_dst = get_user_reg(regs, 1); > > + if ( (src_dst >> 16) != get_vm_id(d) ) > > + { > > + resp.a0 = FFA_ERROR; > > + resp.a2 = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + arg.a1 = src_dst; > > + arg.a2 = get_user_reg(regs, 2) & mask; > > + arg.a3 = get_user_reg(regs, 3) & mask; > > + arg.a4 = get_user_reg(regs, 4) & mask; > > + arg.a5 = get_user_reg(regs, 5) & mask; > > + arg.a6 = get_user_reg(regs, 6) & mask; > > + arg.a7 = get_user_reg(regs, 7) & mask; > > + > > + while ( true ) > > + { > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_INTERRUPT: > > + ctx->interrupted = true; > > + goto out; > > + case FFA_ERROR: > > + case FFA_SUCCESS_32: > > + case FFA_SUCCESS_64: > > + case FFA_MSG_SEND_DIRECT_RESP_32: > > + case FFA_MSG_SEND_DIRECT_RESP_64: > > + goto out; > > + default: > > + /* Bad fid, report back. */ > > + memset(&arg, 0, sizeof(arg)); > > + arg.a0 = FFA_ERROR; > > + arg.a1 = src_dst; > > + arg.a2 = FFA_RET_NOT_SUPPORTED; > > + continue; > > + } > > + } > > + > > +out: > > + set_user_reg(regs, 0, resp.a0); > > + set_user_reg(regs, 1, resp.a1 & mask); > > + set_user_reg(regs, 2, resp.a2 & mask); > > + set_user_reg(regs, 3, resp.a3 & mask); > > + set_user_reg(regs, 4, resp.a4 & mask); > > + set_user_reg(regs, 5, resp.a5 & mask); > > + set_user_reg(regs, 6, resp.a6 & mask); > > + set_user_reg(regs, 7, resp.a7 & mask); > > You have already an helper to set all the registers. Why not using it? > > > +} > > I will continue the rest of the review at a later point. > > Cheers, > > -- > Julien Grall
Hi Julien, On Fri, Jul 8, 2022 at 3:41 PM Julien Grall <julien@xen.org> wrote: > > Hi Jens, > > I haven't checked whether the FFA driver is complaint with the spec. I > mainly checked whether the code makes sense from Xen PoV. > > This is a fairly long patch to review. So I will split my review in > multiple session/e-mail. > > On 22/06/2022 14:42, Jens Wiklander wrote: > > Adds a FF-A version 1.1 [1] mediator to communicate with a Secure > > Partition in secure world. > > > > The implementation is the bare minimum to be able to communicate with > > OP-TEE running as an SPMC at S-EL1. > > > > This is loosely based on the TEE mediator framework and the OP-TEE > > mediator. > > > > [1] https://developer.arm.com/documentation/den0077/latest > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> > > --- > > SUPPORT.md | 7 + > > tools/libs/light/libxl_arm.c | 3 + > > tools/libs/light/libxl_types.idl | 1 + > > tools/xl/xl_parse.c | 3 + > > These changes would need an ack from the toolstack maintainers. OK, I'll keep them in CC. > > > xen/arch/arm/Kconfig | 11 + > > xen/arch/arm/Makefile | 1 + > > xen/arch/arm/domain.c | 10 + > > xen/arch/arm/domain_build.c | 1 + > > xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ > > xen/arch/arm/include/asm/domain.h | 4 + > > xen/arch/arm/include/asm/ffa.h | 71 ++ > > xen/arch/arm/vsmc.c | 17 +- > > xen/include/public/arch-arm.h | 2 + > > 13 files changed, 1811 insertions(+), 3 deletions(-) > > create mode 100644 xen/arch/arm/ffa.c > > create mode 100644 xen/arch/arm/include/asm/ffa.h > > > > diff --git a/SUPPORT.md b/SUPPORT.md > > index 70e98964cbc0..215bb3c9043b 100644 > > --- a/SUPPORT.md > > +++ b/SUPPORT.md > > @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. > > > > No support for QEMU backends in a 16K or 64K domain. > > > > +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator > > + > > + Status, Arm64: Tech Preview > > + > > +There are still some code paths where a vCPU may hog a pCPU longer than > > +necessary. The FF-A mediator is not yet implemented for Arm32. > > + > > ### ARM: Guest Device Tree support > > > > Status: Supported > > diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c > > index eef1de093914..a985609861c7 100644 > > --- a/tools/libs/light/libxl_arm.c > > +++ b/tools/libs/light/libxl_arm.c > > @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, > > return ERROR_FAIL; > > } > > > > + config->arch.ffa_enabled = > > + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); > > + > > return 0; > > } > > > > diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl > > index 2a42da2f7d78..bf4544bef399 100644 > > --- a/tools/libs/light/libxl_types.idl > > +++ b/tools/libs/light/libxl_types.idl > > @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ > > > > ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), > > ("vuart", libxl_vuart_type), > > + ("ffa_enabled", libxl_defbool), > > This needs to be accompagnied with a define LIBXL_HAVE_* in > tools/include/libxl.h. Please see the examples in the header. OK, I'll add something. I'm not entirely sure how this is used so I'm afraid it will be a bit of Cargo Cult programming from my side. > > > ])), > > ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool), > > ])), > > diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c > > index b98c0de378b6..e0e99ed8d2b1 100644 > > --- a/tools/xl/xl_parse.c > > +++ b/tools/xl/xl_parse.c > > @@ -2746,6 +2746,9 @@ skip_usbdev: > > exit(-ERROR_FAIL); > > } > > } > > + libxl_defbool_setdefault(&b_info->arch_arm.ffa_enabled, false); > > + xlu_cfg_get_defbool(config, "ffa_enabled", > > + &b_info->arch_arm.ffa_enabled, 0); > > This option needs to be documented in docs/man/xl.cfg.5.pod.in. OK > > > > > parse_vkb_list(config, d_config); > > > > diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig > > index be9eff014120..e57e1d3757e2 100644 > > --- a/xen/arch/arm/Kconfig > > +++ b/xen/arch/arm/Kconfig > > @@ -139,6 +139,17 @@ config TEE > > > > source "arch/arm/tee/Kconfig" > > > > +config FFA > > + bool "Enable FF-A mediator support" if EXPERT > > + default n > > + depends on ARM_64 > > + help > > + This option enables a minimal FF-A mediator. The mediator is > > + generic as it follows the FF-A specification [1], but it only > > + implements a small subset of the specification. > > Where would a user be able to find which subset of the specification > that Xen implements? I'll add a bit more in docs/man/xl.cfg.5.pod.in where I'm describing ffa_enabled. > > > + > > + [1] https://developer.arm.com/documentation/den0077/latest > > + > > endmenu > > > > menu "ARM errata workaround via the alternative framework" > > diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile > > index bb7a6151c13c..af0c69f793d4 100644 > > --- a/xen/arch/arm/Makefile > > +++ b/xen/arch/arm/Makefile > > @@ -20,6 +20,7 @@ obj-y += domain_build.init.o > > obj-y += domctl.o > > obj-$(CONFIG_EARLY_PRINTK) += early_printk.o > > obj-y += efi/ > > +obj-$(CONFIG_FFA) += ffa.o > > obj-y += gic.o > > obj-y += gic-v2.o > > obj-$(CONFIG_GICV3) += gic-v3.o > > diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c > > index 8110c1df8638..a3f00e7e234d 100644 > > --- a/xen/arch/arm/domain.c > > +++ b/xen/arch/arm/domain.c > > @@ -27,6 +27,7 @@ > > #include <asm/cpufeature.h> > > #include <asm/current.h> > > #include <asm/event.h> > > +#include <asm/ffa.h> > > #include <asm/gic.h> > > #include <asm/guest_atomics.h> > > #include <asm/irq.h> > > @@ -756,6 +757,9 @@ int arch_domain_create(struct domain *d, > > if ( (rc = tee_domain_init(d, config->arch.tee_type)) != 0 ) > > goto fail; > > > > + if ( (rc = ffa_domain_init(d, config->arch.ffa_enabled)) != 0 ) > > + goto fail; > > + > > update_domain_wallclock_time(d); > > > > /* > > @@ -998,6 +1002,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) > > enum { > > PROG_pci = 1, > > PROG_tee, > > + PROG_ffa, > > PROG_xen, > > PROG_page, > > PROG_mapping, > > @@ -1043,6 +1048,11 @@ int domain_relinquish_resources(struct domain *d) > > > > PROGRESS(tee): > > ret = tee_relinquish_resources(d); > > + if ( ret ) > > + return ret; > > + > > + PROGRESS(ffa): > > + ret = ffa_relinquish_resources(d); > > if (ret ) > > return ret; > > > > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c > > index 7ddd16c26da5..d708f76356f7 100644 > > --- a/xen/arch/arm/domain_build.c > > +++ b/xen/arch/arm/domain_build.c > > @@ -3450,6 +3450,7 @@ void __init create_dom0(void) > > if ( gic_number_lines() > 992 ) > > printk(XENLOG_WARNING "Maximum number of vGIC IRQs exceeded.\n"); > > dom0_cfg.arch.tee_type = tee_get_type(); > > + dom0_cfg.arch.ffa_enabled = true; > > AFAICT, ffa_enabled is a uint8_t. So we should use 1. However, I am not > convinced that using a uint8_t for what looks like a boolean is warrant. > I will detail more on the definition. OK > > > dom0_cfg.max_vcpus = dom0_max_vcpus(); > > > > if ( iommu_enabled ) > > diff --git a/xen/arch/arm/ffa.c b/xen/arch/arm/ffa.c > > new file mode 100644 > > index 000000000000..3117ce5cec4d > > --- /dev/null > > +++ b/xen/arch/arm/ffa.c > > @@ -0,0 +1,1683 @@ > > +/* > > + * xen/arch/arm/ffa.c > > + * > > + * Arm Firmware Framework for ARMv8-A (FF-A) mediator > > + * > > + * Copyright (C) 2022 Linaro Limited > > + * > > + * Permission is hereby granted, free of charge, to any person > > + * obtaining a copy of this software and associated documentation > > + * files (the "Software"), to deal in the Software without restriction, > > + * including without limitation the rights to use, copy, modify, merge, > > + * publish, distribute, sublicense, and/or sell copies of the Software, > > + * and to permit persons to whom the Software is furnished to do so, > > + * subject to the following conditions: > > + * > > + * The above copyright notice and this permission notice shall be > > + * included in all copies or substantial portions of the Software. > > + * > > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > > This doesn't look like to be a GPLv2 license. Can you clarify which > license you are using? I'll switch to the GPLv2 license to keep things simple. > > > + */ > > + > > +#include <xen/domain_page.h> > > +#include <xen/errno.h> > > +#include <xen/init.h> > > +#include <xen/lib.h> > > +#include <xen/sched.h> > > +#include <xen/types.h> > > +#include <xen/sizes.h> > > +#include <xen/bitops.h> > > + > > +#include <asm/smccc.h> > > +#include <asm/event.h> > > +#include <asm/ffa.h> > > +#include <asm/regs.h> > > + > > +/* Error codes */ > > All the #define below are using hard tab. Please use soft tab. OK > > > +#define FFA_RET_OK 0 > > +#define FFA_RET_NOT_SUPPORTED -1 > > +#define FFA_RET_INVALID_PARAMETERS -2 > > +#define FFA_RET_NO_MEMORY -3 > > +#define FFA_RET_BUSY -4 > > +#define FFA_RET_INTERRUPTED -5 > > +#define FFA_RET_DENIED -6 > > +#define FFA_RET_RETRY -7 > > +#define FFA_RET_ABORTED -8 > > + > > +/* FFA_VERSION helpers */ > > +#define FFA_VERSION_MAJOR _AC(1,U) > > NIT: The use of _AC() is a bit pointless given that you are only use the > values in C code. OK, I'll drop the _AC() usage. > > > +#define FFA_VERSION_MAJOR_SHIFT _AC(16,U) > > +#define FFA_VERSION_MAJOR_MASK _AC(0x7FFF,U) > > +#define FFA_VERSION_MINOR _AC(1,U) > > +#define FFA_VERSION_MINOR_SHIFT _AC(0,U) > > +#define FFA_VERSION_MINOR_MASK _AC(0xFFFF,U) > > +#define MAKE_FFA_VERSION(major, minor) \ > > + ((((major) & FFA_VERSION_MAJOR_MASK) << FFA_VERSION_MAJOR_SHIFT) | \ > > + ((minor) & FFA_VERSION_MINOR_MASK)) > > + > > +#define FFA_MIN_VERSION MAKE_FFA_VERSION(1, 0) > > +#define FFA_VERSION_1_0 MAKE_FFA_VERSION(1, 0) > > +#define FFA_VERSION_1_1 MAKE_FFA_VERSION(1, 1) > > +#define FFA_MY_VERSION MAKE_FFA_VERSION(FFA_VERSION_MAJOR, \ > > + FFA_VERSION_MINOR) > > NIT: I think it would be better that FFA_VERSION_MAJOR AND > FFA_VERSION_MINOR are defined closer to FFA_MY_VERSION and they are > renamed to FFA_MY_VERSION_*. OK > > I would also potentially move the 3 defines past all the definition > related to the specification. This would make clearer that this is what > Xen supports. I couldn't find a good spot below so I'll add a comment here instead to make it more clear. > > > + > > + > > +#define FFA_HANDLE_HYP_FLAG BIT(63,ULL) > > Coding style: You seem to use a mix of FOO(... , ...) and FOO(...,...). > At mimimum, please be consistent within the file. > > For Xen, we usually add a space after the comma. I'll do that. > > [...] > > > +/* > > + * Our rx/rx buffer shared with the SPMC > > + */ > > Hmmm... The comment seems to be misplaced. > > > +static uint32_t ffa_version; > > This probably can be __read_mostly. > > > +static uint16_t *subsr_vm_created; > > What subsr stand for? Subscribers. Not sure how I came to shorten it in that way, maybe I slipped on the keyboard :-). But it is a bit long to spell out. I'll add a comment. > > > +static unsigned int subsr_vm_created_count; > > +static uint16_t *subsr_vm_destroyed; > > +static unsigned int subsr_vm_destroyed_count; > > +static void *ffa_rx; > > +static void *ffa_tx; > > subsr_vm_created, subsr_vm_destroyed, ffa_rx and ffa_tx can probably be > __read_mostly. Agree, I'll fix. > > > +static unsigned int ffa_page_count; > > Is this related to ffa_rx? Yes, the number of pages used each by ffa_rx and ffa_tx. I'll add a comment. > > > +static DEFINE_SPINLOCK(ffa_buffer_lock); > > + > > +static LIST_HEAD(ffa_mem_list); > > +static DEFINE_SPINLOCK(ffa_mem_list_lock); > > + > > +static uint64_t next_handle = FFA_HANDLE_HYP_FLAG; > > next_handle only seems to be used handle_mem_share(). So I think it > would be better to move the definition (as static) within the function. > > This will reduce the number of global variables. OK > > > + > > +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) > > +{ > > + return (uint64_t)reg0 << 32 | reg1; > > +} > > + > > +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, > > + uint64_t val) > > +{ > > + *reg0 = val >> 32; > > + *reg1 = val; > > +} > > Those two functions are the same as optee.c but with a different. I > would rather prefer if we avoid the duplication and provide generic > helpers in a pre-requisite. These functions are trivial but at the same time for a special purpose which happens to coincide with the usage in optee.c. I can't find a suitable common .h file and creating a new one seems a bit much. > > > + > > +static bool ffa_get_version(uint32_t *vers) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_VERSION, .a1 = FFA_MY_VERSION, > > Coding sytle: Please set each field on their own line. OK > > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + if ( resp.a0 == FFA_RET_NOT_SUPPORTED ) > > + { > > + printk(XENLOG_ERR "ffa: FFA_VERSION returned not supported\n"); > > + return false; > > + } > > + > > + *vers = resp.a0; > > Coding style: We tend to add a newline before the last return. I am not > necessarily going to comment about this on all the instances. So please > have a look through the code. OK > > > + return true; > > +} > > + > > +static uint32_t get_ffa_ret_code(const struct arm_smccc_1_2_regs *resp) > > FFA_RET_* will be negative, so shouldn't this return int32_t? You're right, I'll update as needed. > > > +{ > > + switch ( resp->a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp->a2 ) > > + return resp->a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + case FFA_SUCCESS_64: > > + return FFA_RET_OK; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static uint32_t ffa_features(uint32_t id) > > +{ > > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_FEATURES, .a1 = id, }; > > Coding style. Please split each field on their own line. OK > > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static bool check_mandatory_feature(uint32_t id) > > +{ > > + uint32_t ret = ffa_features(id); > > + > > + if (ret) > > + printk(XENLOG_ERR "ffa: mandatory feature id %#x missing\n", id); > > + return !ret; > > +} > > + > > +static uint32_t ffa_rxtx_map(register_t tx_addr, register_t rx_addr, > > + uint32_t page_count) > > Aside the parameters, the helper looks very similar to ffa_features(), > ffa_rxtx_unmap(). Can this be abstracted? Maybe using macro if you still > want to have separate helper name. OK, I'll try something. > > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > +#ifdef CONFIG_ARM_64 > > + .a0 = FFA_RXTX_MAP_64, > > +#endif > > +#ifdef CONFIG_ARM_32 > > + .a0 = FFA_RXTX_MAP_32, > > +#endif > > + .a1 = tx_addr, .a2 = rx_addr, > > Coding: Please don't use hard tab and put each field on their own line. OK > > > + .a3 = page_count, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static uint32_t ffa_rxtx_unmap(uint16_t vm_id) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_RXTX_UNMAP, .a1 = vm_id, > > Coding style. Please add each field on their own line. OK > > > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static uint32_t ffa_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > > + uint32_t w4, uint32_t w5, > > + uint32_t *count) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_PARTITION_INFO_GET, .a1 = w1, .a2 = w2, .a3 = w3, .a4 = w4, > > Ditto. OK > > > + .a5 = w5, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + uint32_t ret; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + ret = get_ffa_ret_code(&resp); > > + if ( !ret ) > > + *count = resp.a2; > > + > > + return ret; > > +} > > + > > +static uint32_t ffa_rx_release(void) > > +{ > > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_RX_RELEASE, }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > > + register_t addr, uint32_t pg_count, > > + uint64_t *handle) > > +{ > > + struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_SHARE_32, .a1 = tot_len, .a2 = frag_len, .a3 = addr, > > Ditto. OK > > > + .a4 = pg_count, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + /* > > + * For arm64 we must use 64-bit calling convention if the buffer isn't > > + * passed in our tx buffer. > > + */ > > Can you explain why we would want to use the 32-bit calling convention > if addr is 0? I was trying to avoid the 64-bit calling convention where possible, but ffa_rxtx_map() still depends on 64-bit calling convention. So it's useless here, I'll remove that check. > > > + if (sizeof(addr) > 4 && addr) > > sizeof(addr) > 4 is a bit odd to read. I think it would be better to > check that CONFIG_ARM_64 is set (i.e. IS_ENABLED()). Thanks, I'll fix. > > > + arg.a0 = FFA_MEM_SHARE_64; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp.a2 ) > > + return resp.a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + *handle = reg_pair_to_64(resp.a3, resp.a2); > > + return FFA_RET_OK; > > + case FFA_MEM_FRAG_RX: > > + *handle = reg_pair_to_64(resp.a2, resp.a1); > > + return resp.a3; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static int32_t ffa_mem_frag_tx(uint64_t handle, uint32_t frag_len, > > + uint16_t sender_id) > > +{ > > + struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_FRAG_TX, .a1 = handle & UINT32_MAX, .a2 = handle >> 32, > > + .a3 = frag_len, .a4 = (uint32_t)sender_id << 16, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp.a2 ) > > + return resp.a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + return FFA_RET_OK; > > + case FFA_MEM_FRAG_RX: > > + return resp.a3; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static uint32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > > + uint32_t flags) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_RECLAIM, .a1 = handle_lo, .a2 = handle_hi, .a3 = flags, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, > > OOI, why is this call returns int32_t when all the other use uint32_t > (even if may returned negative values)? I'll fix all those other functions. > > > + uint8_t msg) > > +{ > > + uint32_t exp_resp = FFA_MSG_FLAG_FRAMEWORK; > > + int32_t res; > > + > > + if ( msg != FFA_MSG_SEND_VM_CREATED && msg !=FFA_MSG_SEND_VM_DESTROYED ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + if ( msg == FFA_MSG_SEND_VM_CREATED ) > > + exp_resp |= FFA_MSG_RESP_VM_CREATED; > > + else > > + exp_resp |= FFA_MSG_RESP_VM_DESTROYED; > > NIT: I think it would be easier to read if you drop the first 'if' and > instead write: > > if ( msg == ..._CREATED ) > ... > else if ( msg == ..._DESTROYED ) > ... > else > return FFA_RET_INVALID_PARAMETERS. Thanks, I'll fix. > > > + > > + do { > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MSG_SEND_DIRECT_REQ_32, > > + .a1 = sp_id, > > + .a2 = FFA_MSG_FLAG_FRAMEWORK | msg, > > + .a5 = vm_id, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + if ( resp.a0 != FFA_MSG_SEND_DIRECT_RESP_32 || resp.a2 != exp_resp ) > > + { > > + /* > > + * This is an invalid response, likely due to some error in the > > + * implementation of the ABI. > > + */ > > + return FFA_RET_INVALID_PARAMETERS; > > + } > > + res = resp.a3; > > + } while ( res == FFA_RET_INTERRUPTED || res == FFA_RET_RETRY ); > > + > > + return res; > > +} > > + > > +static u16 get_vm_id(struct domain *d) > > d is not meant to be modified by the helper. So please use 'const'. OK > > > +{ > > + /* +1 since 0 is reserved for the hypervisor in FF-A */ > > + return d->domain_id + 1; > > +} > > + > > +static void set_regs(struct cpu_user_regs *regs, register_t v0, register_t v1, > > + register_t v2, register_t v3, register_t v4, register_t v5, > > + register_t v6, register_t v7) > > +{ > > + set_user_reg(regs, 0, v0); > > + set_user_reg(regs, 1, v1); > > + set_user_reg(regs, 2, v2); > > + set_user_reg(regs, 3, v3); > > + set_user_reg(regs, 4, v4); > > + set_user_reg(regs, 5, v5); > > + set_user_reg(regs, 6, v6); > > + set_user_reg(regs, 7, v7); > > +} > > + > > +static void set_regs_error(struct cpu_user_regs *regs, uint32_t error_code) > > +{ > > + set_regs(regs, FFA_ERROR, 0, error_code, 0, 0, 0, 0, 0); > > +} > > + > > +static void set_regs_success(struct cpu_user_regs *regs, uint32_t w2, > > + uint32_t w3) > > +{ > > + set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, 0, 0, 0, 0); > > +} > > + > > +static void set_regs_frag_rx(struct cpu_user_regs *regs, uint32_t handle_lo, > > + uint32_t handle_hi, uint32_t frag_offset, > > + uint16_t sender_id) > > +{ > > + set_regs(regs, FFA_MEM_FRAG_RX, handle_lo, handle_hi, frag_offset, > > + (uint32_t)sender_id << 16, 0, 0, 0); > > +} > > + > > +static void handle_version(struct cpu_user_regs *regs) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t vers = get_user_reg(regs, 1); > > + > > + if ( vers < FFA_VERSION_1_1 ) > > + vers = FFA_VERSION_1_0; > > + else > > + vers = FFA_VERSION_1_1; > > I find a bit strange to 'cap' the version provided by the user. Is this > part of the spec? Yes, it's part of the spec. The user supplies its version and we reply with the version closest to that which we can handle. Then we must remember that so we use the correct version of structs etc. > > > + > > + ctx->guest_vers = vers; > > + set_regs(regs, vers, 0, 0, 0, 0, 0, 0, 0); > > +} > > + > > +static uint32_t handle_rxtx_map(uint32_t fid, register_t tx_addr, > > + register_t rx_addr, uint32_t page_count) > > Xen, Linux, and the firmware may use different page size. Below, you > seem to have the page size will always be 4KB. Is this guaranteed by the > spec? If not, how do all the 3 components agree on it? The page size is always 4KB, but the smallest memory unit may be larger, 16KB or 64KB if I remember correctly. > > If yes, then I think this should be written down and we should have a > BUILD_BUG_ON(PAGE_SIZE != SZ_4K). However, here I've assumed 4KB as the smallest memory unit so I'll add the BUILD_BUG_ON() for now. > > > +{ > > + uint32_t ret = FFA_RET_INVALID_PARAMETERS; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + struct page_info *tx_pg; > > + struct page_info *rx_pg; > > + p2m_type_t t; > > + void *rx; > > + void *tx; > > + > > + if ( !smccc_is_conv_64(fid) ) > > + { > > + tx_addr &= UINT32_MAX; > > + rx_addr &= UINT32_MAX; > > + } > > + > > + /* For now to keep things simple, only deal with a single page */ > > + if ( page_count != 1 ) > > + return FFA_RET_NOT_SUPPORTED; > > + > > + /* Already mapped */ > > + if ( ctx->rx ) > > + return FFA_RET_DENIED; > > + > > + tx_pg = get_page_from_gfn(d, gaddr_to_gfn(tx_addr), &t, P2M_ALLOC); > > + if ( !tx_pg ) > > + return FFA_RET_INVALID_PARAMETERS; > > + /* Only normal RAM for now */ > > This comment suggests the check below should be p2m_is_ram() but you are > using p2m_ram_rw. Thanks, I'll fix. > > > + if (t != p2m_ram_rw) > > Coding style: if ( ... ) OK > > > + goto err_put_tx_pg; > > + > > + rx_pg = get_page_from_gfn(d, gaddr_to_gfn(rx_addr), &t, P2M_ALLOC); > > + if ( !tx_pg ) > > + goto err_put_tx_pg; > > + /* Only normal RAM for now */ > > Same about the comment. OK > > > + if ( t != p2m_ram_rw ) > > + goto err_put_rx_pg; > > + > > + tx = /(tx_pg); > > + if ( !tx ) > > + goto err_put_rx_pg; > > + > > + rx = __map_domain_page_global(rx_pg); > > + if ( !rx ) > > + goto err_unmap_tx; > > + > > + ctx->rx = rx; > > + ctx->tx = tx; > > + ctx->rx_pg = rx_pg; > > + ctx->tx_pg = tx_pg; > > + ctx->page_count = 1; > > + ctx->tx_is_mine = true; > > + return FFA_RET_OK; > > + > > +err_unmap_tx: > > + unmap_domain_page_global(tx); > > +err_put_rx_pg: > > + put_page(rx_pg); > > +err_put_tx_pg: > > + put_page(tx_pg); > > + return ret; > > +} > > + > > +static uint32_t handle_rxtx_unmap(void) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t ret; > > + > > + if ( !ctx->rx ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + ret = ffa_rxtx_unmap(get_vm_id(d)); > > + if ( ret ) > > + return ret; > > + > > + unmap_domain_page_global(ctx->rx); > > + unmap_domain_page_global(ctx->tx); > > + put_page(ctx->rx_pg); > > + put_page(ctx->tx_pg); > > + ctx->rx = NULL; > > + ctx->tx = NULL; > > + ctx->rx_pg = NULL; > > + ctx->tx_pg = NULL; > > + ctx->page_count = 0; > > + ctx->tx_is_mine = false; > > + > > + return FFA_RET_OK; > > +} > > + > > +static uint32_t handle_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > > + uint32_t w4, uint32_t w5, > > + uint32_t *count) > > +{ > > + uint32_t ret = FFA_RET_DENIED; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + > > + if ( !ffa_page_count ) > > + return FFA_RET_DENIED; > > + > > + spin_lock(&ctx->lock); > > + if ( !ctx->page_count || !ctx->tx_is_mine ) > > + goto out; > > + ret = ffa_partition_info_get(w1, w2, w3, w4, w5, count); > > + if ( ret ) > > + goto out; > > + if ( ctx->guest_vers == FFA_VERSION_1_0 ) > > + { > > + size_t n; > > + struct ffa_partition_info_1_1 *src = ffa_rx; > > + struct ffa_partition_info_1_0 *dst = ctx->rx; > > + > > + for ( n = 0; n < *count; n++ ) > > Who is going to sanitize 'count' and how do you make sure that... > > > + { > > + dst[n].id = src[n].id; > > ... this will still be written within the page provided by the domain? Good point, I'll add some checks. > > > + dst[n].execution_context = src[n].execution_context; > > + dst[n].partition_properties = src[n].partition_properties; > > + } > > + } > > + else > > + { > > + size_t sz = *count * sizeof(struct ffa_partition_info_1_1); > > + > > + memcpy(ctx->rx, ffa_rx, sz); > > + } > > + ffa_rx_release(); > > I saw above that you are expecting the ffa_rx to be "locked". Will it be > the firmware to block another thread that may need ffa_rx? It's firmware (SPMC) which writes into ffa_rx. At the same time it's marking ffa_rx as used and will refuse another call which would also mark ffa_rx as used until ffa_rx_release() has been called. If another thread also tries to use ffa_rx before it has been released the SPMC will return FFA_RET_BUSY. So SPMC isn't blocking it's rather preventing another thread. I'll add a spinlock for the ffa_rx buffer too. > > > + ctx->tx_is_mine = false; > > +out: > > + spin_unlock(&ctx->lock); > > + > > + return ret; > > +} > > + > > +static uint32_t handle_rx_release(void) > > +{ > > + uint32_t ret = FFA_RET_DENIED; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + > > + spin_lock(&ctx->lock); > > + if ( !ctx->page_count || ctx->tx_is_mine ) > > + goto out; > > + ret = FFA_RET_OK; > > + ctx->tx_is_mine = true; > > +out: > > + spin_unlock(&ctx->lock); > > + > > + return ret; > > +} > > + > > +static void handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid) > > +{ > > + struct arm_smccc_1_2_regs arg = { .a0 = fid, }; > > + struct arm_smccc_1_2_regs resp = { }; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t src_dst; > > + uint64_t mask; > > + > > + if ( smccc_is_conv_64(fid) ) > > + mask = 0xffffffffffffffff; > > + else > > + mask = 0xffffffff; > > Please use GENMASK() (or similar). So it is easier to confirm the number > of 'f' is correct. OK > > > + > > + src_dst = get_user_reg(regs, 1); > > + if ( (src_dst >> 16) != get_vm_id(d) ) > > + { > > + resp.a0 = FFA_ERROR; > > + resp.a2 = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + arg.a1 = src_dst; > > + arg.a2 = get_user_reg(regs, 2) & mask; > > + arg.a3 = get_user_reg(regs, 3) & mask; > > + arg.a4 = get_user_reg(regs, 4) & mask; > > + arg.a5 = get_user_reg(regs, 5) & mask; > > + arg.a6 = get_user_reg(regs, 6) & mask; > > + arg.a7 = get_user_reg(regs, 7) & mask; > > + > > + while ( true ) > > + { > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_INTERRUPT: > > + ctx->interrupted = true; > > + goto out; > > + case FFA_ERROR: > > + case FFA_SUCCESS_32: > > + case FFA_SUCCESS_64: > > + case FFA_MSG_SEND_DIRECT_RESP_32: > > + case FFA_MSG_SEND_DIRECT_RESP_64: > > + goto out; > > + default: > > + /* Bad fid, report back. */ > > + memset(&arg, 0, sizeof(arg)); > > + arg.a0 = FFA_ERROR; > > + arg.a1 = src_dst; > > + arg.a2 = FFA_RET_NOT_SUPPORTED; > > + continue; > > + } > > + } > > + > > +out: > > + set_user_reg(regs, 0, resp.a0); > > + set_user_reg(regs, 1, resp.a1 & mask); > > + set_user_reg(regs, 2, resp.a2 & mask); > > + set_user_reg(regs, 3, resp.a3 & mask); > > + set_user_reg(regs, 4, resp.a4 & mask); > > + set_user_reg(regs, 5, resp.a5 & mask); > > + set_user_reg(regs, 6, resp.a6 & mask); > > + set_user_reg(regs, 7, resp.a7 & mask); > > You have already an helper to set all the registers. Why not using it? OK > > > +} > > I will continue the rest of the review at a later point. Thanks for reviewing this far. Cheers, Jens
Hi Julien, On Fri, Jul 8, 2022 at 9:54 PM Julien Grall <julien@xen.org> wrote: > > Hi Jens, > > This is the second part of the review. > > On 22/06/2022 14:42, Jens Wiklander wrote: > > +static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, > > + struct ffa_address_range *range, uint32_t range_count, > > AFAICT, 'range' is not meant to be modified. So I would add 'const'. OK > > > + unsigned int start_page_idx, > > + unsigned int *last_page_idx) > > +{ > > + unsigned int pg_idx = start_page_idx; > > + unsigned long gfn; > > Below you are using gaddr_to_gfn() which will return gfn_t. This is > using the typesafe infrastructure: gfn_t will be a structure with > CONFIG_DEBUG=y to allow type checking and a plain 'unsigned long' when > CONFIG_DEBUG=n. > > Please make sure to test build with CONFIG_DEBUG=y. > > As a side note, I would suggest to try booting as CONFIG_DEBUG as it > enables extra check for the common pitfalls. Thanks, I'll do that. > > > + unsigned int n; > > + unsigned int m; > > + p2m_type_t t; > > + uint64_t addr; > > + > > + for ( n = 0; n < range_count; n++ ) > > + { > > + for ( m = 0; m < range[n].page_count; m++ ) > > + { > > + if ( pg_idx >= shm->page_count ) > > + return FFA_RET_INVALID_PARAMETERS; > > Shouldn't we call put_page() to drop the references taken by > get_page_from_gfn()? Yes, and that's done by put_shm_pages(). One would normally expect get_shm_pages() to do this on error, but that's not needed here since we're always calling put_shm_pages() just before freeing the shm. I can change to let get_shm_pages() do the cleanup on error instead if you prefer that. > > > + > > + addr = read_atomic(&range[n].address); > > IIUC, range is part of the shared page with the guest. Where do you > check that all the access will be within the shared page? It's checked by the callers. > > > + gfn = gaddr_to_gfn(addr + m * PAGE_SIZE); > > Is addr meant to be page-aligned? Also, you are using the hypervisor > page size here when AFAICT page_count is provided by the domain. You're right, this is confusing. I'll define a FFA_PAGE_SIZE to SZ_4K and use that instead. Note that with FF-A a page is always 4K even if the smallest unit/granule may be larger (16kB or 64kB). > > How do you guarantee that both Xen and the domain agree on the page size? For now, I'll add a BUILD_BUG_ON() to check that the hypervisor page size is 4K to simplify the initial implementation. We can update to support a larger minimal memory granule later on. > > > + shm->pages[pg_idx] = get_page_from_gfn(d, gfn, &t, P2M_ALLOC); > > + if ( !shm->pages[pg_idx] ) > > + return FFA_RET_DENIED; > > + pg_idx++; > > + /* Only normal RAM for now */ > > Similar to my earlier remark, the comment doesn't match the check below. I'll fix. > > > + if ( t != p2m_ram_rw ) > > + return FFA_RET_DENIED; > > + } > > + } > > + > > + *last_page_idx = pg_idx; > > + > > + return FFA_RET_OK; > > +} > > + > > +static void put_shm_pages(struct ffa_shm_mem *shm) > > +{ > > + unsigned int n; > > + > > + for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) > > + { > > + put_page(shm->pages[n]); > > + shm->pages[n] = NULL; > > + } > > +} > > + > > +static void init_range(struct ffa_address_range *addr_range, > > + paddr_t pa) > +{ > > + memset(addr_range, 0, sizeof(*addr_range)); > > + addr_range->address = pa; > > + addr_range->page_count = 1; > > +} > > + > > +static int share_shm(struct ffa_shm_mem *shm) > > AFAIU, share_shm() cannot be concurrently called. You seem to use > ffa_buffer_lock to guarantee that. So I would suggest to add: > 1) an ASSERT(spin_is_Locked(&ffa_buffer_lock)) > 2) a comment on top of share_shm() explaining that the function > should be called with ffa_buffer_lock taken. Yes, it's the ffa_tx buffer that must be protected against concurrent use. I'll update. > > > +{ > > + uint32_t max_frag_len = ffa_page_count * PAGE_SIZE; > > + struct ffa_mem_transaction_1_1 *descr = ffa_tx; > > + struct ffa_mem_access *mem_access_array; > > + struct ffa_mem_region *region_descr; > > + struct ffa_address_range *addr_range; > > + paddr_t pa; > > + paddr_t last_pa; > > + unsigned int n; > > + uint32_t frag_len; > > + uint32_t tot_len; > > + int ret; > > + unsigned int range_count; > > + unsigned int range_base; > > + bool first; > > + > > + memset(descr, 0, sizeof(*descr)); > > + descr->sender_id = shm->sender_id; > > + descr->global_handle = shm->handle; > > + descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; > > + descr->mem_access_count = 1; > > + descr->mem_access_size = sizeof(*mem_access_array); > > + descr->mem_access_offs = sizeof(*descr); > > + mem_access_array = (void *)(descr + 1); > > + region_descr = (void *)(mem_access_array + 1); > > The (void *)(descr + 1) seems to be very common in your comment. Can you > consider to add a wrapper? This will make easier to read the code? OK, I'll try something different. > > > + > > + memset(mem_access_array, 0, sizeof(*mem_access_array)); > > + mem_access_array[0].access_perm.endpoint_id = shm->ep_id; > > + mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; > > + mem_access_array[0].region_offs = (vaddr_t)region_descr - (vaddr_t)ffa_tx; > > Same for calculating the offset. OK > > > + > > + memset(region_descr, 0, sizeof(*region_descr)); > > + region_descr->total_page_count = shm->page_count; > > + > > + region_descr->address_range_count = 1; > > + last_pa = page_to_maddr(shm->pages[0]); > For hardening purpose, I would suggest to check if shm->page_count is at > least 1. If you think this could be a programming error then you could > write: > > if ( .... ) > { > ASSERT_UNREACHABLE() > return <error>; > } OK > > > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > > + { > > + pa = page_to_maddr(shm->pages[n]); > > + if ( last_pa + PAGE_SIZE == pa ) > > + { > > Coding style: We usually avoid {} for single line. OK > > > + continue; > > + } > > + region_descr->address_range_count++; > > + } > > + > > + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + > > + sizeof(*region_descr) + > > + region_descr->address_range_count * sizeof(*addr_range); > > How do you make sure that you will not write past the end of ffa_tx? > > I think it would be worth to consider adding an helper that would allow > you to allocate space in ffa_tx and zero it. This would return an error > if there is not enough space. That's what I'm doing with frag_len. If the descriptor cannot fit it's divided into fragments that will fit. > > > + > > + addr_range = region_descr->address_range_array; > > + frag_len = (vaddr_t)(addr_range + 1) - (vaddr_t)ffa_tx; > > + last_pa = page_to_maddr(shm->pages[0]); > > + init_range(addr_range, last_pa); > > + first = true; > > + range_count = 1; > > + range_base = 0; > > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > > + { > > + pa = page_to_maddr(shm->pages[n]); > > + if ( last_pa + PAGE_SIZE == pa ) > > + { > > + addr_range->page_count++; > > + continue; > > + } > > + > > + if ( frag_len == max_frag_len ) > > + { > > + if ( first ) > > + { > > + ret = ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > > + first = false; > > + } > > + else > > + { > > + ret = ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > > + } > > + if ( ret <= 0) > > Coding style: Missing space before ). > > > + return ret; > > + range_base = range_count; > > You set range_base but don't seem to read it > > > + range_count = 0; > > Same here. I'll remove them. > > > + frag_len = sizeof(*addr_range); > > + addr_range = ffa_tx; > > + } > > + else > > + { > > + frag_len += sizeof(*addr_range); > > + addr_range++; > > + } > > + init_range(addr_range, pa); > > + range_count++; > > + } > > + > > + if ( first ) > > + return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > > + else > > + return ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > > +} > > + > > +static int read_mem_transaction(uint32_t ffa_vers, void *buf, size_t blen, > > buf should be const if it is not meant to be modified by the function. OK > > > + struct ffa_mem_transaction_x *trans) > > +{ > > + uint16_t mem_reg_attr; > > + uint32_t flags; > > + uint32_t count; > > + uint32_t offs; > > + uint32_t size; > > + > > + if ( ffa_vers >= FFA_VERSION_1_1 ) > > + { > > + struct ffa_mem_transaction_1_1 *descr; > > + > > + if ( blen < sizeof(*descr) ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + descr = buf; > > + trans->sender_id = read_atomic(&descr->sender_id); > AFAIU, descr point to guest data. If yes, then we can't trust input. In > which case, is this really necessary to use read_atomic() for every access? > > The reason I am asking is read_atomic() is quite a hammer when a > compiler barrier should be sufficient. I see, I'll use barrier() instead. > > > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > > + flags = read_atomic(&descr->flags); > > + trans->global_handle = read_atomic(&descr->global_handle); > > + trans->tag = read_atomic(&descr->tag); > > + > > + count = read_atomic(&descr->mem_access_count); > > + size = read_atomic(&descr->mem_access_size); > > + offs = read_atomic(&descr->mem_access_offs); > > + } > > + else > > + { > > + struct ffa_mem_transaction_1_0 *descr; > > + > > + if ( blen < sizeof(*descr) ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + descr = buf; > > + trans->sender_id = read_atomic(&descr->sender_id); > > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > > + flags = read_atomic(&descr->flags); > > + trans->global_handle = read_atomic(&descr->global_handle); > > + trans->tag = read_atomic(&descr->tag); > > + > > + count = read_atomic(&descr->mem_access_count); > > + size = sizeof(struct ffa_mem_access); > > + offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); > > + } > > + > > + if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || > > AFAIU, these checks are to ensure that the fields fit in your structure > below. However, it is not clear to me why we are capping the values > provided by the domain. > > I think this would be good to explain it in a comment. OK, I'll add something. > > > + count > UINT8_MAX || offs > UINT16_MAX ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + /* Check that the endpoint memory access descriptor array fits */ > > + if ( size * count + offs > blen ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + trans->mem_reg_attr = mem_reg_attr; > > + trans->flags = flags; > > + trans->mem_access_size = size; > > + trans->mem_access_count = count; > > + trans->mem_access_offs = offs; > > + return 0; > > +} > > + > > +static int add_mem_share_frag(struct mem_frag_state *s, unsigned int offs, > > + unsigned int frag_len) > > +{ > > + struct domain *d = current->domain; > > + unsigned int o = offs; > > + unsigned int l; > > + int ret; > > + > > + if ( frag_len < o ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + /* Fill up the first struct ffa_address_range */ > > + l = min_t(unsigned int, frag_len - o, sizeof(s->range) - s->range_offset); > > + memcpy((uint8_t *)&s->range + s->range_offset, s->buf + o, l); > > + s->range_offset += l; > > + o += l; > > + if ( s->range_offset != sizeof(s->range) ) > > + goto out; > > + s->range_offset = 0; > > + > > + while ( true ) > > + { > > + ret = get_shm_pages(d, s->shm, &s->range, 1, s->current_page_idx, > > + &s->current_page_idx); > > + if ( ret ) > > + return ret; > > + if ( s->range_count == 1 ) > > + return 0; > > + s->range_count--; > > + if ( frag_len - o < sizeof(s->range) ) > > + break; > > + memcpy(&s->range, s->buf + o, sizeof(s->range)); > > + o += sizeof(s->range); > > + } > > + > > + /* Collect any remaining bytes for the next struct ffa_address_range */ > > + s->range_offset = frag_len - o; > > + memcpy(&s->range, s->buf + o, frag_len - o); > > +out: > > + s->frag_offset += frag_len; > > + return s->frag_offset; > > +} > > + > > +static void handle_mem_share(struct cpu_user_regs *regs) > > +{ > > + uint32_t tot_len = get_user_reg(regs, 1); > > + uint32_t frag_len = get_user_reg(regs, 2); > > + uint64_t addr = get_user_reg(regs, 3); > > + uint32_t page_count = get_user_reg(regs, 4); > > + struct ffa_mem_transaction_x trans; > > + struct ffa_mem_access *mem_access; > > + struct ffa_mem_region *region_descr; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + struct ffa_shm_mem *shm = NULL; > > + unsigned int last_page_idx = 0; > > + uint32_t range_count; > > + uint32_t region_offs; > > + int ret = FFA_RET_DENIED; > > + uint32_t handle_hi = 0; > > + uint32_t handle_lo = 0; > > + > > + /* > > + * We're only accepting memory transaction descriptors via the rx/tx > > + * buffer. > > + */ > > + if ( addr ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + /* Check that fragment legnth doesn't exceed total length */ > > Typo: s/legnth/length/ > > > + if ( frag_len > tot_len ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out_unlock; > > + } > > + > > + spin_lock(&ctx->lock); > > + > > + if ( frag_len > ctx->page_count * PAGE_SIZE ) > > + goto out_unlock; > > + > > + if ( !ffa_page_count ) > > + { > > + ret = FFA_RET_NO_MEMORY; > > + goto out_unlock; > > + } > > + > > + ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); > > + if ( ret ) > > + goto out_unlock; > > + > > + if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out; > > + } > > + > > + /* Only supports sharing it with one SP for now */ > > + if ( trans.mem_access_count != 1 ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + if ( trans.sender_id != get_vm_id(d) ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out_unlock; > > + } > > + > > + /* Check that it fits in the supplied data */ > > + if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) > > + goto out_unlock; > > + > > + mem_access = (void *)((vaddr_t)ctx->tx + trans.mem_access_offs); > > There are a bit too much open-cast in this series. Please try to reduce > the numbers. OK > > In this case, the two casts are unnecessary because tx is already a void > pointer. Thanks, I didn't realize that void pointer arithmetics was allowed here. > > In addition to that, ctx->tx could be a "const void *" because it is not > meant to be written by Xen. The const would also needs to be propagated > to mem_access & co. OK > > > + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + region_offs = read_atomic(&mem_access->region_offs); > > + if ( sizeof(*region_descr) + region_offs > frag_len ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); > > + range_count = read_atomic(®ion_descr->address_range_count); > > + page_count = read_atomic(®ion_descr->total_page_count); > > + > > + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count) > This will allow a guest to allocate an arbitrarily large array in Xen. > So please sanitize page_count before using it. This is tricky, what is a reasonable limit? If we do set a limit the guest can still share many separate memory ranges. > > > + if ( !shm ) > > + { > > + ret = FFA_RET_NO_MEMORY; > > + goto out; > > + } > > + shm->sender_id = trans.sender_id; > > + shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); > > + shm->page_count = page_count; > > + > > + if ( frag_len != tot_len ) > > + { > > + struct mem_frag_state *s = xzalloc(struct mem_frag_state); > > + > > + if ( !s ) > > + { > > + ret = FFA_RET_NO_MEMORY; > > + goto out; > > + } > > + s->shm = shm; > > + s->range_count = range_count; > > + s->buf = ctx->tx; > > + s->buf_size = ffa_page_count * PAGE_SIZE; > > + ret = add_mem_share_frag(s, sizeof(*region_descr) + region_offs, > > + frag_len); > > + if ( ret <= 0 ) > > + { > > + xfree(s); > > + if ( ret < 0 ) > > + goto out; > > + } > > + else > > + { > > + shm->handle = next_handle++; > > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > > + list_add_tail(&s->list, &ctx->frag_list); > > + } > > + goto out_unlock; > > + } > > + > > + /* > > + * Check that the Composite memory region descriptor fits. > > + */ > > + if ( sizeof(*region_descr) + region_offs + > > + range_count * sizeof(struct ffa_address_range) > frag_len ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, > > + 0, &last_page_idx); > > + if ( ret ) > > + goto out; > > + if ( last_page_idx != shm->page_count ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + /* Note that share_shm() uses our tx buffer */ > > + spin_lock(&ffa_buffer_lock); > > + ret = share_shm(shm); > > + spin_unlock(&ffa_buffer_lock); > > + if ( ret ) > > + goto out; > > + > > + spin_lock(&ffa_mem_list_lock); > > + list_add_tail(&shm->list, &ffa_mem_list); > > A couple of questions: > - What is the maximum size of the list? Currently, there is no limit. I'm not sure what is a reasonable limit more than five for sure, but depending on the use case more than 100 might be excessive. > - Why is the list is global rather than per domain? In fact, looking > at handle_mem_reclaim() it looks like a domain could potentially reclaim > in memory (we don't seem to sanitize the input other than checking the > handle is used). So it seems to me the list should be per-domain. OK, I'll move it into struct ffa_ctx. > > > + spin_unlock(&ffa_mem_list_lock); > + > > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > > + > > +out: > > + if ( ret && shm ) > > + { > > + put_shm_pages(shm); > > + xfree(shm); > > + } > > +out_unlock: > > + spin_unlock(&ctx->lock); > > + > > + if ( ret > 0 ) > > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, trans.sender_id); > > + else if ( ret == 0) > > Coding style: missing space before ). OK > > > + set_regs_success(regs, handle_lo, handle_hi); > > + else > > + set_regs_error(regs, ret); > > +} > > + > > I will continue the review later on. Thanks for the comments so far. Cheers, Jens
Hi Bertrand, On Thu, Jul 14, 2022 at 11:51 AM Bertrand Marquis <Bertrand.Marquis@arm.com> wrote: > > Hi Jens, > > > On 22 Jun 2022, at 14:42, Jens Wiklander <jens.wiklander@linaro.org> wrote: > > > > Adds a FF-A version 1.1 [1] mediator to communicate with a Secure > > Partition in secure world. > > > > The implementation is the bare minimum to be able to communicate with > > OP-TEE running as an SPMC at S-EL1. > > > > This is loosely based on the TEE mediator framework and the OP-TEE > > mediator. > > > > [1] https://developer.arm.com/documentation/den0077/latest > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> > > I spent quite some time on this patch and on the spec and there are far to > much code and concepts introduced here to be able to do a review in one go. > > Could you try to split the patch to introduce each concept in a specific patch ? > I would suggest something like introducing each call in its own patch, having > a specific patch for the tool support, etc. > > At this stage I am not convinced that there is no issue here where a guest could > access information from an other guest and reviewing smaller patches will help > me following the spec for each subject and ask questions along the way. OK, I'll try to split it up a bit in the next version. Cheers, Jens > > Cheers > Bertrand > > > --- > > SUPPORT.md | 7 + > > tools/libs/light/libxl_arm.c | 3 + > > tools/libs/light/libxl_types.idl | 1 + > > tools/xl/xl_parse.c | 3 + > > xen/arch/arm/Kconfig | 11 + > > xen/arch/arm/Makefile | 1 + > > xen/arch/arm/domain.c | 10 + > > xen/arch/arm/domain_build.c | 1 + > > xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ > > xen/arch/arm/include/asm/domain.h | 4 + > > xen/arch/arm/include/asm/ffa.h | 71 ++ > > xen/arch/arm/vsmc.c | 17 +- > > xen/include/public/arch-arm.h | 2 + > > 13 files changed, 1811 insertions(+), 3 deletions(-) > > create mode 100644 xen/arch/arm/ffa.c > > create mode 100644 xen/arch/arm/include/asm/ffa.h > > > > diff --git a/SUPPORT.md b/SUPPORT.md > > index 70e98964cbc0..215bb3c9043b 100644 > > --- a/SUPPORT.md > > +++ b/SUPPORT.md > > @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. > > > > No support for QEMU backends in a 16K or 64K domain. > > > > +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator > > + > > + Status, Arm64: Tech Preview > > + > > +There are still some code paths where a vCPU may hog a pCPU longer than > > +necessary. The FF-A mediator is not yet implemented for Arm32. > > + > > ### ARM: Guest Device Tree support > > > > Status: Supported > > diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c > > index eef1de093914..a985609861c7 100644 > > --- a/tools/libs/light/libxl_arm.c > > +++ b/tools/libs/light/libxl_arm.c > > @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, > > return ERROR_FAIL; > > } > > > > + config->arch.ffa_enabled = > > + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); > > + > > return 0; > > } > > > > diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl > > index 2a42da2f7d78..bf4544bef399 100644 > > --- a/tools/libs/light/libxl_types.idl > > +++ b/tools/libs/light/libxl_types.idl > > @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ > > > > ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), > > ("vuart", libxl_vuart_type), > > + ("ffa_enabled", libxl_defbool), > > ])), > > ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool), > > ])), > > diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c > > index b98c0de378b6..e0e99ed8d2b1 100644 > > --- a/tools/xl/xl_parse.c > > +++ b/tools/xl/xl_parse.c > > @@ -2746,6 +2746,9 @@ skip_usbdev: > > exit(-ERROR_FAIL); > > } > > } > > + libxl_defbool_setdefault(&b_info->arch_arm.ffa_enabled, false); > > + xlu_cfg_get_defbool(config, "ffa_enabled", > > + &b_info->arch_arm.ffa_enabled, 0); > > > > parse_vkb_list(config, d_config); > > > > diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig > > index be9eff014120..e57e1d3757e2 100644 > > --- a/xen/arch/arm/Kconfig > > +++ b/xen/arch/arm/Kconfig > > @@ -139,6 +139,17 @@ config TEE > > > > source "arch/arm/tee/Kconfig" > > > > +config FFA > > + bool "Enable FF-A mediator support" if EXPERT > > + default n > > + depends on ARM_64 > > + help > > + This option enables a minimal FF-A mediator. The mediator is > > + generic as it follows the FF-A specification [1], but it only > > + implements a small subset of the specification. > > + > > + [1] https://developer.arm.com/documentation/den0077/latest > > + > > endmenu > > > > menu "ARM errata workaround via the alternative framework" > > diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile > > index bb7a6151c13c..af0c69f793d4 100644 > > --- a/xen/arch/arm/Makefile > > +++ b/xen/arch/arm/Makefile > > @@ -20,6 +20,7 @@ obj-y += domain_build.init.o > > obj-y += domctl.o > > obj-$(CONFIG_EARLY_PRINTK) += early_printk.o > > obj-y += efi/ > > +obj-$(CONFIG_FFA) += ffa.o > > obj-y += gic.o > > obj-y += gic-v2.o > > obj-$(CONFIG_GICV3) += gic-v3.o > > diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c > > index 8110c1df8638..a3f00e7e234d 100644 > > --- a/xen/arch/arm/domain.c > > +++ b/xen/arch/arm/domain.c > > @@ -27,6 +27,7 @@ > > #include <asm/cpufeature.h> > > #include <asm/current.h> > > #include <asm/event.h> > > +#include <asm/ffa.h> > > #include <asm/gic.h> > > #include <asm/guest_atomics.h> > > #include <asm/irq.h> > > @@ -756,6 +757,9 @@ int arch_domain_create(struct domain *d, > > if ( (rc = tee_domain_init(d, config->arch.tee_type)) != 0 ) > > goto fail; > > > > + if ( (rc = ffa_domain_init(d, config->arch.ffa_enabled)) != 0 ) > > + goto fail; > > + > > update_domain_wallclock_time(d); > > > > /* > > @@ -998,6 +1002,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) > > enum { > > PROG_pci = 1, > > PROG_tee, > > + PROG_ffa, > > PROG_xen, > > PROG_page, > > PROG_mapping, > > @@ -1043,6 +1048,11 @@ int domain_relinquish_resources(struct domain *d) > > > > PROGRESS(tee): > > ret = tee_relinquish_resources(d); > > + if ( ret ) > > + return ret; > > + > > + PROGRESS(ffa): > > + ret = ffa_relinquish_resources(d); > > if (ret ) > > return ret; > > > > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c > > index 7ddd16c26da5..d708f76356f7 100644 > > --- a/xen/arch/arm/domain_build.c > > +++ b/xen/arch/arm/domain_build.c > > @@ -3450,6 +3450,7 @@ void __init create_dom0(void) > > if ( gic_number_lines() > 992 ) > > printk(XENLOG_WARNING "Maximum number of vGIC IRQs exceeded.\n"); > > dom0_cfg.arch.tee_type = tee_get_type(); > > + dom0_cfg.arch.ffa_enabled = true; > > dom0_cfg.max_vcpus = dom0_max_vcpus(); > > > > if ( iommu_enabled ) > > diff --git a/xen/arch/arm/ffa.c b/xen/arch/arm/ffa.c > > new file mode 100644 > > index 000000000000..3117ce5cec4d > > --- /dev/null > > +++ b/xen/arch/arm/ffa.c > > @@ -0,0 +1,1683 @@ > > +/* > > + * xen/arch/arm/ffa.c > > + * > > + * Arm Firmware Framework for ARMv8-A (FF-A) mediator > > + * > > + * Copyright (C) 2022 Linaro Limited > > + * > > + * Permission is hereby granted, free of charge, to any person > > + * obtaining a copy of this software and associated documentation > > + * files (the "Software"), to deal in the Software without restriction, > > + * including without limitation the rights to use, copy, modify, merge, > > + * publish, distribute, sublicense, and/or sell copies of the Software, > > + * and to permit persons to whom the Software is furnished to do so, > > + * subject to the following conditions: > > + * > > + * The above copyright notice and this permission notice shall be > > + * included in all copies or substantial portions of the Software. > > + * > > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > > + */ > > + > > +#include <xen/domain_page.h> > > +#include <xen/errno.h> > > +#include <xen/init.h> > > +#include <xen/lib.h> > > +#include <xen/sched.h> > > +#include <xen/types.h> > > +#include <xen/sizes.h> > > +#include <xen/bitops.h> > > + > > +#include <asm/smccc.h> > > +#include <asm/event.h> > > +#include <asm/ffa.h> > > +#include <asm/regs.h> > > + > > +/* Error codes */ > > +#define FFA_RET_OK 0 > > +#define FFA_RET_NOT_SUPPORTED -1 > > +#define FFA_RET_INVALID_PARAMETERS -2 > > +#define FFA_RET_NO_MEMORY -3 > > +#define FFA_RET_BUSY -4 > > +#define FFA_RET_INTERRUPTED -5 > > +#define FFA_RET_DENIED -6 > > +#define FFA_RET_RETRY -7 > > +#define FFA_RET_ABORTED -8 > > + > > +/* FFA_VERSION helpers */ > > +#define FFA_VERSION_MAJOR _AC(1,U) > > +#define FFA_VERSION_MAJOR_SHIFT _AC(16,U) > > +#define FFA_VERSION_MAJOR_MASK _AC(0x7FFF,U) > > +#define FFA_VERSION_MINOR _AC(1,U) > > +#define FFA_VERSION_MINOR_SHIFT _AC(0,U) > > +#define FFA_VERSION_MINOR_MASK _AC(0xFFFF,U) > > +#define MAKE_FFA_VERSION(major, minor) \ > > + ((((major) & FFA_VERSION_MAJOR_MASK) << FFA_VERSION_MAJOR_SHIFT) | \ > > + ((minor) & FFA_VERSION_MINOR_MASK)) > > + > > +#define FFA_MIN_VERSION MAKE_FFA_VERSION(1, 0) > > +#define FFA_VERSION_1_0 MAKE_FFA_VERSION(1, 0) > > +#define FFA_VERSION_1_1 MAKE_FFA_VERSION(1, 1) > > +#define FFA_MY_VERSION MAKE_FFA_VERSION(FFA_VERSION_MAJOR, \ > > + FFA_VERSION_MINOR) > > + > > + > > +#define FFA_HANDLE_HYP_FLAG BIT(63,ULL) > > + > > +/* Memory attributes: Normal memory, Write-Back cacheable, Inner shareable */ > > +#define FFA_NORMAL_MEM_REG_ATTR _AC(0x2f,U) > > + > > +/* Memory access permissions: Read-write */ > > +#define FFA_MEM_ACC_RW _AC(0x2,U) > > + > > +/* Clear memory before mapping in receiver */ > > +#define FFA_MEMORY_REGION_FLAG_CLEAR BIT(0, U) > > +/* Relayer may time slice this operation */ > > +#define FFA_MEMORY_REGION_FLAG_TIME_SLICE BIT(1, U) > > +/* Clear memory after receiver relinquishes it */ > > +#define FFA_MEMORY_REGION_FLAG_CLEAR_RELINQUISH BIT(2, U) > > + > > +/* Share memory transaction */ > > +#define FFA_MEMORY_REGION_TRANSACTION_TYPE_SHARE (_AC(1,U) << 3) > > + > > +#define FFA_HANDLE_INVALID _AC(0xffffffffffffffff,ULL) > > + > > +/* Framework direct request/response */ > > +#define FFA_MSG_FLAG_FRAMEWORK BIT(31, U) > > +#define FFA_MSG_TYPE_MASK _AC(0xFF,U); > > +#define FFA_MSG_PSCI _AC(0x0,U) > > +#define FFA_MSG_SEND_VM_CREATED _AC(0x4,U) > > +#define FFA_MSG_RESP_VM_CREATED _AC(0x5,U) > > +#define FFA_MSG_SEND_VM_DESTROYED _AC(0x6,U) > > +#define FFA_MSG_RESP_VM_DESTROYED _AC(0x7,U) > > + > > +/* > > + * Flags used for the FFA_PARTITION_INFO_GET return message: > > + * BIT(0): Supports receipt of direct requests > > + * BIT(1): Can send direct requests > > + * BIT(2): Can send and receive indirect messages > > + * BIT(3): Supports receipt of notifications > > + * BIT(4-5): Partition ID is a PE endpoint ID > > + */ > > +#define FFA_PART_PROP_DIRECT_REQ_RECV BIT(0,U) > > +#define FFA_PART_PROP_DIRECT_REQ_SEND BIT(1,U) > > +#define FFA_PART_PROP_INDIRECT_MSGS BIT(2,U) > > +#define FFA_PART_PROP_RECV_NOTIF BIT(3,U) > > +#define FFA_PART_PROP_IS_PE_ID (_AC(0,U) << 4) > > +#define FFA_PART_PROP_IS_SEPID_INDEP (_AC(1,U) << 4) > > +#define FFA_PART_PROP_IS_SEPID_DEP (_AC(2,U) << 4) > > +#define FFA_PART_PROP_IS_AUX_ID (_AC(3,U) << 4) > > +#define FFA_PART_PROP_NOTIF_CREATED BIT(6,U) > > +#define FFA_PART_PROP_NOTIF_DESTROYED BIT(7,U) > > +#define FFA_PART_PROP_AARCH64_STATE BIT(8,U) > > + > > +/* Function IDs */ > > +#define FFA_ERROR _AC(0x84000060,U) > > +#define FFA_SUCCESS_32 _AC(0x84000061,U) > > +#define FFA_SUCCESS_64 _AC(0xC4000061,U) > > +#define FFA_INTERRUPT _AC(0x84000062,U) > > +#define FFA_VERSION _AC(0x84000063,U) > > +#define FFA_FEATURES _AC(0x84000064,U) > > +#define FFA_RX_ACQUIRE _AC(0x84000084,U) > > +#define FFA_RX_RELEASE _AC(0x84000065,U) > > +#define FFA_RXTX_MAP_32 _AC(0x84000066,U) > > +#define FFA_RXTX_MAP_64 _AC(0xC4000066,U) > > +#define FFA_RXTX_UNMAP _AC(0x84000067,U) > > +#define FFA_PARTITION_INFO_GET _AC(0x84000068,U) > > +#define FFA_ID_GET _AC(0x84000069,U) > > +#define FFA_SPM_ID_GET _AC(0x84000085,U) > > +#define FFA_MSG_WAIT _AC(0x8400006B,U) > > +#define FFA_MSG_YIELD _AC(0x8400006C,U) > > +#define FFA_MSG_RUN _AC(0x8400006D,U) > > +#define FFA_MSG_SEND2 _AC(0x84000086,U) > > +#define FFA_MSG_SEND_DIRECT_REQ_32 _AC(0x8400006F,U) > > +#define FFA_MSG_SEND_DIRECT_REQ_64 _AC(0xC400006F,U) > > +#define FFA_MSG_SEND_DIRECT_RESP_32 _AC(0x84000070,U) > > +#define FFA_MSG_SEND_DIRECT_RESP_64 _AC(0xC4000070,U) > > +#define FFA_MEM_DONATE_32 _AC(0x84000071,U) > > +#define FFA_MEM_DONATE_64 _AC(0xC4000071,U) > > +#define FFA_MEM_LEND_32 _AC(0x84000072,U) > > +#define FFA_MEM_LEND_64 _AC(0xC4000072,U) > > +#define FFA_MEM_SHARE_32 _AC(0x84000073,U) > > +#define FFA_MEM_SHARE_64 _AC(0xC4000073,U) > > +#define FFA_MEM_RETRIEVE_REQ_32 _AC(0x84000074,U) > > +#define FFA_MEM_RETRIEVE_REQ_64 _AC(0xC4000074,U) > > +#define FFA_MEM_RETRIEVE_RESP _AC(0x84000075,U) > > +#define FFA_MEM_RELINQUISH _AC(0x84000076,U) > > +#define FFA_MEM_RECLAIM _AC(0x84000077,U) > > +#define FFA_MEM_FRAG_RX _AC(0x8400007A,U) > > +#define FFA_MEM_FRAG_TX _AC(0x8400007B,U) > > +#define FFA_MSG_SEND _AC(0x8400006E,U) > > +#define FFA_MSG_POLL _AC(0x8400006A,U) > > + > > +/* Partition information descriptor */ > > +struct ffa_partition_info_1_0 { > > + uint16_t id; > > + uint16_t execution_context; > > + uint32_t partition_properties; > > +}; > > + > > +struct ffa_partition_info_1_1 { > > + uint16_t id; > > + uint16_t execution_context; > > + uint32_t partition_properties; > > + uint8_t uuid[16]; > > +}; > > + > > +/* Constituent memory region descriptor */ > > +struct ffa_address_range { > > + uint64_t address; > > + uint32_t page_count; > > + uint32_t reserved; > > +}; > > + > > +/* Composite memory region descriptor */ > > +struct ffa_mem_region { > > + uint32_t total_page_count; > > + uint32_t address_range_count; > > + uint64_t reserved; > > + struct ffa_address_range address_range_array[]; > > +}; > > + > > +/* Memory access permissions descriptor */ > > +struct ffa_mem_access_perm { > > + uint16_t endpoint_id; > > + uint8_t perm; > > + uint8_t flags; > > +}; > > + > > +/* Endpoint memory access descriptor */ > > +struct ffa_mem_access { > > + struct ffa_mem_access_perm access_perm; > > + uint32_t region_offs; > > + uint64_t reserved; > > +}; > > + > > +/* Lend, donate or share memory transaction descriptor */ > > +struct ffa_mem_transaction_1_0 { > > + uint16_t sender_id; > > + uint8_t mem_reg_attr; > > + uint8_t reserved0; > > + uint32_t flags; > > + uint64_t global_handle; > > + uint64_t tag; > > + uint32_t reserved1; > > + uint32_t mem_access_count; > > + struct ffa_mem_access mem_access_array[]; > > +}; > > + > > +struct ffa_mem_transaction_1_1 { > > + uint16_t sender_id; > > + uint16_t mem_reg_attr; > > + uint32_t flags; > > + uint64_t global_handle; > > + uint64_t tag; > > + uint32_t mem_access_size; > > + uint32_t mem_access_count; > > + uint32_t mem_access_offs; > > + uint8_t reserved[12]; > > +}; > > + > > +/* > > + * The parts needed from struct ffa_mem_transaction_1_0 or struct > > + * ffa_mem_transaction_1_1, used to provide an abstraction of difference in > > + * data structures between version 1.0 and 1.1. This is just an internal > > + * interface and can be changed without changing any ABI. > > + */ > > +struct ffa_mem_transaction_x { > > + uint16_t sender_id; > > + uint8_t mem_reg_attr; > > + uint8_t flags; > > + uint8_t mem_access_size; > > + uint8_t mem_access_count; > > + uint16_t mem_access_offs; > > + uint64_t global_handle; > > + uint64_t tag; > > +}; > > + > > +/* Endpoint RX/TX descriptor */ > > +struct ffa_endpoint_rxtx_descriptor_1_0 { > > + uint16_t sender_id; > > + uint16_t reserved; > > + uint32_t rx_range_count; > > + uint32_t tx_range_count; > > +}; > > + > > +struct ffa_endpoint_rxtx_descriptor_1_1 { > > + uint16_t sender_id; > > + uint16_t reserved; > > + uint32_t rx_region_offs; > > + uint32_t tx_region_offs; > > +}; > > + > > +struct ffa_ctx { > > + void *rx; > > + void *tx; > > + struct page_info *rx_pg; > > + struct page_info *tx_pg; > > + unsigned int page_count; > > + uint32_t guest_vers; > > + bool tx_is_mine; > > + bool interrupted; > > + struct list_head frag_list; > > + spinlock_t lock; > > +}; > > + > > +struct ffa_shm_mem { > > + struct list_head list; > > + uint16_t sender_id; > > + uint16_t ep_id; /* endpoint, the one lending */ > > + uint64_t handle; /* FFA_HANDLE_INVALID if not set yet */ > > + unsigned int page_count; > > + struct page_info *pages[]; > > +}; > > + > > +struct mem_frag_state { > > + struct list_head list; > > + struct ffa_shm_mem *shm; > > + uint32_t range_count; > > + unsigned int current_page_idx; > > + unsigned int frag_offset; > > + unsigned int range_offset; > > + uint8_t *buf; > > + unsigned int buf_size; > > + struct ffa_address_range range; > > +}; > > + > > +/* > > + * Our rx/rx buffer shared with the SPMC > > + */ > > +static uint32_t ffa_version; > > +static uint16_t *subsr_vm_created; > > +static unsigned int subsr_vm_created_count; > > +static uint16_t *subsr_vm_destroyed; > > +static unsigned int subsr_vm_destroyed_count; > > +static void *ffa_rx; > > +static void *ffa_tx; > > +static unsigned int ffa_page_count; > > +static DEFINE_SPINLOCK(ffa_buffer_lock); > > + > > +static LIST_HEAD(ffa_mem_list); > > +static DEFINE_SPINLOCK(ffa_mem_list_lock); > > + > > +static uint64_t next_handle = FFA_HANDLE_HYP_FLAG; > > + > > +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) > > +{ > > + return (uint64_t)reg0 << 32 | reg1; > > +} > > + > > +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, > > + uint64_t val) > > +{ > > + *reg0 = val >> 32; > > + *reg1 = val; > > +} > > + > > +static bool ffa_get_version(uint32_t *vers) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_VERSION, .a1 = FFA_MY_VERSION, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + if ( resp.a0 == FFA_RET_NOT_SUPPORTED ) > > + { > > + printk(XENLOG_ERR "ffa: FFA_VERSION returned not supported\n"); > > + return false; > > + } > > + > > + *vers = resp.a0; > > + return true; > > +} > > + > > +static uint32_t get_ffa_ret_code(const struct arm_smccc_1_2_regs *resp) > > +{ > > + switch ( resp->a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp->a2 ) > > + return resp->a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + case FFA_SUCCESS_64: > > + return FFA_RET_OK; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static uint32_t ffa_features(uint32_t id) > > +{ > > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_FEATURES, .a1 = id, }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static bool check_mandatory_feature(uint32_t id) > > +{ > > + uint32_t ret = ffa_features(id); > > + > > + if (ret) > > + printk(XENLOG_ERR "ffa: mandatory feature id %#x missing\n", id); > > + return !ret; > > +} > > + > > +static uint32_t ffa_rxtx_map(register_t tx_addr, register_t rx_addr, > > + uint32_t page_count) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > +#ifdef CONFIG_ARM_64 > > + .a0 = FFA_RXTX_MAP_64, > > +#endif > > +#ifdef CONFIG_ARM_32 > > + .a0 = FFA_RXTX_MAP_32, > > +#endif > > + .a1 = tx_addr, .a2 = rx_addr, > > + .a3 = page_count, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static uint32_t ffa_rxtx_unmap(uint16_t vm_id) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_RXTX_UNMAP, .a1 = vm_id, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static uint32_t ffa_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > > + uint32_t w4, uint32_t w5, > > + uint32_t *count) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_PARTITION_INFO_GET, .a1 = w1, .a2 = w2, .a3 = w3, .a4 = w4, > > + .a5 = w5, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + uint32_t ret; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + ret = get_ffa_ret_code(&resp); > > + if ( !ret ) > > + *count = resp.a2; > > + > > + return ret; > > +} > > + > > +static uint32_t ffa_rx_release(void) > > +{ > > + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_RX_RELEASE, }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, > > + register_t addr, uint32_t pg_count, > > + uint64_t *handle) > > +{ > > + struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_SHARE_32, .a1 = tot_len, .a2 = frag_len, .a3 = addr, > > + .a4 = pg_count, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + /* > > + * For arm64 we must use 64-bit calling convention if the buffer isn't > > + * passed in our tx buffer. > > + */ > > + if (sizeof(addr) > 4 && addr) > > + arg.a0 = FFA_MEM_SHARE_64; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp.a2 ) > > + return resp.a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + *handle = reg_pair_to_64(resp.a3, resp.a2); > > + return FFA_RET_OK; > > + case FFA_MEM_FRAG_RX: > > + *handle = reg_pair_to_64(resp.a2, resp.a1); > > + return resp.a3; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static int32_t ffa_mem_frag_tx(uint64_t handle, uint32_t frag_len, > > + uint16_t sender_id) > > +{ > > + struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_FRAG_TX, .a1 = handle & UINT32_MAX, .a2 = handle >> 32, > > + .a3 = frag_len, .a4 = (uint32_t)sender_id << 16, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_ERROR: > > + if ( resp.a2 ) > > + return resp.a2; > > + else > > + return FFA_RET_NOT_SUPPORTED; > > + case FFA_SUCCESS_32: > > + return FFA_RET_OK; > > + case FFA_MEM_FRAG_RX: > > + return resp.a3; > > + default: > > + return FFA_RET_NOT_SUPPORTED; > > + } > > +} > > + > > +static uint32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, > > + uint32_t flags) > > +{ > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MEM_RECLAIM, .a1 = handle_lo, .a2 = handle_hi, .a3 = flags, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + return get_ffa_ret_code(&resp); > > +} > > + > > +static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, > > + uint8_t msg) > > +{ > > + uint32_t exp_resp = FFA_MSG_FLAG_FRAMEWORK; > > + int32_t res; > > + > > + if ( msg != FFA_MSG_SEND_VM_CREATED && msg !=FFA_MSG_SEND_VM_DESTROYED ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + if ( msg == FFA_MSG_SEND_VM_CREATED ) > > + exp_resp |= FFA_MSG_RESP_VM_CREATED; > > + else > > + exp_resp |= FFA_MSG_RESP_VM_DESTROYED; > > + > > + do { > > + const struct arm_smccc_1_2_regs arg = { > > + .a0 = FFA_MSG_SEND_DIRECT_REQ_32, > > + .a1 = sp_id, > > + .a2 = FFA_MSG_FLAG_FRAMEWORK | msg, > > + .a5 = vm_id, > > + }; > > + struct arm_smccc_1_2_regs resp; > > + > > + arm_smccc_1_2_smc(&arg, &resp); > > + if ( resp.a0 != FFA_MSG_SEND_DIRECT_RESP_32 || resp.a2 != exp_resp ) > > + { > > + /* > > + * This is an invalid response, likely due to some error in the > > + * implementation of the ABI. > > + */ > > + return FFA_RET_INVALID_PARAMETERS; > > + } > > + res = resp.a3; > > + } while ( res == FFA_RET_INTERRUPTED || res == FFA_RET_RETRY ); > > + > > + return res; > > +} > > + > > +static u16 get_vm_id(struct domain *d) > > +{ > > + /* +1 since 0 is reserved for the hypervisor in FF-A */ > > + return d->domain_id + 1; > > +} > > + > > +static void set_regs(struct cpu_user_regs *regs, register_t v0, register_t v1, > > + register_t v2, register_t v3, register_t v4, register_t v5, > > + register_t v6, register_t v7) > > +{ > > + set_user_reg(regs, 0, v0); > > + set_user_reg(regs, 1, v1); > > + set_user_reg(regs, 2, v2); > > + set_user_reg(regs, 3, v3); > > + set_user_reg(regs, 4, v4); > > + set_user_reg(regs, 5, v5); > > + set_user_reg(regs, 6, v6); > > + set_user_reg(regs, 7, v7); > > +} > > + > > +static void set_regs_error(struct cpu_user_regs *regs, uint32_t error_code) > > +{ > > + set_regs(regs, FFA_ERROR, 0, error_code, 0, 0, 0, 0, 0); > > +} > > + > > +static void set_regs_success(struct cpu_user_regs *regs, uint32_t w2, > > + uint32_t w3) > > +{ > > + set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, 0, 0, 0, 0); > > +} > > + > > +static void set_regs_frag_rx(struct cpu_user_regs *regs, uint32_t handle_lo, > > + uint32_t handle_hi, uint32_t frag_offset, > > + uint16_t sender_id) > > +{ > > + set_regs(regs, FFA_MEM_FRAG_RX, handle_lo, handle_hi, frag_offset, > > + (uint32_t)sender_id << 16, 0, 0, 0); > > +} > > + > > +static void handle_version(struct cpu_user_regs *regs) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t vers = get_user_reg(regs, 1); > > + > > + if ( vers < FFA_VERSION_1_1 ) > > + vers = FFA_VERSION_1_0; > > + else > > + vers = FFA_VERSION_1_1; > > + > > + ctx->guest_vers = vers; > > + set_regs(regs, vers, 0, 0, 0, 0, 0, 0, 0); > > +} > > + > > +static uint32_t handle_rxtx_map(uint32_t fid, register_t tx_addr, > > + register_t rx_addr, uint32_t page_count) > > +{ > > + uint32_t ret = FFA_RET_INVALID_PARAMETERS; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + struct page_info *tx_pg; > > + struct page_info *rx_pg; > > + p2m_type_t t; > > + void *rx; > > + void *tx; > > + > > + if ( !smccc_is_conv_64(fid) ) > > + { > > + tx_addr &= UINT32_MAX; > > + rx_addr &= UINT32_MAX; > > + } > > + > > + /* For now to keep things simple, only deal with a single page */ > > + if ( page_count != 1 ) > > + return FFA_RET_NOT_SUPPORTED; > > + > > + /* Already mapped */ > > + if ( ctx->rx ) > > + return FFA_RET_DENIED; > > + > > + tx_pg = get_page_from_gfn(d, gaddr_to_gfn(tx_addr), &t, P2M_ALLOC); > > + if ( !tx_pg ) > > + return FFA_RET_INVALID_PARAMETERS; > > + /* Only normal RAM for now */ > > + if (t != p2m_ram_rw) > > + goto err_put_tx_pg; > > + > > + rx_pg = get_page_from_gfn(d, gaddr_to_gfn(rx_addr), &t, P2M_ALLOC); > > + if ( !tx_pg ) > > + goto err_put_tx_pg; > > + /* Only normal RAM for now */ > > + if ( t != p2m_ram_rw ) > > + goto err_put_rx_pg; > > + > > + tx = __map_domain_page_global(tx_pg); > > + if ( !tx ) > > + goto err_put_rx_pg; > > + > > + rx = __map_domain_page_global(rx_pg); > > + if ( !rx ) > > + goto err_unmap_tx; > > + > > + ctx->rx = rx; > > + ctx->tx = tx; > > + ctx->rx_pg = rx_pg; > > + ctx->tx_pg = tx_pg; > > + ctx->page_count = 1; > > + ctx->tx_is_mine = true; > > + return FFA_RET_OK; > > + > > +err_unmap_tx: > > + unmap_domain_page_global(tx); > > +err_put_rx_pg: > > + put_page(rx_pg); > > +err_put_tx_pg: > > + put_page(tx_pg); > > + return ret; > > +} > > + > > +static uint32_t handle_rxtx_unmap(void) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t ret; > > + > > + if ( !ctx->rx ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + ret = ffa_rxtx_unmap(get_vm_id(d)); > > + if ( ret ) > > + return ret; > > + > > + unmap_domain_page_global(ctx->rx); > > + unmap_domain_page_global(ctx->tx); > > + put_page(ctx->rx_pg); > > + put_page(ctx->tx_pg); > > + ctx->rx = NULL; > > + ctx->tx = NULL; > > + ctx->rx_pg = NULL; > > + ctx->tx_pg = NULL; > > + ctx->page_count = 0; > > + ctx->tx_is_mine = false; > > + > > + return FFA_RET_OK; > > +} > > + > > +static uint32_t handle_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, > > + uint32_t w4, uint32_t w5, > > + uint32_t *count) > > +{ > > + uint32_t ret = FFA_RET_DENIED; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + > > + if ( !ffa_page_count ) > > + return FFA_RET_DENIED; > > + > > + spin_lock(&ctx->lock); > > + if ( !ctx->page_count || !ctx->tx_is_mine ) > > + goto out; > > + ret = ffa_partition_info_get(w1, w2, w3, w4, w5, count); > > + if ( ret ) > > + goto out; > > + if ( ctx->guest_vers == FFA_VERSION_1_0 ) > > + { > > + size_t n; > > + struct ffa_partition_info_1_1 *src = ffa_rx; > > + struct ffa_partition_info_1_0 *dst = ctx->rx; > > + > > + for ( n = 0; n < *count; n++ ) > > + { > > + dst[n].id = src[n].id; > > + dst[n].execution_context = src[n].execution_context; > > + dst[n].partition_properties = src[n].partition_properties; > > + } > > + } > > + else > > + { > > + size_t sz = *count * sizeof(struct ffa_partition_info_1_1); > > + > > + memcpy(ctx->rx, ffa_rx, sz); > > + } > > + ffa_rx_release(); > > + ctx->tx_is_mine = false; > > +out: > > + spin_unlock(&ctx->lock); > > + > > + return ret; > > +} > > + > > +static uint32_t handle_rx_release(void) > > +{ > > + uint32_t ret = FFA_RET_DENIED; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + > > + spin_lock(&ctx->lock); > > + if ( !ctx->page_count || ctx->tx_is_mine ) > > + goto out; > > + ret = FFA_RET_OK; > > + ctx->tx_is_mine = true; > > +out: > > + spin_unlock(&ctx->lock); > > + > > + return ret; > > +} > > + > > +static void handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid) > > +{ > > + struct arm_smccc_1_2_regs arg = { .a0 = fid, }; > > + struct arm_smccc_1_2_regs resp = { }; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t src_dst; > > + uint64_t mask; > > + > > + if ( smccc_is_conv_64(fid) ) > > + mask = 0xffffffffffffffff; > > + else > > + mask = 0xffffffff; > > + > > + src_dst = get_user_reg(regs, 1); > > + if ( (src_dst >> 16) != get_vm_id(d) ) > > + { > > + resp.a0 = FFA_ERROR; > > + resp.a2 = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + arg.a1 = src_dst; > > + arg.a2 = get_user_reg(regs, 2) & mask; > > + arg.a3 = get_user_reg(regs, 3) & mask; > > + arg.a4 = get_user_reg(regs, 4) & mask; > > + arg.a5 = get_user_reg(regs, 5) & mask; > > + arg.a6 = get_user_reg(regs, 6) & mask; > > + arg.a7 = get_user_reg(regs, 7) & mask; > > + > > + while ( true ) > > + { > > + arm_smccc_1_2_smc(&arg, &resp); > > + > > + switch ( resp.a0 ) > > + { > > + case FFA_INTERRUPT: > > + ctx->interrupted = true; > > + goto out; > > + case FFA_ERROR: > > + case FFA_SUCCESS_32: > > + case FFA_SUCCESS_64: > > + case FFA_MSG_SEND_DIRECT_RESP_32: > > + case FFA_MSG_SEND_DIRECT_RESP_64: > > + goto out; > > + default: > > + /* Bad fid, report back. */ > > + memset(&arg, 0, sizeof(arg)); > > + arg.a0 = FFA_ERROR; > > + arg.a1 = src_dst; > > + arg.a2 = FFA_RET_NOT_SUPPORTED; > > + continue; > > + } > > + } > > + > > +out: > > + set_user_reg(regs, 0, resp.a0); > > + set_user_reg(regs, 1, resp.a1 & mask); > > + set_user_reg(regs, 2, resp.a2 & mask); > > + set_user_reg(regs, 3, resp.a3 & mask); > > + set_user_reg(regs, 4, resp.a4 & mask); > > + set_user_reg(regs, 5, resp.a5 & mask); > > + set_user_reg(regs, 6, resp.a6 & mask); > > + set_user_reg(regs, 7, resp.a7 & mask); > > +} > > + > > +static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, > > + struct ffa_address_range *range, uint32_t range_count, > > + unsigned int start_page_idx, > > + unsigned int *last_page_idx) > > +{ > > + unsigned int pg_idx = start_page_idx; > > + unsigned long gfn; > > + unsigned int n; > > + unsigned int m; > > + p2m_type_t t; > > + uint64_t addr; > > + > > + for ( n = 0; n < range_count; n++ ) > > + { > > + for ( m = 0; m < range[n].page_count; m++ ) > > + { > > + if ( pg_idx >= shm->page_count ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + addr = read_atomic(&range[n].address); > > + gfn = gaddr_to_gfn(addr + m * PAGE_SIZE); > > + shm->pages[pg_idx] = get_page_from_gfn(d, gfn, &t, P2M_ALLOC); > > + if ( !shm->pages[pg_idx] ) > > + return FFA_RET_DENIED; > > + pg_idx++; > > + /* Only normal RAM for now */ > > + if ( t != p2m_ram_rw ) > > + return FFA_RET_DENIED; > > + } > > + } > > + > > + *last_page_idx = pg_idx; > > + > > + return FFA_RET_OK; > > +} > > + > > +static void put_shm_pages(struct ffa_shm_mem *shm) > > +{ > > + unsigned int n; > > + > > + for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) > > + { > > + put_page(shm->pages[n]); > > + shm->pages[n] = NULL; > > + } > > +} > > + > > +static void init_range(struct ffa_address_range *addr_range, > > + paddr_t pa) > > +{ > > + memset(addr_range, 0, sizeof(*addr_range)); > > + addr_range->address = pa; > > + addr_range->page_count = 1; > > +} > > + > > +static int share_shm(struct ffa_shm_mem *shm) > > +{ > > + uint32_t max_frag_len = ffa_page_count * PAGE_SIZE; > > + struct ffa_mem_transaction_1_1 *descr = ffa_tx; > > + struct ffa_mem_access *mem_access_array; > > + struct ffa_mem_region *region_descr; > > + struct ffa_address_range *addr_range; > > + paddr_t pa; > > + paddr_t last_pa; > > + unsigned int n; > > + uint32_t frag_len; > > + uint32_t tot_len; > > + int ret; > > + unsigned int range_count; > > + unsigned int range_base; > > + bool first; > > + > > + memset(descr, 0, sizeof(*descr)); > > + descr->sender_id = shm->sender_id; > > + descr->global_handle = shm->handle; > > + descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; > > + descr->mem_access_count = 1; > > + descr->mem_access_size = sizeof(*mem_access_array); > > + descr->mem_access_offs = sizeof(*descr); > > + mem_access_array = (void *)(descr + 1); > > + region_descr = (void *)(mem_access_array + 1); > > + > > + memset(mem_access_array, 0, sizeof(*mem_access_array)); > > + mem_access_array[0].access_perm.endpoint_id = shm->ep_id; > > + mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; > > + mem_access_array[0].region_offs = (vaddr_t)region_descr - (vaddr_t)ffa_tx; > > + > > + memset(region_descr, 0, sizeof(*region_descr)); > > + region_descr->total_page_count = shm->page_count; > > + > > + region_descr->address_range_count = 1; > > + last_pa = page_to_maddr(shm->pages[0]); > > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > > + { > > + pa = page_to_maddr(shm->pages[n]); > > + if ( last_pa + PAGE_SIZE == pa ) > > + { > > + continue; > > + } > > + region_descr->address_range_count++; > > + } > > + > > + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + > > + sizeof(*region_descr) + > > + region_descr->address_range_count * sizeof(*addr_range); > > + > > + addr_range = region_descr->address_range_array; > > + frag_len = (vaddr_t)(addr_range + 1) - (vaddr_t)ffa_tx; > > + last_pa = page_to_maddr(shm->pages[0]); > > + init_range(addr_range, last_pa); > > + first = true; > > + range_count = 1; > > + range_base = 0; > > + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > > + { > > + pa = page_to_maddr(shm->pages[n]); > > + if ( last_pa + PAGE_SIZE == pa ) > > + { > > + addr_range->page_count++; > > + continue; > > + } > > + > > + if ( frag_len == max_frag_len ) > > + { > > + if ( first ) > > + { > > + ret = ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > > + first = false; > > + } > > + else > > + { > > + ret = ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > > + } > > + if ( ret <= 0) > > + return ret; > > + range_base = range_count; > > + range_count = 0; > > + frag_len = sizeof(*addr_range); > > + addr_range = ffa_tx; > > + } > > + else > > + { > > + frag_len += sizeof(*addr_range); > > + addr_range++; > > + } > > + init_range(addr_range, pa); > > + range_count++; > > + } > > + > > + if ( first ) > > + return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); > > + else > > + return ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); > > +} > > + > > +static int read_mem_transaction(uint32_t ffa_vers, void *buf, size_t blen, > > + struct ffa_mem_transaction_x *trans) > > +{ > > + uint16_t mem_reg_attr; > > + uint32_t flags; > > + uint32_t count; > > + uint32_t offs; > > + uint32_t size; > > + > > + if ( ffa_vers >= FFA_VERSION_1_1 ) > > + { > > + struct ffa_mem_transaction_1_1 *descr; > > + > > + if ( blen < sizeof(*descr) ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + descr = buf; > > + trans->sender_id = read_atomic(&descr->sender_id); > > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > > + flags = read_atomic(&descr->flags); > > + trans->global_handle = read_atomic(&descr->global_handle); > > + trans->tag = read_atomic(&descr->tag); > > + > > + count = read_atomic(&descr->mem_access_count); > > + size = read_atomic(&descr->mem_access_size); > > + offs = read_atomic(&descr->mem_access_offs); > > + } > > + else > > + { > > + struct ffa_mem_transaction_1_0 *descr; > > + > > + if ( blen < sizeof(*descr) ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + descr = buf; > > + trans->sender_id = read_atomic(&descr->sender_id); > > + mem_reg_attr = read_atomic(&descr->mem_reg_attr); > > + flags = read_atomic(&descr->flags); > > + trans->global_handle = read_atomic(&descr->global_handle); > > + trans->tag = read_atomic(&descr->tag); > > + > > + count = read_atomic(&descr->mem_access_count); > > + size = sizeof(struct ffa_mem_access); > > + offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); > > + } > > + > > + if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || > > + count > UINT8_MAX || offs > UINT16_MAX ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + /* Check that the endpoint memory access descriptor array fits */ > > + if ( size * count + offs > blen ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + trans->mem_reg_attr = mem_reg_attr; > > + trans->flags = flags; > > + trans->mem_access_size = size; > > + trans->mem_access_count = count; > > + trans->mem_access_offs = offs; > > + return 0; > > +} > > + > > +static int add_mem_share_frag(struct mem_frag_state *s, unsigned int offs, > > + unsigned int frag_len) > > +{ > > + struct domain *d = current->domain; > > + unsigned int o = offs; > > + unsigned int l; > > + int ret; > > + > > + if ( frag_len < o ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + /* Fill up the first struct ffa_address_range */ > > + l = min_t(unsigned int, frag_len - o, sizeof(s->range) - s->range_offset); > > + memcpy((uint8_t *)&s->range + s->range_offset, s->buf + o, l); > > + s->range_offset += l; > > + o += l; > > + if ( s->range_offset != sizeof(s->range) ) > > + goto out; > > + s->range_offset = 0; > > + > > + while ( true ) > > + { > > + ret = get_shm_pages(d, s->shm, &s->range, 1, s->current_page_idx, > > + &s->current_page_idx); > > + if ( ret ) > > + return ret; > > + if ( s->range_count == 1 ) > > + return 0; > > + s->range_count--; > > + if ( frag_len - o < sizeof(s->range) ) > > + break; > > + memcpy(&s->range, s->buf + o, sizeof(s->range)); > > + o += sizeof(s->range); > > + } > > + > > + /* Collect any remaining bytes for the next struct ffa_address_range */ > > + s->range_offset = frag_len - o; > > + memcpy(&s->range, s->buf + o, frag_len - o); > > +out: > > + s->frag_offset += frag_len; > > + return s->frag_offset; > > +} > > + > > +static void handle_mem_share(struct cpu_user_regs *regs) > > +{ > > + uint32_t tot_len = get_user_reg(regs, 1); > > + uint32_t frag_len = get_user_reg(regs, 2); > > + uint64_t addr = get_user_reg(regs, 3); > > + uint32_t page_count = get_user_reg(regs, 4); > > + struct ffa_mem_transaction_x trans; > > + struct ffa_mem_access *mem_access; > > + struct ffa_mem_region *region_descr; > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + struct ffa_shm_mem *shm = NULL; > > + unsigned int last_page_idx = 0; > > + uint32_t range_count; > > + uint32_t region_offs; > > + int ret = FFA_RET_DENIED; > > + uint32_t handle_hi = 0; > > + uint32_t handle_lo = 0; > > + > > + /* > > + * We're only accepting memory transaction descriptors via the rx/tx > > + * buffer. > > + */ > > + if ( addr ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + /* Check that fragment legnth doesn't exceed total length */ > > + if ( frag_len > tot_len ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out_unlock; > > + } > > + > > + spin_lock(&ctx->lock); > > + > > + if ( frag_len > ctx->page_count * PAGE_SIZE ) > > + goto out_unlock; > > + > > + if ( !ffa_page_count ) > > + { > > + ret = FFA_RET_NO_MEMORY; > > + goto out_unlock; > > + } > > + > > + ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); > > + if ( ret ) > > + goto out_unlock; > > + > > + if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out; > > + } > > + > > + /* Only supports sharing it with one SP for now */ > > + if ( trans.mem_access_count != 1 ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + if ( trans.sender_id != get_vm_id(d) ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out_unlock; > > + } > > + > > + /* Check that it fits in the supplied data */ > > + if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) > > + goto out_unlock; > > + > > + mem_access = (void *)((vaddr_t)ctx->tx + trans.mem_access_offs); > > + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + region_offs = read_atomic(&mem_access->region_offs); > > + if ( sizeof(*region_descr) + region_offs > frag_len ) > > + { > > + ret = FFA_RET_NOT_SUPPORTED; > > + goto out_unlock; > > + } > > + > > + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); > > + range_count = read_atomic(®ion_descr->address_range_count); > > + page_count = read_atomic(®ion_descr->total_page_count); > > + > > + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count); > > + if ( !shm ) > > + { > > + ret = FFA_RET_NO_MEMORY; > > + goto out; > > + } > > + shm->sender_id = trans.sender_id; > > + shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); > > + shm->page_count = page_count; > > + > > + if ( frag_len != tot_len ) > > + { > > + struct mem_frag_state *s = xzalloc(struct mem_frag_state); > > + > > + if ( !s ) > > + { > > + ret = FFA_RET_NO_MEMORY; > > + goto out; > > + } > > + s->shm = shm; > > + s->range_count = range_count; > > + s->buf = ctx->tx; > > + s->buf_size = ffa_page_count * PAGE_SIZE; > > + ret = add_mem_share_frag(s, sizeof(*region_descr) + region_offs, > > + frag_len); > > + if ( ret <= 0 ) > > + { > > + xfree(s); > > + if ( ret < 0 ) > > + goto out; > > + } > > + else > > + { > > + shm->handle = next_handle++; > > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > > + list_add_tail(&s->list, &ctx->frag_list); > > + } > > + goto out_unlock; > > + } > > + > > + /* > > + * Check that the Composite memory region descriptor fits. > > + */ > > + if ( sizeof(*region_descr) + region_offs + > > + range_count * sizeof(struct ffa_address_range) > frag_len ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, > > + 0, &last_page_idx); > > + if ( ret ) > > + goto out; > > + if ( last_page_idx != shm->page_count ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + /* Note that share_shm() uses our tx buffer */ > > + spin_lock(&ffa_buffer_lock); > > + ret = share_shm(shm); > > + spin_unlock(&ffa_buffer_lock); > > + if ( ret ) > > + goto out; > > + > > + spin_lock(&ffa_mem_list_lock); > > + list_add_tail(&shm->list, &ffa_mem_list); > > + spin_unlock(&ffa_mem_list_lock); > > + > > + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); > > + > > +out: > > + if ( ret && shm ) > > + { > > + put_shm_pages(shm); > > + xfree(shm); > > + } > > +out_unlock: > > + spin_unlock(&ctx->lock); > > + > > + if ( ret > 0 ) > > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, trans.sender_id); > > + else if ( ret == 0) > > + set_regs_success(regs, handle_lo, handle_hi); > > + else > > + set_regs_error(regs, ret); > > +} > > + > > +static struct mem_frag_state *find_frag_state(struct ffa_ctx *ctx, > > + uint64_t handle) > > +{ > > + struct mem_frag_state *s; > > + > > + list_for_each_entry(s, &ctx->frag_list, list) > > + if ( s->shm->handle == handle ) > > + return s; > > + > > + return NULL; > > +} > > + > > +static void handle_mem_frag_tx(struct cpu_user_regs *regs) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t frag_len = get_user_reg(regs, 3); > > + uint32_t handle_lo = get_user_reg(regs, 1); > > + uint32_t handle_hi = get_user_reg(regs, 2); > > + uint64_t handle = reg_pair_to_64(handle_hi, handle_lo); > > + struct mem_frag_state *s; > > + uint16_t sender_id = 0; > > + int ret; > > + > > + spin_lock(&ctx->lock); > > + s = find_frag_state(ctx, handle); > > + if ( !s ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + sender_id = s->shm->sender_id; > > + > > + if ( frag_len > s->buf_size ) > > + { > > + ret = FFA_RET_INVALID_PARAMETERS; > > + goto out; > > + } > > + > > + ret = add_mem_share_frag(s, 0, frag_len); > > + if ( ret == 0 ) > > + { > > + /* Note that share_shm() uses our tx buffer */ > > + spin_lock(&ffa_buffer_lock); > > + ret = share_shm(s->shm); > > + spin_unlock(&ffa_buffer_lock); > > + if ( ret == 0 ) > > + { > > + spin_lock(&ffa_mem_list_lock); > > + list_add_tail(&s->shm->list, &ffa_mem_list); > > + spin_unlock(&ffa_mem_list_lock); > > + } > > + else > > + { > > + put_shm_pages(s->shm); > > + xfree(s->shm); > > + } > > + list_del(&s->list); > > + xfree(s); > > + } > > + else if ( ret < 0 ) > > + { > > + put_shm_pages(s->shm); > > + xfree(s->shm); > > + list_del(&s->list); > > + xfree(s); > > + } > > +out: > > + spin_unlock(&ctx->lock); > > + > > + if ( ret > 0 ) > > + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, sender_id); > > + else if ( ret == 0) > > + set_regs_success(regs, handle_lo, handle_hi); > > + else > > + set_regs_error(regs, ret); > > +} > > + > > +static int handle_mem_reclaim(uint64_t handle, uint32_t flags) > > +{ > > + struct ffa_shm_mem *shm; > > + uint32_t handle_hi; > > + uint32_t handle_lo; > > + int ret; > > + > > + spin_lock(&ffa_mem_list_lock); > > + list_for_each_entry(shm, &ffa_mem_list, list) > > + { > > + if ( shm->handle == handle ) > > + goto found_it; > > + } > > + shm = NULL; > > +found_it: > > + spin_unlock(&ffa_mem_list_lock); > > + > > + if ( !shm ) > > + return FFA_RET_INVALID_PARAMETERS; > > + > > + reg_pair_from_64(&handle_hi, &handle_lo, handle); > > + ret = ffa_mem_reclaim(handle_lo, handle_hi, flags); > > + if ( ret ) > > + return ret; > > + > > + spin_lock(&ffa_mem_list_lock); > > + list_del(&shm->list); > > + spin_unlock(&ffa_mem_list_lock); > > + > > + put_shm_pages(shm); > > + xfree(shm); > > + > > + return ret; > > +} > > + > > +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) > > +{ > > + struct domain *d = current->domain; > > + struct ffa_ctx *ctx = d->arch.ffa; > > + uint32_t count; > > + uint32_t e; > > + > > + if ( !ctx ) > > + return false; > > + > > + switch ( fid ) > > + { > > + case FFA_VERSION: > > + handle_version(regs); > > + return true; > > + case FFA_ID_GET: > > + set_regs_success(regs, get_vm_id(d), 0); > > + return true; > > + case FFA_RXTX_MAP_32: > > +#ifdef CONFIG_ARM_64 > > + case FFA_RXTX_MAP_64: > > +#endif > > + e = handle_rxtx_map(fid, get_user_reg(regs, 1), get_user_reg(regs, 2), > > + get_user_reg(regs, 3)); > > + if ( e ) > > + set_regs_error(regs, e); > > + else > > + set_regs_success(regs, 0, 0); > > + return true; > > + case FFA_RXTX_UNMAP: > > + e = handle_rxtx_unmap(); > > + if ( e ) > > + set_regs_error(regs, e); > > + else > > + set_regs_success(regs, 0, 0); > > + return true; > > + case FFA_PARTITION_INFO_GET: > > + e = handle_partition_info_get(get_user_reg(regs, 1), > > + get_user_reg(regs, 2), > > + get_user_reg(regs, 3), > > + get_user_reg(regs, 4), > > + get_user_reg(regs, 5), &count); > > + if ( e ) > > + set_regs_error(regs, e); > > + else > > + set_regs_success(regs, count, 0); > > + return true; > > + case FFA_RX_RELEASE: > > + e = handle_rx_release(); > > + if ( e ) > > + set_regs_error(regs, e); > > + else > > + set_regs_success(regs, 0, 0); > > + return true; > > + case FFA_MSG_SEND_DIRECT_REQ_32: > > +#ifdef CONFIG_ARM_64 > > + case FFA_MSG_SEND_DIRECT_REQ_64: > > +#endif > > + handle_msg_send_direct_req(regs, fid); > > + return true; > > + case FFA_MEM_SHARE_32: > > +#ifdef CONFIG_ARM_64 > > + case FFA_MEM_SHARE_64: > > +#endif > > + handle_mem_share(regs); > > + return true; > > + case FFA_MEM_RECLAIM: > > + e = handle_mem_reclaim(reg_pair_to_64(get_user_reg(regs, 2), > > + get_user_reg(regs, 1)), > > + get_user_reg(regs, 3)); > > + if ( e ) > > + set_regs_error(regs, e); > > + else > > + set_regs_success(regs, 0, 0); > > + return true; > > + case FFA_MEM_FRAG_TX: > > + handle_mem_frag_tx(regs); > > + return true; > > + > > + default: > > + printk(XENLOG_ERR "ffa: unhandled fid 0x%x\n", fid); > > + return false; > > + } > > +} > > + > > +int ffa_domain_init(struct domain *d, bool ffa_enabled) > > +{ > > + struct ffa_ctx *ctx; > > + unsigned int n; > > + unsigned int m; > > + unsigned int c_pos; > > + int32_t res; > > + > > + if ( !ffa_version || !ffa_enabled ) > > + return 0; > > + > > + ctx = xzalloc(struct ffa_ctx); > > + if ( !ctx ) > > + return -ENOMEM; > > + > > + for ( n = 0; n < subsr_vm_created_count; n++ ) > > + { > > + res = ffa_direct_req_send_vm(subsr_vm_created[n], get_vm_id(d), > > + FFA_MSG_SEND_VM_CREATED); > > + if ( res ) > > + { > > + printk(XENLOG_ERR "ffa: Failed to report creation of vm_id %u to %u: res %d\n", > > + get_vm_id(d), subsr_vm_created[n], res); > > + c_pos = n; > > + goto err; > > + } > > + } > > + > > + INIT_LIST_HEAD(&ctx->frag_list); > > + > > + d->arch.ffa = ctx; > > + > > + return 0; > > + > > +err: > > + /* Undo any already sent vm created messaged */ > > + for ( n = 0; n < c_pos; n++ ) > > + for ( m = 0; m < subsr_vm_destroyed_count; m++ ) > > + if ( subsr_vm_destroyed[m] == subsr_vm_created[n] ) > > + ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), > > + FFA_MSG_SEND_VM_DESTROYED); > > + return -ENOMEM; > > +} > > + > > +int ffa_relinquish_resources(struct domain *d) > > +{ > > + struct ffa_ctx *ctx = d->arch.ffa; > > + unsigned int n; > > + int32_t res; > > + > > + if ( !ctx ) > > + return 0; > > + > > + for ( n = 0; n < subsr_vm_destroyed_count; n++ ) > > + { > > + res = ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), > > + FFA_MSG_SEND_VM_DESTROYED); > > + > > + if ( res ) > > + printk(XENLOG_ERR "ffa: Failed to report destruction of vm_id %u to %u: res %d\n", > > + get_vm_id(d), subsr_vm_destroyed[n], res); > > + } > > + > > + XFREE(d->arch.ffa); > > + > > + return 0; > > +} > > + > > +static bool __init init_subscribers(void) > > +{ > > + struct ffa_partition_info_1_1 *fpi; > > + bool ret = false; > > + uint32_t count; > > + uint32_t e; > > + uint32_t n; > > + uint32_t c_pos; > > + uint32_t d_pos; > > + > > + if ( ffa_version < FFA_VERSION_1_1 ) > > + return true; > > + > > + e = ffa_partition_info_get(0, 0, 0, 0, 1, &count); > > + ffa_rx_release(); > > + if ( e ) > > + { > > + printk(XENLOG_ERR "ffa: Failed to get list of SPs: %d\n", (int)e); > > + goto out; > > + } > > + > > + fpi = ffa_rx; > > + subsr_vm_created_count = 0; > > + subsr_vm_destroyed_count = 0; > > + for ( n = 0; n < count; n++ ) > > + { > > + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED) > > + subsr_vm_created_count++; > > + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED) > > + subsr_vm_destroyed_count++; > > + } > > + > > + if ( subsr_vm_created_count ) > > + subsr_vm_created = xzalloc_array(uint16_t, subsr_vm_created_count); > > + if ( subsr_vm_destroyed_count ) > > + subsr_vm_destroyed = xzalloc_array(uint16_t, subsr_vm_destroyed_count); > > + if ( (subsr_vm_created_count && !subsr_vm_created) || > > + (subsr_vm_destroyed_count && !subsr_vm_destroyed) ) > > + { > > + printk(XENLOG_ERR "ffa: Failed to allocate subscription lists\n"); > > + subsr_vm_created_count = 0; > > + subsr_vm_destroyed_count = 0; > > + XFREE(subsr_vm_created); > > + XFREE(subsr_vm_destroyed); > > + goto out; > > + } > > + > > + for ( c_pos = 0, d_pos = 0, n = 0; n < count; n++ ) > > + { > > + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED ) > > + subsr_vm_created[c_pos++] = fpi[n].id; > > + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) > > + subsr_vm_destroyed[d_pos++] = fpi[n].id; > > + } > > + > > + ret = true; > > +out: > > + ffa_rx_release(); > > + return ret; > > +} > > + > > +static int __init ffa_init(void) > > +{ > > + uint32_t vers; > > + uint32_t e; > > + unsigned int major_vers; > > + unsigned int minor_vers; > > + > > + /* > > + * psci_init_smccc() updates this value with what's reported by EL-3 > > + * or secure world. > > + */ > > + if ( smccc_ver < ARM_SMCCC_VERSION_1_2 ) > > + { > > + printk(XENLOG_ERR > > + "ffa: unsupported SMCCC version %#x (need at least %#x)\n", > > + smccc_ver, ARM_SMCCC_VERSION_1_2); > > + return 0; > > + } > > + > > + if ( !ffa_get_version(&vers) ) > > + return 0; > > + > > + if ( vers < FFA_MIN_VERSION || vers > FFA_MY_VERSION ) > > + { > > + printk(XENLOG_ERR "ffa: Incompatible version %#x found\n", vers); > > + return 0; > > + } > > + > > + major_vers = (vers >> FFA_VERSION_MAJOR_SHIFT) & FFA_VERSION_MAJOR_MASK; > > + minor_vers = vers & FFA_VERSION_MINOR_MASK; > > + printk(XENLOG_INFO "ARM FF-A Mediator version %u.%u\n", > > + FFA_VERSION_MAJOR, FFA_VERSION_MINOR); > > + printk(XENLOG_INFO "ARM FF-A Firmware version %u.%u\n", > > + major_vers, minor_vers); > > + > > + if ( !check_mandatory_feature(FFA_PARTITION_INFO_GET) || > > + !check_mandatory_feature(FFA_RX_RELEASE) || > > +#ifdef CONFIG_ARM_64 > > + !check_mandatory_feature(FFA_RXTX_MAP_64) || > > + !check_mandatory_feature(FFA_MEM_SHARE_64) || > > +#endif > > +#ifdef CONFIG_ARM_32 > > + !check_mandatory_feature(FFA_RXTX_MAP_32) || > > +#endif > > + !check_mandatory_feature(FFA_RXTX_UNMAP) || > > + !check_mandatory_feature(FFA_MEM_SHARE_32) || > > + !check_mandatory_feature(FFA_MEM_FRAG_TX) || > > + !check_mandatory_feature(FFA_MEM_RECLAIM) || > > + !check_mandatory_feature(FFA_MSG_SEND_DIRECT_REQ_32) ) > > + return 0; > > + > > + ffa_rx = alloc_xenheap_pages(0, 0); > > + if ( !ffa_rx ) > > + return 0; > > + > > + ffa_tx = alloc_xenheap_pages(0, 0); > > + if ( !ffa_tx ) > > + goto err_free_ffa_rx; > > + > > + e = ffa_rxtx_map(__pa(ffa_tx), __pa(ffa_rx), 1); > > + if ( e ) > > + { > > + printk(XENLOG_ERR "ffa: Failed to map rxtx: error %d\n", (int)e); > > + goto err_free_ffa_tx; > > + } > > + ffa_page_count = 1; > > + ffa_version = vers; > > + > > + if ( !init_subscribers() ) > > + goto err_free_ffa_tx; > > + > > + return 0; > > + > > +err_free_ffa_tx: > > + free_xenheap_pages(ffa_tx, 0); > > + ffa_tx = NULL; > > +err_free_ffa_rx: > > + free_xenheap_pages(ffa_rx, 0); > > + ffa_rx = NULL; > > + ffa_page_count = 0; > > + ffa_version = 0; > > + XFREE(subsr_vm_created); > > + subsr_vm_created_count = 0; > > + XFREE(subsr_vm_destroyed); > > + subsr_vm_destroyed_count = 0; > > + return 0; > > +} > > + > > +__initcall(ffa_init); > > diff --git a/xen/arch/arm/include/asm/domain.h b/xen/arch/arm/include/asm/domain.h > > index ed63c2b6f91f..b3dee269bced 100644 > > --- a/xen/arch/arm/include/asm/domain.h > > +++ b/xen/arch/arm/include/asm/domain.h > > @@ -103,6 +103,10 @@ struct arch_domain > > void *tee; > > #endif > > > > +#ifdef CONFIG_FFA > > + void *ffa; > > +#endif > > + > > bool directmap; > > } __cacheline_aligned; > > > > diff --git a/xen/arch/arm/include/asm/ffa.h b/xen/arch/arm/include/asm/ffa.h > > new file mode 100644 > > index 000000000000..4f4a739345bd > > --- /dev/null > > +++ b/xen/arch/arm/include/asm/ffa.h > > @@ -0,0 +1,71 @@ > > +/* > > + * xen/arch/arm/ffa.c > > + * > > + * Arm Firmware Framework for ARMv8-A(FFA) mediator > > + * > > + * Copyright (C) 2021 Linaro Limited > > + * > > + * Permission is hereby granted, free of charge, to any person > > + * obtaining a copy of this software and associated documentation > > + * files (the "Software"), to deal in the Software without restriction, > > + * including without limitation the rights to use, copy, modify, merge, > > + * publish, distribute, sublicense, and/or sell copies of the Software, > > + * and to permit persons to whom the Software is furnished to do so, > > + * subject to the following conditions: > > + * > > + * The above copyright notice and this permission notice shall be > > + * included in all copies or substantial portions of the Software. > > + * > > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, > > + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF > > + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. > > + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY > > + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, > > + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE > > + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. > > + */ > > + > > +#ifndef __ASM_ARM_FFA_H__ > > +#define __ASM_ARM_FFA_H__ > > + > > +#include <xen/const.h> > > + > > +#include <asm/smccc.h> > > +#include <asm/types.h> > > + > > +#define FFA_FNUM_MIN_VALUE _AC(0x60,U) > > +#define FFA_FNUM_MAX_VALUE _AC(0x86,U) > > + > > +static inline bool is_ffa_fid(uint32_t fid) > > +{ > > + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; > > + > > + return fn >= FFA_FNUM_MIN_VALUE && fn <= FFA_FNUM_MAX_VALUE; > > +} > > + > > +#ifdef CONFIG_FFA > > +#define FFA_NR_FUNCS 11 > > + > > +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid); > > +int ffa_domain_init(struct domain *d, bool ffa_enabled); > > +int ffa_relinquish_resources(struct domain *d); > > +#else > > +#define FFA_NR_FUNCS 0 > > + > > +static inline bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) > > +{ > > + return false; > > +} > > + > > +static inline int ffa_domain_init(struct domain *d, bool ffa_enabled) > > +{ > > + return 0; > > +} > > + > > +static inline int ffa_relinquish_resources(struct domain *d) > > +{ > > + return 0; > > +} > > +#endif > > + > > +#endif /*__ASM_ARM_FFA_H__*/ > > diff --git a/xen/arch/arm/vsmc.c b/xen/arch/arm/vsmc.c > > index 6f90c08a6304..34586025eff8 100644 > > --- a/xen/arch/arm/vsmc.c > > +++ b/xen/arch/arm/vsmc.c > > @@ -20,6 +20,7 @@ > > #include <public/arch-arm/smccc.h> > > #include <asm/cpuerrata.h> > > #include <asm/cpufeature.h> > > +#include <asm/ffa.h> > > #include <asm/monitor.h> > > #include <asm/regs.h> > > #include <asm/smccc.h> > > @@ -32,7 +33,7 @@ > > #define XEN_SMCCC_FUNCTION_COUNT 3 > > > > /* Number of functions currently supported by Standard Service Service Calls. */ > > -#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS) > > +#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS + FFA_NR_FUNCS) > > > > static bool fill_uid(struct cpu_user_regs *regs, xen_uuid_t uuid) > > { > > @@ -196,13 +197,23 @@ static bool handle_existing_apis(struct cpu_user_regs *regs) > > return do_vpsci_0_1_call(regs, fid); > > } > > > > +static bool is_psci_fid(uint32_t fid) > > +{ > > + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; > > + > > + return fn >= 0 && fn <= 0x1fU; > > +} > > + > > /* PSCI 0.2 interface and other Standard Secure Calls */ > > static bool handle_sssc(struct cpu_user_regs *regs) > > { > > uint32_t fid = (uint32_t)get_user_reg(regs, 0); > > > > - if ( do_vpsci_0_2_call(regs, fid) ) > > - return true; > > + if ( is_psci_fid(fid) ) > > + return do_vpsci_0_2_call(regs, fid); > > + > > + if ( is_ffa_fid(fid) ) > > + return ffa_handle_call(regs, fid); > > > > switch ( fid ) > > { > > diff --git a/xen/include/public/arch-arm.h b/xen/include/public/arch-arm.h > > index ab05fe12b0de..53f8d44a6a8e 100644 > > --- a/xen/include/public/arch-arm.h > > +++ b/xen/include/public/arch-arm.h > > @@ -318,6 +318,8 @@ struct xen_arch_domainconfig { > > /* IN/OUT */ > > uint8_t gic_version; > > /* IN */ > > + uint8_t ffa_enabled; > > + /* IN */ > > uint16_t tee_type; > > /* IN */ > > uint32_t nr_spis; > > -- > > 2.31.1 > > >
Hi, On 26/07/2022 07:17, Jens Wiklander wrote: > On Fri, Jul 8, 2022 at 3:41 PM Julien Grall <julien@xen.org> wrote: >> >> Hi Jens, >> >> I haven't checked whether the FFA driver is complaint with the spec. I >> mainly checked whether the code makes sense from Xen PoV. >> >> This is a fairly long patch to review. So I will split my review in >> multiple session/e-mail. >> >> On 22/06/2022 14:42, Jens Wiklander wrote: >>> Adds a FF-A version 1.1 [1] mediator to communicate with a Secure >>> Partition in secure world. >>> >>> The implementation is the bare minimum to be able to communicate with >>> OP-TEE running as an SPMC at S-EL1. >>> >>> This is loosely based on the TEE mediator framework and the OP-TEE >>> mediator. >>> >>> [1] https://developer.arm.com/documentation/den0077/latest >>> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> >>> --- >>> SUPPORT.md | 7 + >>> tools/libs/light/libxl_arm.c | 3 + >>> tools/libs/light/libxl_types.idl | 1 + >>> tools/xl/xl_parse.c | 3 + >> >> These changes would need an ack from the toolstack maintainers. > > OK, I'll keep them in CC. > >> >>> xen/arch/arm/Kconfig | 11 + >>> xen/arch/arm/Makefile | 1 + >>> xen/arch/arm/domain.c | 10 + >>> xen/arch/arm/domain_build.c | 1 + >>> xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ >>> xen/arch/arm/include/asm/domain.h | 4 + >>> xen/arch/arm/include/asm/ffa.h | 71 ++ >>> xen/arch/arm/vsmc.c | 17 +- >>> xen/include/public/arch-arm.h | 2 + >>> 13 files changed, 1811 insertions(+), 3 deletions(-) >>> create mode 100644 xen/arch/arm/ffa.c >>> create mode 100644 xen/arch/arm/include/asm/ffa.h >>> >>> diff --git a/SUPPORT.md b/SUPPORT.md >>> index 70e98964cbc0..215bb3c9043b 100644 >>> --- a/SUPPORT.md >>> +++ b/SUPPORT.md >>> @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. >>> >>> No support for QEMU backends in a 16K or 64K domain. >>> >>> +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator >>> + >>> + Status, Arm64: Tech Preview >>> + >>> +There are still some code paths where a vCPU may hog a pCPU longer than >>> +necessary. The FF-A mediator is not yet implemented for Arm32. >>> + >>> ### ARM: Guest Device Tree support >>> >>> Status: Supported >>> diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c >>> index eef1de093914..a985609861c7 100644 >>> --- a/tools/libs/light/libxl_arm.c >>> +++ b/tools/libs/light/libxl_arm.c >>> @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, >>> return ERROR_FAIL; >>> } >>> >>> + config->arch.ffa_enabled = >>> + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); >>> + >>> return 0; >>> } >>> >>> diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl >>> index 2a42da2f7d78..bf4544bef399 100644 >>> --- a/tools/libs/light/libxl_types.idl >>> +++ b/tools/libs/light/libxl_types.idl >>> @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ >>> >>> ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), >>> ("vuart", libxl_vuart_type), >>> + ("ffa_enabled", libxl_defbool), >> >> This needs to be accompagnied with a define LIBXL_HAVE_* in >> tools/include/libxl.h. Please see the examples in the header. > > OK, I'll add something. I'm not entirely sure how this is used so I'm > afraid it will be a bit of Cargo Cult programming from my side. The LIBXL_HAVE* by toolstack built on top of libxl (like virtio) to know whether a future is supported by the current library. [...] >> >>> + >>> +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) >>> +{ >>> + return (uint64_t)reg0 << 32 | reg1; >>> +} >>> + >>> +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, >>> + uint64_t val) >>> +{ >>> + *reg0 = val >> 32; >>> + *reg1 = val; >>> +} >> >> Those two functions are the same as optee.c but with a different. I >> would rather prefer if we avoid the duplication and provide generic >> helpers in a pre-requisite. > > These functions are trivial but at the same time for a special purpose > which happens to coincide with the usage in optee.c. I can't find a > suitable common .h file and creating a new one seems a bit much. I would implement it in regs.h. [...] >>> + .a4 = pg_count, >>> + }; >>> + struct arm_smccc_1_2_regs resp; >>> + >>> + /* >>> + * For arm64 we must use 64-bit calling convention if the buffer isn't >>> + * passed in our tx buffer. >>> + */ >> >> Can you explain why we would want to use the 32-bit calling convention >> if addr is 0? > > I was trying to avoid the 64-bit calling convention where possible, OOI, why are you trying to avoid the 64-bit calling convention? [...]
Hi, On 27/07/2022 07:33, Jens Wiklander wrote: > On Fri, Jul 8, 2022 at 9:54 PM Julien Grall <julien@xen.org> wrote: >>> + unsigned int n; >>> + unsigned int m; >>> + p2m_type_t t; >>> + uint64_t addr; >>> + >>> + for ( n = 0; n < range_count; n++ ) >>> + { >>> + for ( m = 0; m < range[n].page_count; m++ ) >>> + { >>> + if ( pg_idx >= shm->page_count ) >>> + return FFA_RET_INVALID_PARAMETERS; >> >> Shouldn't we call put_page() to drop the references taken by >> get_page_from_gfn()? > > Yes, and that's done by put_shm_pages(). One would normally expect > get_shm_pages() to do this on error, but that's not needed here since > we're always calling put_shm_pages() just before freeing the shm. I > can change to let get_shm_pages() do the cleanup on error instead if > you prefer that. I am fine with the current approach. I would suggest to document it on top of get_shm_pages(). Also, if you expect put_shm_pages() to always be called before freeing shm, then I think it would be worth adding an helper that is doing the two. So the requirement is clearer. [...] >> >> How do you guarantee that both Xen and the domain agree on the page size? > > For now, I'll add a BUILD_BUG_ON() to check that the hypervisor page > size is 4K to simplify the initial implementation. We can update to > support a larger minimal memory granule later on. I am fine with that. FWIW, this is also what we did in the OP-TEE case. >>> + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) >>> + { >>> + pa = page_to_maddr(shm->pages[n]); >>> + if ( last_pa + PAGE_SIZE == pa ) >>> + { >> >> Coding style: We usually avoid {} for single line. > > OK > >> >>> + continue; >>> + } >>> + region_descr->address_range_count++; >>> + } >>> + >>> + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + >>> + sizeof(*region_descr) + >>> + region_descr->address_range_count * sizeof(*addr_range); >> >> How do you make sure that you will not write past the end of ffa_tx? >> >> I think it would be worth to consider adding an helper that would allow >> you to allocate space in ffa_tx and zero it. This would return an error >> if there is not enough space. > > That's what I'm doing with frag_len. If the descriptor cannot fit it's > divided into fragments that will fit. Oh, so this is what the loop below is for, am I correct? If so, I would suggest to document a bit the code because this function is fairly confusing to understand. [...] >>> + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) >>> + { >>> + ret = FFA_RET_NOT_SUPPORTED; >>> + goto out_unlock; >>> + } >>> + >>> + region_offs = read_atomic(&mem_access->region_offs); >>> + if ( sizeof(*region_descr) + region_offs > frag_len ) >>> + { >>> + ret = FFA_RET_NOT_SUPPORTED; >>> + goto out_unlock; >>> + } >>> + >>> + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); >>> + range_count = read_atomic(®ion_descr->address_range_count); >>> + page_count = read_atomic(®ion_descr->total_page_count); >>> + >>> + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count) >> This will allow a guest to allocate an arbitrarily large array in Xen. >> So please sanitize page_count before using it. > > This is tricky, what is a reasonable limit? Indeed. We need a limit that will prevent an untrusted domain to DoS Xen and at the same doesn't prevent the majority of well-behave domain to function. How is this call going to be used? > If we do set a limit the > guest can still share many separate memory ranges. This would also need to be limited if there is a desire to support untrusted domain. [...] >>> + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, >>> + 0, &last_page_idx); >>> + if ( ret ) >>> + goto out; >>> + if ( last_page_idx != shm->page_count ) >>> + { >>> + ret = FFA_RET_INVALID_PARAMETERS; >>> + goto out; >>> + } >>> + >>> + /* Note that share_shm() uses our tx buffer */ >>> + spin_lock(&ffa_buffer_lock); >>> + ret = share_shm(shm); >>> + spin_unlock(&ffa_buffer_lock); >>> + if ( ret ) >>> + goto out; >>> + >>> + spin_lock(&ffa_mem_list_lock); >>> + list_add_tail(&shm->list, &ffa_mem_list); >> >> A couple of questions: >> - What is the maximum size of the list? > > Currently, there is no limit. I'm not sure what is a reasonable limit > more than five for sure, but depending on the use case more than 100 > might be excessive. This is fine to be excessive so long it doesn't allow a guest to drive Xen out of memory or allow long running operations. As I wrote above, the idea is we need limits that protect Xen but at the same time doesn't prevent the majority well-behave guest to function. As this is a tech preview, the limits can be low. We can raise the limits as we get a better understanding how this will be used. Cheers,
Hi, On Thu, Jul 28, 2022 at 9:15 PM Julien Grall <julien@xen.org> wrote: > > Hi, > > On 26/07/2022 07:17, Jens Wiklander wrote: > > On Fri, Jul 8, 2022 at 3:41 PM Julien Grall <julien@xen.org> wrote: > >> > >> Hi Jens, > >> > >> I haven't checked whether the FFA driver is complaint with the spec. I > >> mainly checked whether the code makes sense from Xen PoV. > >> > >> This is a fairly long patch to review. So I will split my review in > >> multiple session/e-mail. > >> > >> On 22/06/2022 14:42, Jens Wiklander wrote: > >>> Adds a FF-A version 1.1 [1] mediator to communicate with a Secure > >>> Partition in secure world. > >>> > >>> The implementation is the bare minimum to be able to communicate with > >>> OP-TEE running as an SPMC at S-EL1. > >>> > >>> This is loosely based on the TEE mediator framework and the OP-TEE > >>> mediator. > >>> > >>> [1] https://developer.arm.com/documentation/den0077/latest > >>> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> > >>> --- > >>> SUPPORT.md | 7 + > >>> tools/libs/light/libxl_arm.c | 3 + > >>> tools/libs/light/libxl_types.idl | 1 + > >>> tools/xl/xl_parse.c | 3 + > >> > >> These changes would need an ack from the toolstack maintainers. > > > > OK, I'll keep them in CC. > > > >> > >>> xen/arch/arm/Kconfig | 11 + > >>> xen/arch/arm/Makefile | 1 + > >>> xen/arch/arm/domain.c | 10 + > >>> xen/arch/arm/domain_build.c | 1 + > >>> xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ > >>> xen/arch/arm/include/asm/domain.h | 4 + > >>> xen/arch/arm/include/asm/ffa.h | 71 ++ > >>> xen/arch/arm/vsmc.c | 17 +- > >>> xen/include/public/arch-arm.h | 2 + > >>> 13 files changed, 1811 insertions(+), 3 deletions(-) > >>> create mode 100644 xen/arch/arm/ffa.c > >>> create mode 100644 xen/arch/arm/include/asm/ffa.h > >>> > >>> diff --git a/SUPPORT.md b/SUPPORT.md > >>> index 70e98964cbc0..215bb3c9043b 100644 > >>> --- a/SUPPORT.md > >>> +++ b/SUPPORT.md > >>> @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. > >>> > >>> No support for QEMU backends in a 16K or 64K domain. > >>> > >>> +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator > >>> + > >>> + Status, Arm64: Tech Preview > >>> + > >>> +There are still some code paths where a vCPU may hog a pCPU longer than > >>> +necessary. The FF-A mediator is not yet implemented for Arm32. > >>> + > >>> ### ARM: Guest Device Tree support > >>> > >>> Status: Supported > >>> diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c > >>> index eef1de093914..a985609861c7 100644 > >>> --- a/tools/libs/light/libxl_arm.c > >>> +++ b/tools/libs/light/libxl_arm.c > >>> @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, > >>> return ERROR_FAIL; > >>> } > >>> > >>> + config->arch.ffa_enabled = > >>> + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); > >>> + > >>> return 0; > >>> } > >>> > >>> diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl > >>> index 2a42da2f7d78..bf4544bef399 100644 > >>> --- a/tools/libs/light/libxl_types.idl > >>> +++ b/tools/libs/light/libxl_types.idl > >>> @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ > >>> > >>> ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), > >>> ("vuart", libxl_vuart_type), > >>> + ("ffa_enabled", libxl_defbool), > >> > >> This needs to be accompagnied with a define LIBXL_HAVE_* in > >> tools/include/libxl.h. Please see the examples in the header. > > > > OK, I'll add something. I'm not entirely sure how this is used so I'm > > afraid it will be a bit of Cargo Cult programming from my side. > > The LIBXL_HAVE* by toolstack built on top of libxl (like virtio) to know > whether a future is supported by the current library. > > [...] > > >> > >>> + > >>> +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) > >>> +{ > >>> + return (uint64_t)reg0 << 32 | reg1; > >>> +} > >>> + > >>> +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, > >>> + uint64_t val) > >>> +{ > >>> + *reg0 = val >> 32; > >>> + *reg1 = val; > >>> +} > >> > >> Those two functions are the same as optee.c but with a different. I > >> would rather prefer if we avoid the duplication and provide generic > >> helpers in a pre-requisite. > > > > These functions are trivial but at the same time for a special purpose > > which happens to coincide with the usage in optee.c. I can't find a > > suitable common .h file and creating a new one seems a bit much. > > I would implement it in regs.h. OK, thanks. > > [...] > > >>> + .a4 = pg_count, > >>> + }; > >>> + struct arm_smccc_1_2_regs resp; > >>> + > >>> + /* > >>> + * For arm64 we must use 64-bit calling convention if the buffer isn't > >>> + * passed in our tx buffer. > >>> + */ > >> > >> Can you explain why we would want to use the 32-bit calling convention > >> if addr is 0? > > > > I was trying to avoid the 64-bit calling convention where possible, > > OOI, why are you trying to avoid the 64-bit calling convention? To make it easier to support a use-case where the SPMC is using AArch32, but I'm not sure it's realistic any longer. Cheers, Jens
Hi, On Thu, Jul 28, 2022 at 9:41 PM Julien Grall <julien@xen.org> wrote: > > Hi, > > On 27/07/2022 07:33, Jens Wiklander wrote: > > On Fri, Jul 8, 2022 at 9:54 PM Julien Grall <julien@xen.org> wrote: > >>> + unsigned int n; > >>> + unsigned int m; > >>> + p2m_type_t t; > >>> + uint64_t addr; > >>> + > >>> + for ( n = 0; n < range_count; n++ ) > >>> + { > >>> + for ( m = 0; m < range[n].page_count; m++ ) > >>> + { > >>> + if ( pg_idx >= shm->page_count ) > >>> + return FFA_RET_INVALID_PARAMETERS; > >> > >> Shouldn't we call put_page() to drop the references taken by > >> get_page_from_gfn()? > > > > Yes, and that's done by put_shm_pages(). One would normally expect > > get_shm_pages() to do this on error, but that's not needed here since > > we're always calling put_shm_pages() just before freeing the shm. I > > can change to let get_shm_pages() do the cleanup on error instead if > > you prefer that. > > I am fine with the current approach. I would suggest to document it on > top of get_shm_pages(). > > Also, if you expect put_shm_pages() to always be called before freeing > shm, then I think it would be worth adding an helper that is doing the > two. So the requirement is clearer. OK, I'll fix. > > [...] > > >> > >> How do you guarantee that both Xen and the domain agree on the page size? > > > > For now, I'll add a BUILD_BUG_ON() to check that the hypervisor page > > size is 4K to simplify the initial implementation. We can update to > > support a larger minimal memory granule later on. > > I am fine with that. FWIW, this is also what we did in the OP-TEE case. > > >>> + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) > >>> + { > >>> + pa = page_to_maddr(shm->pages[n]); > >>> + if ( last_pa + PAGE_SIZE == pa ) > >>> + { > >> > >> Coding style: We usually avoid {} for single line. > > > > OK > > > >> > >>> + continue; > >>> + } > >>> + region_descr->address_range_count++; > >>> + } > >>> + > >>> + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + > >>> + sizeof(*region_descr) + > >>> + region_descr->address_range_count * sizeof(*addr_range); > >> > >> How do you make sure that you will not write past the end of ffa_tx? > >> > >> I think it would be worth to consider adding an helper that would allow > >> you to allocate space in ffa_tx and zero it. This would return an error > >> if there is not enough space. > > > > That's what I'm doing with frag_len. If the descriptor cannot fit it's > > divided into fragments that will fit. > > Oh, so this is what the loop below is for, am I correct? If so, I would > suggest to document a bit the code because this function is fairly > confusing to understand. Yeah, I'm sorry about that. I'll add a comment describing what's going on. > > [...] > > >>> + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) > >>> + { > >>> + ret = FFA_RET_NOT_SUPPORTED; > >>> + goto out_unlock; > >>> + } > >>> + > >>> + region_offs = read_atomic(&mem_access->region_offs); > >>> + if ( sizeof(*region_descr) + region_offs > frag_len ) > >>> + { > >>> + ret = FFA_RET_NOT_SUPPORTED; > >>> + goto out_unlock; > >>> + } > >>> + > >>> + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); > >>> + range_count = read_atomic(®ion_descr->address_range_count); > >>> + page_count = read_atomic(®ion_descr->total_page_count); > >>> + > >>> + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count) > >> This will allow a guest to allocate an arbitrarily large array in Xen. > >> So please sanitize page_count before using it. > > > > This is tricky, what is a reasonable limit? > > Indeed. We need a limit that will prevent an untrusted domain to DoS Xen > and at the same doesn't prevent the majority of well-behave domain to > function. > > How is this call going to be used? > > > If we do set a limit the > > guest can still share many separate memory ranges. > > This would also need to be limited if there is a desire to support > untrusted domain. I see that someone obviously has asked the same questions about the OP-TEE mediator in the TEE mediator framework. I'll try the same approach with limit etc since I guess the use-case there and here at least initially will be similar. > > [...] > > >>> + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, > >>> + 0, &last_page_idx); > >>> + if ( ret ) > >>> + goto out; > >>> + if ( last_page_idx != shm->page_count ) > >>> + { > >>> + ret = FFA_RET_INVALID_PARAMETERS; > >>> + goto out; > >>> + } > >>> + > >>> + /* Note that share_shm() uses our tx buffer */ > >>> + spin_lock(&ffa_buffer_lock); > >>> + ret = share_shm(shm); > >>> + spin_unlock(&ffa_buffer_lock); > >>> + if ( ret ) > >>> + goto out; > >>> + > >>> + spin_lock(&ffa_mem_list_lock); > >>> + list_add_tail(&shm->list, &ffa_mem_list); > >> > >> A couple of questions: > >> - What is the maximum size of the list? > > > > Currently, there is no limit. I'm not sure what is a reasonable limit > > more than five for sure, but depending on the use case more than 100 > > might be excessive. > This is fine to be excessive so long it doesn't allow a guest to drive > Xen out of memory or allow long running operations. > > As I wrote above, the idea is we need limits that protect Xen but at the > same time doesn't prevent the majority well-behave guest to function. > > As this is a tech preview, the limits can be low. We can raise the > limits as we get a better understanding how this will be used. OK. Thanks for the review. Cheers, Jens > > Cheers, > > -- > Julien Grall
diff --git a/SUPPORT.md b/SUPPORT.md index 70e98964cbc0..215bb3c9043b 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -785,6 +785,13 @@ that covers the DMA of the device to be passed through. No support for QEMU backends in a 16K or 64K domain. +### ARM: Firmware Framework for Arm A-profile (FF-A) Mediator + + Status, Arm64: Tech Preview + +There are still some code paths where a vCPU may hog a pCPU longer than +necessary. The FF-A mediator is not yet implemented for Arm32. + ### ARM: Guest Device Tree support Status: Supported diff --git a/tools/libs/light/libxl_arm.c b/tools/libs/light/libxl_arm.c index eef1de093914..a985609861c7 100644 --- a/tools/libs/light/libxl_arm.c +++ b/tools/libs/light/libxl_arm.c @@ -101,6 +101,9 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc, return ERROR_FAIL; } + config->arch.ffa_enabled = + libxl_defbool_val(d_config->b_info.arch_arm.ffa_enabled); + return 0; } diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl index 2a42da2f7d78..bf4544bef399 100644 --- a/tools/libs/light/libxl_types.idl +++ b/tools/libs/light/libxl_types.idl @@ -646,6 +646,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ ("arch_arm", Struct(None, [("gic_version", libxl_gic_version), ("vuart", libxl_vuart_type), + ("ffa_enabled", libxl_defbool), ])), ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool), ])), diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c index b98c0de378b6..e0e99ed8d2b1 100644 --- a/tools/xl/xl_parse.c +++ b/tools/xl/xl_parse.c @@ -2746,6 +2746,9 @@ skip_usbdev: exit(-ERROR_FAIL); } } + libxl_defbool_setdefault(&b_info->arch_arm.ffa_enabled, false); + xlu_cfg_get_defbool(config, "ffa_enabled", + &b_info->arch_arm.ffa_enabled, 0); parse_vkb_list(config, d_config); diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index be9eff014120..e57e1d3757e2 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -139,6 +139,17 @@ config TEE source "arch/arm/tee/Kconfig" +config FFA + bool "Enable FF-A mediator support" if EXPERT + default n + depends on ARM_64 + help + This option enables a minimal FF-A mediator. The mediator is + generic as it follows the FF-A specification [1], but it only + implements a small subset of the specification. + + [1] https://developer.arm.com/documentation/den0077/latest + endmenu menu "ARM errata workaround via the alternative framework" diff --git a/xen/arch/arm/Makefile b/xen/arch/arm/Makefile index bb7a6151c13c..af0c69f793d4 100644 --- a/xen/arch/arm/Makefile +++ b/xen/arch/arm/Makefile @@ -20,6 +20,7 @@ obj-y += domain_build.init.o obj-y += domctl.o obj-$(CONFIG_EARLY_PRINTK) += early_printk.o obj-y += efi/ +obj-$(CONFIG_FFA) += ffa.o obj-y += gic.o obj-y += gic-v2.o obj-$(CONFIG_GICV3) += gic-v3.o diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index 8110c1df8638..a3f00e7e234d 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -27,6 +27,7 @@ #include <asm/cpufeature.h> #include <asm/current.h> #include <asm/event.h> +#include <asm/ffa.h> #include <asm/gic.h> #include <asm/guest_atomics.h> #include <asm/irq.h> @@ -756,6 +757,9 @@ int arch_domain_create(struct domain *d, if ( (rc = tee_domain_init(d, config->arch.tee_type)) != 0 ) goto fail; + if ( (rc = ffa_domain_init(d, config->arch.ffa_enabled)) != 0 ) + goto fail; + update_domain_wallclock_time(d); /* @@ -998,6 +1002,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) enum { PROG_pci = 1, PROG_tee, + PROG_ffa, PROG_xen, PROG_page, PROG_mapping, @@ -1043,6 +1048,11 @@ int domain_relinquish_resources(struct domain *d) PROGRESS(tee): ret = tee_relinquish_resources(d); + if ( ret ) + return ret; + + PROGRESS(ffa): + ret = ffa_relinquish_resources(d); if (ret ) return ret; diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index 7ddd16c26da5..d708f76356f7 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c @@ -3450,6 +3450,7 @@ void __init create_dom0(void) if ( gic_number_lines() > 992 ) printk(XENLOG_WARNING "Maximum number of vGIC IRQs exceeded.\n"); dom0_cfg.arch.tee_type = tee_get_type(); + dom0_cfg.arch.ffa_enabled = true; dom0_cfg.max_vcpus = dom0_max_vcpus(); if ( iommu_enabled ) diff --git a/xen/arch/arm/ffa.c b/xen/arch/arm/ffa.c new file mode 100644 index 000000000000..3117ce5cec4d --- /dev/null +++ b/xen/arch/arm/ffa.c @@ -0,0 +1,1683 @@ +/* + * xen/arch/arm/ffa.c + * + * Arm Firmware Framework for ARMv8-A (FF-A) mediator + * + * Copyright (C) 2022 Linaro Limited + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without restriction, + * including without limitation the rights to use, copy, modify, merge, + * publish, distribute, sublicense, and/or sell copies of the Software, + * and to permit persons to whom the Software is furnished to do so, + * subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +#include <xen/domain_page.h> +#include <xen/errno.h> +#include <xen/init.h> +#include <xen/lib.h> +#include <xen/sched.h> +#include <xen/types.h> +#include <xen/sizes.h> +#include <xen/bitops.h> + +#include <asm/smccc.h> +#include <asm/event.h> +#include <asm/ffa.h> +#include <asm/regs.h> + +/* Error codes */ +#define FFA_RET_OK 0 +#define FFA_RET_NOT_SUPPORTED -1 +#define FFA_RET_INVALID_PARAMETERS -2 +#define FFA_RET_NO_MEMORY -3 +#define FFA_RET_BUSY -4 +#define FFA_RET_INTERRUPTED -5 +#define FFA_RET_DENIED -6 +#define FFA_RET_RETRY -7 +#define FFA_RET_ABORTED -8 + +/* FFA_VERSION helpers */ +#define FFA_VERSION_MAJOR _AC(1,U) +#define FFA_VERSION_MAJOR_SHIFT _AC(16,U) +#define FFA_VERSION_MAJOR_MASK _AC(0x7FFF,U) +#define FFA_VERSION_MINOR _AC(1,U) +#define FFA_VERSION_MINOR_SHIFT _AC(0,U) +#define FFA_VERSION_MINOR_MASK _AC(0xFFFF,U) +#define MAKE_FFA_VERSION(major, minor) \ + ((((major) & FFA_VERSION_MAJOR_MASK) << FFA_VERSION_MAJOR_SHIFT) | \ + ((minor) & FFA_VERSION_MINOR_MASK)) + +#define FFA_MIN_VERSION MAKE_FFA_VERSION(1, 0) +#define FFA_VERSION_1_0 MAKE_FFA_VERSION(1, 0) +#define FFA_VERSION_1_1 MAKE_FFA_VERSION(1, 1) +#define FFA_MY_VERSION MAKE_FFA_VERSION(FFA_VERSION_MAJOR, \ + FFA_VERSION_MINOR) + + +#define FFA_HANDLE_HYP_FLAG BIT(63,ULL) + +/* Memory attributes: Normal memory, Write-Back cacheable, Inner shareable */ +#define FFA_NORMAL_MEM_REG_ATTR _AC(0x2f,U) + +/* Memory access permissions: Read-write */ +#define FFA_MEM_ACC_RW _AC(0x2,U) + +/* Clear memory before mapping in receiver */ +#define FFA_MEMORY_REGION_FLAG_CLEAR BIT(0, U) +/* Relayer may time slice this operation */ +#define FFA_MEMORY_REGION_FLAG_TIME_SLICE BIT(1, U) +/* Clear memory after receiver relinquishes it */ +#define FFA_MEMORY_REGION_FLAG_CLEAR_RELINQUISH BIT(2, U) + +/* Share memory transaction */ +#define FFA_MEMORY_REGION_TRANSACTION_TYPE_SHARE (_AC(1,U) << 3) + +#define FFA_HANDLE_INVALID _AC(0xffffffffffffffff,ULL) + +/* Framework direct request/response */ +#define FFA_MSG_FLAG_FRAMEWORK BIT(31, U) +#define FFA_MSG_TYPE_MASK _AC(0xFF,U); +#define FFA_MSG_PSCI _AC(0x0,U) +#define FFA_MSG_SEND_VM_CREATED _AC(0x4,U) +#define FFA_MSG_RESP_VM_CREATED _AC(0x5,U) +#define FFA_MSG_SEND_VM_DESTROYED _AC(0x6,U) +#define FFA_MSG_RESP_VM_DESTROYED _AC(0x7,U) + +/* + * Flags used for the FFA_PARTITION_INFO_GET return message: + * BIT(0): Supports receipt of direct requests + * BIT(1): Can send direct requests + * BIT(2): Can send and receive indirect messages + * BIT(3): Supports receipt of notifications + * BIT(4-5): Partition ID is a PE endpoint ID + */ +#define FFA_PART_PROP_DIRECT_REQ_RECV BIT(0,U) +#define FFA_PART_PROP_DIRECT_REQ_SEND BIT(1,U) +#define FFA_PART_PROP_INDIRECT_MSGS BIT(2,U) +#define FFA_PART_PROP_RECV_NOTIF BIT(3,U) +#define FFA_PART_PROP_IS_PE_ID (_AC(0,U) << 4) +#define FFA_PART_PROP_IS_SEPID_INDEP (_AC(1,U) << 4) +#define FFA_PART_PROP_IS_SEPID_DEP (_AC(2,U) << 4) +#define FFA_PART_PROP_IS_AUX_ID (_AC(3,U) << 4) +#define FFA_PART_PROP_NOTIF_CREATED BIT(6,U) +#define FFA_PART_PROP_NOTIF_DESTROYED BIT(7,U) +#define FFA_PART_PROP_AARCH64_STATE BIT(8,U) + +/* Function IDs */ +#define FFA_ERROR _AC(0x84000060,U) +#define FFA_SUCCESS_32 _AC(0x84000061,U) +#define FFA_SUCCESS_64 _AC(0xC4000061,U) +#define FFA_INTERRUPT _AC(0x84000062,U) +#define FFA_VERSION _AC(0x84000063,U) +#define FFA_FEATURES _AC(0x84000064,U) +#define FFA_RX_ACQUIRE _AC(0x84000084,U) +#define FFA_RX_RELEASE _AC(0x84000065,U) +#define FFA_RXTX_MAP_32 _AC(0x84000066,U) +#define FFA_RXTX_MAP_64 _AC(0xC4000066,U) +#define FFA_RXTX_UNMAP _AC(0x84000067,U) +#define FFA_PARTITION_INFO_GET _AC(0x84000068,U) +#define FFA_ID_GET _AC(0x84000069,U) +#define FFA_SPM_ID_GET _AC(0x84000085,U) +#define FFA_MSG_WAIT _AC(0x8400006B,U) +#define FFA_MSG_YIELD _AC(0x8400006C,U) +#define FFA_MSG_RUN _AC(0x8400006D,U) +#define FFA_MSG_SEND2 _AC(0x84000086,U) +#define FFA_MSG_SEND_DIRECT_REQ_32 _AC(0x8400006F,U) +#define FFA_MSG_SEND_DIRECT_REQ_64 _AC(0xC400006F,U) +#define FFA_MSG_SEND_DIRECT_RESP_32 _AC(0x84000070,U) +#define FFA_MSG_SEND_DIRECT_RESP_64 _AC(0xC4000070,U) +#define FFA_MEM_DONATE_32 _AC(0x84000071,U) +#define FFA_MEM_DONATE_64 _AC(0xC4000071,U) +#define FFA_MEM_LEND_32 _AC(0x84000072,U) +#define FFA_MEM_LEND_64 _AC(0xC4000072,U) +#define FFA_MEM_SHARE_32 _AC(0x84000073,U) +#define FFA_MEM_SHARE_64 _AC(0xC4000073,U) +#define FFA_MEM_RETRIEVE_REQ_32 _AC(0x84000074,U) +#define FFA_MEM_RETRIEVE_REQ_64 _AC(0xC4000074,U) +#define FFA_MEM_RETRIEVE_RESP _AC(0x84000075,U) +#define FFA_MEM_RELINQUISH _AC(0x84000076,U) +#define FFA_MEM_RECLAIM _AC(0x84000077,U) +#define FFA_MEM_FRAG_RX _AC(0x8400007A,U) +#define FFA_MEM_FRAG_TX _AC(0x8400007B,U) +#define FFA_MSG_SEND _AC(0x8400006E,U) +#define FFA_MSG_POLL _AC(0x8400006A,U) + +/* Partition information descriptor */ +struct ffa_partition_info_1_0 { + uint16_t id; + uint16_t execution_context; + uint32_t partition_properties; +}; + +struct ffa_partition_info_1_1 { + uint16_t id; + uint16_t execution_context; + uint32_t partition_properties; + uint8_t uuid[16]; +}; + +/* Constituent memory region descriptor */ +struct ffa_address_range { + uint64_t address; + uint32_t page_count; + uint32_t reserved; +}; + +/* Composite memory region descriptor */ +struct ffa_mem_region { + uint32_t total_page_count; + uint32_t address_range_count; + uint64_t reserved; + struct ffa_address_range address_range_array[]; +}; + +/* Memory access permissions descriptor */ +struct ffa_mem_access_perm { + uint16_t endpoint_id; + uint8_t perm; + uint8_t flags; +}; + +/* Endpoint memory access descriptor */ +struct ffa_mem_access { + struct ffa_mem_access_perm access_perm; + uint32_t region_offs; + uint64_t reserved; +}; + +/* Lend, donate or share memory transaction descriptor */ +struct ffa_mem_transaction_1_0 { + uint16_t sender_id; + uint8_t mem_reg_attr; + uint8_t reserved0; + uint32_t flags; + uint64_t global_handle; + uint64_t tag; + uint32_t reserved1; + uint32_t mem_access_count; + struct ffa_mem_access mem_access_array[]; +}; + +struct ffa_mem_transaction_1_1 { + uint16_t sender_id; + uint16_t mem_reg_attr; + uint32_t flags; + uint64_t global_handle; + uint64_t tag; + uint32_t mem_access_size; + uint32_t mem_access_count; + uint32_t mem_access_offs; + uint8_t reserved[12]; +}; + +/* + * The parts needed from struct ffa_mem_transaction_1_0 or struct + * ffa_mem_transaction_1_1, used to provide an abstraction of difference in + * data structures between version 1.0 and 1.1. This is just an internal + * interface and can be changed without changing any ABI. + */ +struct ffa_mem_transaction_x { + uint16_t sender_id; + uint8_t mem_reg_attr; + uint8_t flags; + uint8_t mem_access_size; + uint8_t mem_access_count; + uint16_t mem_access_offs; + uint64_t global_handle; + uint64_t tag; +}; + +/* Endpoint RX/TX descriptor */ +struct ffa_endpoint_rxtx_descriptor_1_0 { + uint16_t sender_id; + uint16_t reserved; + uint32_t rx_range_count; + uint32_t tx_range_count; +}; + +struct ffa_endpoint_rxtx_descriptor_1_1 { + uint16_t sender_id; + uint16_t reserved; + uint32_t rx_region_offs; + uint32_t tx_region_offs; +}; + +struct ffa_ctx { + void *rx; + void *tx; + struct page_info *rx_pg; + struct page_info *tx_pg; + unsigned int page_count; + uint32_t guest_vers; + bool tx_is_mine; + bool interrupted; + struct list_head frag_list; + spinlock_t lock; +}; + +struct ffa_shm_mem { + struct list_head list; + uint16_t sender_id; + uint16_t ep_id; /* endpoint, the one lending */ + uint64_t handle; /* FFA_HANDLE_INVALID if not set yet */ + unsigned int page_count; + struct page_info *pages[]; +}; + +struct mem_frag_state { + struct list_head list; + struct ffa_shm_mem *shm; + uint32_t range_count; + unsigned int current_page_idx; + unsigned int frag_offset; + unsigned int range_offset; + uint8_t *buf; + unsigned int buf_size; + struct ffa_address_range range; +}; + +/* + * Our rx/rx buffer shared with the SPMC + */ +static uint32_t ffa_version; +static uint16_t *subsr_vm_created; +static unsigned int subsr_vm_created_count; +static uint16_t *subsr_vm_destroyed; +static unsigned int subsr_vm_destroyed_count; +static void *ffa_rx; +static void *ffa_tx; +static unsigned int ffa_page_count; +static DEFINE_SPINLOCK(ffa_buffer_lock); + +static LIST_HEAD(ffa_mem_list); +static DEFINE_SPINLOCK(ffa_mem_list_lock); + +static uint64_t next_handle = FFA_HANDLE_HYP_FLAG; + +static inline uint64_t reg_pair_to_64(uint32_t reg0, uint32_t reg1) +{ + return (uint64_t)reg0 << 32 | reg1; +} + +static void inline reg_pair_from_64(uint32_t *reg0, uint32_t *reg1, + uint64_t val) +{ + *reg0 = val >> 32; + *reg1 = val; +} + +static bool ffa_get_version(uint32_t *vers) +{ + const struct arm_smccc_1_2_regs arg = { + .a0 = FFA_VERSION, .a1 = FFA_MY_VERSION, + }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + if ( resp.a0 == FFA_RET_NOT_SUPPORTED ) + { + printk(XENLOG_ERR "ffa: FFA_VERSION returned not supported\n"); + return false; + } + + *vers = resp.a0; + return true; +} + +static uint32_t get_ffa_ret_code(const struct arm_smccc_1_2_regs *resp) +{ + switch ( resp->a0 ) + { + case FFA_ERROR: + if ( resp->a2 ) + return resp->a2; + else + return FFA_RET_NOT_SUPPORTED; + case FFA_SUCCESS_32: + case FFA_SUCCESS_64: + return FFA_RET_OK; + default: + return FFA_RET_NOT_SUPPORTED; + } +} + +static uint32_t ffa_features(uint32_t id) +{ + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_FEATURES, .a1 = id, }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + return get_ffa_ret_code(&resp); +} + +static bool check_mandatory_feature(uint32_t id) +{ + uint32_t ret = ffa_features(id); + + if (ret) + printk(XENLOG_ERR "ffa: mandatory feature id %#x missing\n", id); + return !ret; +} + +static uint32_t ffa_rxtx_map(register_t tx_addr, register_t rx_addr, + uint32_t page_count) +{ + const struct arm_smccc_1_2_regs arg = { +#ifdef CONFIG_ARM_64 + .a0 = FFA_RXTX_MAP_64, +#endif +#ifdef CONFIG_ARM_32 + .a0 = FFA_RXTX_MAP_32, +#endif + .a1 = tx_addr, .a2 = rx_addr, + .a3 = page_count, + }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + + return get_ffa_ret_code(&resp); +} + +static uint32_t ffa_rxtx_unmap(uint16_t vm_id) +{ + const struct arm_smccc_1_2_regs arg = { + .a0 = FFA_RXTX_UNMAP, .a1 = vm_id, + }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + + return get_ffa_ret_code(&resp); +} + +static uint32_t ffa_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, + uint32_t w4, uint32_t w5, + uint32_t *count) +{ + const struct arm_smccc_1_2_regs arg = { + .a0 = FFA_PARTITION_INFO_GET, .a1 = w1, .a2 = w2, .a3 = w3, .a4 = w4, + .a5 = w5, + }; + struct arm_smccc_1_2_regs resp; + uint32_t ret; + + arm_smccc_1_2_smc(&arg, &resp); + + ret = get_ffa_ret_code(&resp); + if ( !ret ) + *count = resp.a2; + + return ret; +} + +static uint32_t ffa_rx_release(void) +{ + const struct arm_smccc_1_2_regs arg = { .a0 = FFA_RX_RELEASE, }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + + return get_ffa_ret_code(&resp); +} + +static int32_t ffa_mem_share(uint32_t tot_len, uint32_t frag_len, + register_t addr, uint32_t pg_count, + uint64_t *handle) +{ + struct arm_smccc_1_2_regs arg = { + .a0 = FFA_MEM_SHARE_32, .a1 = tot_len, .a2 = frag_len, .a3 = addr, + .a4 = pg_count, + }; + struct arm_smccc_1_2_regs resp; + + /* + * For arm64 we must use 64-bit calling convention if the buffer isn't + * passed in our tx buffer. + */ + if (sizeof(addr) > 4 && addr) + arg.a0 = FFA_MEM_SHARE_64; + + arm_smccc_1_2_smc(&arg, &resp); + + switch ( resp.a0 ) + { + case FFA_ERROR: + if ( resp.a2 ) + return resp.a2; + else + return FFA_RET_NOT_SUPPORTED; + case FFA_SUCCESS_32: + *handle = reg_pair_to_64(resp.a3, resp.a2); + return FFA_RET_OK; + case FFA_MEM_FRAG_RX: + *handle = reg_pair_to_64(resp.a2, resp.a1); + return resp.a3; + default: + return FFA_RET_NOT_SUPPORTED; + } +} + +static int32_t ffa_mem_frag_tx(uint64_t handle, uint32_t frag_len, + uint16_t sender_id) +{ + struct arm_smccc_1_2_regs arg = { + .a0 = FFA_MEM_FRAG_TX, .a1 = handle & UINT32_MAX, .a2 = handle >> 32, + .a3 = frag_len, .a4 = (uint32_t)sender_id << 16, + }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + + switch ( resp.a0 ) + { + case FFA_ERROR: + if ( resp.a2 ) + return resp.a2; + else + return FFA_RET_NOT_SUPPORTED; + case FFA_SUCCESS_32: + return FFA_RET_OK; + case FFA_MEM_FRAG_RX: + return resp.a3; + default: + return FFA_RET_NOT_SUPPORTED; + } +} + +static uint32_t ffa_mem_reclaim(uint32_t handle_lo, uint32_t handle_hi, + uint32_t flags) +{ + const struct arm_smccc_1_2_regs arg = { + .a0 = FFA_MEM_RECLAIM, .a1 = handle_lo, .a2 = handle_hi, .a3 = flags, + }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + + return get_ffa_ret_code(&resp); +} + +static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, + uint8_t msg) +{ + uint32_t exp_resp = FFA_MSG_FLAG_FRAMEWORK; + int32_t res; + + if ( msg != FFA_MSG_SEND_VM_CREATED && msg !=FFA_MSG_SEND_VM_DESTROYED ) + return FFA_RET_INVALID_PARAMETERS; + + if ( msg == FFA_MSG_SEND_VM_CREATED ) + exp_resp |= FFA_MSG_RESP_VM_CREATED; + else + exp_resp |= FFA_MSG_RESP_VM_DESTROYED; + + do { + const struct arm_smccc_1_2_regs arg = { + .a0 = FFA_MSG_SEND_DIRECT_REQ_32, + .a1 = sp_id, + .a2 = FFA_MSG_FLAG_FRAMEWORK | msg, + .a5 = vm_id, + }; + struct arm_smccc_1_2_regs resp; + + arm_smccc_1_2_smc(&arg, &resp); + if ( resp.a0 != FFA_MSG_SEND_DIRECT_RESP_32 || resp.a2 != exp_resp ) + { + /* + * This is an invalid response, likely due to some error in the + * implementation of the ABI. + */ + return FFA_RET_INVALID_PARAMETERS; + } + res = resp.a3; + } while ( res == FFA_RET_INTERRUPTED || res == FFA_RET_RETRY ); + + return res; +} + +static u16 get_vm_id(struct domain *d) +{ + /* +1 since 0 is reserved for the hypervisor in FF-A */ + return d->domain_id + 1; +} + +static void set_regs(struct cpu_user_regs *regs, register_t v0, register_t v1, + register_t v2, register_t v3, register_t v4, register_t v5, + register_t v6, register_t v7) +{ + set_user_reg(regs, 0, v0); + set_user_reg(regs, 1, v1); + set_user_reg(regs, 2, v2); + set_user_reg(regs, 3, v3); + set_user_reg(regs, 4, v4); + set_user_reg(regs, 5, v5); + set_user_reg(regs, 6, v6); + set_user_reg(regs, 7, v7); +} + +static void set_regs_error(struct cpu_user_regs *regs, uint32_t error_code) +{ + set_regs(regs, FFA_ERROR, 0, error_code, 0, 0, 0, 0, 0); +} + +static void set_regs_success(struct cpu_user_regs *regs, uint32_t w2, + uint32_t w3) +{ + set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, 0, 0, 0, 0); +} + +static void set_regs_frag_rx(struct cpu_user_regs *regs, uint32_t handle_lo, + uint32_t handle_hi, uint32_t frag_offset, + uint16_t sender_id) +{ + set_regs(regs, FFA_MEM_FRAG_RX, handle_lo, handle_hi, frag_offset, + (uint32_t)sender_id << 16, 0, 0, 0); +} + +static void handle_version(struct cpu_user_regs *regs) +{ + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + uint32_t vers = get_user_reg(regs, 1); + + if ( vers < FFA_VERSION_1_1 ) + vers = FFA_VERSION_1_0; + else + vers = FFA_VERSION_1_1; + + ctx->guest_vers = vers; + set_regs(regs, vers, 0, 0, 0, 0, 0, 0, 0); +} + +static uint32_t handle_rxtx_map(uint32_t fid, register_t tx_addr, + register_t rx_addr, uint32_t page_count) +{ + uint32_t ret = FFA_RET_INVALID_PARAMETERS; + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + struct page_info *tx_pg; + struct page_info *rx_pg; + p2m_type_t t; + void *rx; + void *tx; + + if ( !smccc_is_conv_64(fid) ) + { + tx_addr &= UINT32_MAX; + rx_addr &= UINT32_MAX; + } + + /* For now to keep things simple, only deal with a single page */ + if ( page_count != 1 ) + return FFA_RET_NOT_SUPPORTED; + + /* Already mapped */ + if ( ctx->rx ) + return FFA_RET_DENIED; + + tx_pg = get_page_from_gfn(d, gaddr_to_gfn(tx_addr), &t, P2M_ALLOC); + if ( !tx_pg ) + return FFA_RET_INVALID_PARAMETERS; + /* Only normal RAM for now */ + if (t != p2m_ram_rw) + goto err_put_tx_pg; + + rx_pg = get_page_from_gfn(d, gaddr_to_gfn(rx_addr), &t, P2M_ALLOC); + if ( !tx_pg ) + goto err_put_tx_pg; + /* Only normal RAM for now */ + if ( t != p2m_ram_rw ) + goto err_put_rx_pg; + + tx = __map_domain_page_global(tx_pg); + if ( !tx ) + goto err_put_rx_pg; + + rx = __map_domain_page_global(rx_pg); + if ( !rx ) + goto err_unmap_tx; + + ctx->rx = rx; + ctx->tx = tx; + ctx->rx_pg = rx_pg; + ctx->tx_pg = tx_pg; + ctx->page_count = 1; + ctx->tx_is_mine = true; + return FFA_RET_OK; + +err_unmap_tx: + unmap_domain_page_global(tx); +err_put_rx_pg: + put_page(rx_pg); +err_put_tx_pg: + put_page(tx_pg); + return ret; +} + +static uint32_t handle_rxtx_unmap(void) +{ + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + uint32_t ret; + + if ( !ctx->rx ) + return FFA_RET_INVALID_PARAMETERS; + + ret = ffa_rxtx_unmap(get_vm_id(d)); + if ( ret ) + return ret; + + unmap_domain_page_global(ctx->rx); + unmap_domain_page_global(ctx->tx); + put_page(ctx->rx_pg); + put_page(ctx->tx_pg); + ctx->rx = NULL; + ctx->tx = NULL; + ctx->rx_pg = NULL; + ctx->tx_pg = NULL; + ctx->page_count = 0; + ctx->tx_is_mine = false; + + return FFA_RET_OK; +} + +static uint32_t handle_partition_info_get(uint32_t w1, uint32_t w2, uint32_t w3, + uint32_t w4, uint32_t w5, + uint32_t *count) +{ + uint32_t ret = FFA_RET_DENIED; + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + + if ( !ffa_page_count ) + return FFA_RET_DENIED; + + spin_lock(&ctx->lock); + if ( !ctx->page_count || !ctx->tx_is_mine ) + goto out; + ret = ffa_partition_info_get(w1, w2, w3, w4, w5, count); + if ( ret ) + goto out; + if ( ctx->guest_vers == FFA_VERSION_1_0 ) + { + size_t n; + struct ffa_partition_info_1_1 *src = ffa_rx; + struct ffa_partition_info_1_0 *dst = ctx->rx; + + for ( n = 0; n < *count; n++ ) + { + dst[n].id = src[n].id; + dst[n].execution_context = src[n].execution_context; + dst[n].partition_properties = src[n].partition_properties; + } + } + else + { + size_t sz = *count * sizeof(struct ffa_partition_info_1_1); + + memcpy(ctx->rx, ffa_rx, sz); + } + ffa_rx_release(); + ctx->tx_is_mine = false; +out: + spin_unlock(&ctx->lock); + + return ret; +} + +static uint32_t handle_rx_release(void) +{ + uint32_t ret = FFA_RET_DENIED; + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + + spin_lock(&ctx->lock); + if ( !ctx->page_count || ctx->tx_is_mine ) + goto out; + ret = FFA_RET_OK; + ctx->tx_is_mine = true; +out: + spin_unlock(&ctx->lock); + + return ret; +} + +static void handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid) +{ + struct arm_smccc_1_2_regs arg = { .a0 = fid, }; + struct arm_smccc_1_2_regs resp = { }; + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + uint32_t src_dst; + uint64_t mask; + + if ( smccc_is_conv_64(fid) ) + mask = 0xffffffffffffffff; + else + mask = 0xffffffff; + + src_dst = get_user_reg(regs, 1); + if ( (src_dst >> 16) != get_vm_id(d) ) + { + resp.a0 = FFA_ERROR; + resp.a2 = FFA_RET_INVALID_PARAMETERS; + goto out; + } + + arg.a1 = src_dst; + arg.a2 = get_user_reg(regs, 2) & mask; + arg.a3 = get_user_reg(regs, 3) & mask; + arg.a4 = get_user_reg(regs, 4) & mask; + arg.a5 = get_user_reg(regs, 5) & mask; + arg.a6 = get_user_reg(regs, 6) & mask; + arg.a7 = get_user_reg(regs, 7) & mask; + + while ( true ) + { + arm_smccc_1_2_smc(&arg, &resp); + + switch ( resp.a0 ) + { + case FFA_INTERRUPT: + ctx->interrupted = true; + goto out; + case FFA_ERROR: + case FFA_SUCCESS_32: + case FFA_SUCCESS_64: + case FFA_MSG_SEND_DIRECT_RESP_32: + case FFA_MSG_SEND_DIRECT_RESP_64: + goto out; + default: + /* Bad fid, report back. */ + memset(&arg, 0, sizeof(arg)); + arg.a0 = FFA_ERROR; + arg.a1 = src_dst; + arg.a2 = FFA_RET_NOT_SUPPORTED; + continue; + } + } + +out: + set_user_reg(regs, 0, resp.a0); + set_user_reg(regs, 1, resp.a1 & mask); + set_user_reg(regs, 2, resp.a2 & mask); + set_user_reg(regs, 3, resp.a3 & mask); + set_user_reg(regs, 4, resp.a4 & mask); + set_user_reg(regs, 5, resp.a5 & mask); + set_user_reg(regs, 6, resp.a6 & mask); + set_user_reg(regs, 7, resp.a7 & mask); +} + +static int get_shm_pages(struct domain *d, struct ffa_shm_mem *shm, + struct ffa_address_range *range, uint32_t range_count, + unsigned int start_page_idx, + unsigned int *last_page_idx) +{ + unsigned int pg_idx = start_page_idx; + unsigned long gfn; + unsigned int n; + unsigned int m; + p2m_type_t t; + uint64_t addr; + + for ( n = 0; n < range_count; n++ ) + { + for ( m = 0; m < range[n].page_count; m++ ) + { + if ( pg_idx >= shm->page_count ) + return FFA_RET_INVALID_PARAMETERS; + + addr = read_atomic(&range[n].address); + gfn = gaddr_to_gfn(addr + m * PAGE_SIZE); + shm->pages[pg_idx] = get_page_from_gfn(d, gfn, &t, P2M_ALLOC); + if ( !shm->pages[pg_idx] ) + return FFA_RET_DENIED; + pg_idx++; + /* Only normal RAM for now */ + if ( t != p2m_ram_rw ) + return FFA_RET_DENIED; + } + } + + *last_page_idx = pg_idx; + + return FFA_RET_OK; +} + +static void put_shm_pages(struct ffa_shm_mem *shm) +{ + unsigned int n; + + for ( n = 0; n < shm->page_count && shm->pages[n]; n++ ) + { + put_page(shm->pages[n]); + shm->pages[n] = NULL; + } +} + +static void init_range(struct ffa_address_range *addr_range, + paddr_t pa) +{ + memset(addr_range, 0, sizeof(*addr_range)); + addr_range->address = pa; + addr_range->page_count = 1; +} + +static int share_shm(struct ffa_shm_mem *shm) +{ + uint32_t max_frag_len = ffa_page_count * PAGE_SIZE; + struct ffa_mem_transaction_1_1 *descr = ffa_tx; + struct ffa_mem_access *mem_access_array; + struct ffa_mem_region *region_descr; + struct ffa_address_range *addr_range; + paddr_t pa; + paddr_t last_pa; + unsigned int n; + uint32_t frag_len; + uint32_t tot_len; + int ret; + unsigned int range_count; + unsigned int range_base; + bool first; + + memset(descr, 0, sizeof(*descr)); + descr->sender_id = shm->sender_id; + descr->global_handle = shm->handle; + descr->mem_reg_attr = FFA_NORMAL_MEM_REG_ATTR; + descr->mem_access_count = 1; + descr->mem_access_size = sizeof(*mem_access_array); + descr->mem_access_offs = sizeof(*descr); + mem_access_array = (void *)(descr + 1); + region_descr = (void *)(mem_access_array + 1); + + memset(mem_access_array, 0, sizeof(*mem_access_array)); + mem_access_array[0].access_perm.endpoint_id = shm->ep_id; + mem_access_array[0].access_perm.perm = FFA_MEM_ACC_RW; + mem_access_array[0].region_offs = (vaddr_t)region_descr - (vaddr_t)ffa_tx; + + memset(region_descr, 0, sizeof(*region_descr)); + region_descr->total_page_count = shm->page_count; + + region_descr->address_range_count = 1; + last_pa = page_to_maddr(shm->pages[0]); + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) + { + pa = page_to_maddr(shm->pages[n]); + if ( last_pa + PAGE_SIZE == pa ) + { + continue; + } + region_descr->address_range_count++; + } + + tot_len = sizeof(*descr) + sizeof(*mem_access_array) + + sizeof(*region_descr) + + region_descr->address_range_count * sizeof(*addr_range); + + addr_range = region_descr->address_range_array; + frag_len = (vaddr_t)(addr_range + 1) - (vaddr_t)ffa_tx; + last_pa = page_to_maddr(shm->pages[0]); + init_range(addr_range, last_pa); + first = true; + range_count = 1; + range_base = 0; + for ( n = 1; n < shm->page_count; last_pa = pa, n++ ) + { + pa = page_to_maddr(shm->pages[n]); + if ( last_pa + PAGE_SIZE == pa ) + { + addr_range->page_count++; + continue; + } + + if ( frag_len == max_frag_len ) + { + if ( first ) + { + ret = ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); + first = false; + } + else + { + ret = ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); + } + if ( ret <= 0) + return ret; + range_base = range_count; + range_count = 0; + frag_len = sizeof(*addr_range); + addr_range = ffa_tx; + } + else + { + frag_len += sizeof(*addr_range); + addr_range++; + } + init_range(addr_range, pa); + range_count++; + } + + if ( first ) + return ffa_mem_share(tot_len, frag_len, 0, 0, &shm->handle); + else + return ffa_mem_frag_tx(shm->handle, frag_len, shm->sender_id); +} + +static int read_mem_transaction(uint32_t ffa_vers, void *buf, size_t blen, + struct ffa_mem_transaction_x *trans) +{ + uint16_t mem_reg_attr; + uint32_t flags; + uint32_t count; + uint32_t offs; + uint32_t size; + + if ( ffa_vers >= FFA_VERSION_1_1 ) + { + struct ffa_mem_transaction_1_1 *descr; + + if ( blen < sizeof(*descr) ) + return FFA_RET_INVALID_PARAMETERS; + + descr = buf; + trans->sender_id = read_atomic(&descr->sender_id); + mem_reg_attr = read_atomic(&descr->mem_reg_attr); + flags = read_atomic(&descr->flags); + trans->global_handle = read_atomic(&descr->global_handle); + trans->tag = read_atomic(&descr->tag); + + count = read_atomic(&descr->mem_access_count); + size = read_atomic(&descr->mem_access_size); + offs = read_atomic(&descr->mem_access_offs); + } + else + { + struct ffa_mem_transaction_1_0 *descr; + + if ( blen < sizeof(*descr) ) + return FFA_RET_INVALID_PARAMETERS; + + descr = buf; + trans->sender_id = read_atomic(&descr->sender_id); + mem_reg_attr = read_atomic(&descr->mem_reg_attr); + flags = read_atomic(&descr->flags); + trans->global_handle = read_atomic(&descr->global_handle); + trans->tag = read_atomic(&descr->tag); + + count = read_atomic(&descr->mem_access_count); + size = sizeof(struct ffa_mem_access); + offs = offsetof(struct ffa_mem_transaction_1_0, mem_access_array); + } + + if ( mem_reg_attr > UINT8_MAX || flags > UINT8_MAX || size > UINT8_MAX || + count > UINT8_MAX || offs > UINT16_MAX ) + return FFA_RET_INVALID_PARAMETERS; + + /* Check that the endpoint memory access descriptor array fits */ + if ( size * count + offs > blen ) + return FFA_RET_INVALID_PARAMETERS; + + trans->mem_reg_attr = mem_reg_attr; + trans->flags = flags; + trans->mem_access_size = size; + trans->mem_access_count = count; + trans->mem_access_offs = offs; + return 0; +} + +static int add_mem_share_frag(struct mem_frag_state *s, unsigned int offs, + unsigned int frag_len) +{ + struct domain *d = current->domain; + unsigned int o = offs; + unsigned int l; + int ret; + + if ( frag_len < o ) + return FFA_RET_INVALID_PARAMETERS; + + /* Fill up the first struct ffa_address_range */ + l = min_t(unsigned int, frag_len - o, sizeof(s->range) - s->range_offset); + memcpy((uint8_t *)&s->range + s->range_offset, s->buf + o, l); + s->range_offset += l; + o += l; + if ( s->range_offset != sizeof(s->range) ) + goto out; + s->range_offset = 0; + + while ( true ) + { + ret = get_shm_pages(d, s->shm, &s->range, 1, s->current_page_idx, + &s->current_page_idx); + if ( ret ) + return ret; + if ( s->range_count == 1 ) + return 0; + s->range_count--; + if ( frag_len - o < sizeof(s->range) ) + break; + memcpy(&s->range, s->buf + o, sizeof(s->range)); + o += sizeof(s->range); + } + + /* Collect any remaining bytes for the next struct ffa_address_range */ + s->range_offset = frag_len - o; + memcpy(&s->range, s->buf + o, frag_len - o); +out: + s->frag_offset += frag_len; + return s->frag_offset; +} + +static void handle_mem_share(struct cpu_user_regs *regs) +{ + uint32_t tot_len = get_user_reg(regs, 1); + uint32_t frag_len = get_user_reg(regs, 2); + uint64_t addr = get_user_reg(regs, 3); + uint32_t page_count = get_user_reg(regs, 4); + struct ffa_mem_transaction_x trans; + struct ffa_mem_access *mem_access; + struct ffa_mem_region *region_descr; + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + struct ffa_shm_mem *shm = NULL; + unsigned int last_page_idx = 0; + uint32_t range_count; + uint32_t region_offs; + int ret = FFA_RET_DENIED; + uint32_t handle_hi = 0; + uint32_t handle_lo = 0; + + /* + * We're only accepting memory transaction descriptors via the rx/tx + * buffer. + */ + if ( addr ) + { + ret = FFA_RET_NOT_SUPPORTED; + goto out_unlock; + } + + /* Check that fragment legnth doesn't exceed total length */ + if ( frag_len > tot_len ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + spin_lock(&ctx->lock); + + if ( frag_len > ctx->page_count * PAGE_SIZE ) + goto out_unlock; + + if ( !ffa_page_count ) + { + ret = FFA_RET_NO_MEMORY; + goto out_unlock; + } + + ret = read_mem_transaction(ctx->guest_vers, ctx->tx, frag_len, &trans); + if ( ret ) + goto out_unlock; + + if ( trans.mem_reg_attr != FFA_NORMAL_MEM_REG_ATTR ) + { + ret = FFA_RET_NOT_SUPPORTED; + goto out; + } + + /* Only supports sharing it with one SP for now */ + if ( trans.mem_access_count != 1 ) + { + ret = FFA_RET_NOT_SUPPORTED; + goto out_unlock; + } + + if ( trans.sender_id != get_vm_id(d) ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + /* Check that it fits in the supplied data */ + if ( trans.mem_access_offs + trans.mem_access_size > frag_len ) + goto out_unlock; + + mem_access = (void *)((vaddr_t)ctx->tx + trans.mem_access_offs); + if ( read_atomic(&mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) + { + ret = FFA_RET_NOT_SUPPORTED; + goto out_unlock; + } + + region_offs = read_atomic(&mem_access->region_offs); + if ( sizeof(*region_descr) + region_offs > frag_len ) + { + ret = FFA_RET_NOT_SUPPORTED; + goto out_unlock; + } + + region_descr = (void *)((vaddr_t)ctx->tx + region_offs); + range_count = read_atomic(®ion_descr->address_range_count); + page_count = read_atomic(®ion_descr->total_page_count); + + shm = xzalloc_flex_struct(struct ffa_shm_mem, pages, page_count); + if ( !shm ) + { + ret = FFA_RET_NO_MEMORY; + goto out; + } + shm->sender_id = trans.sender_id; + shm->ep_id = read_atomic(&mem_access->access_perm.endpoint_id); + shm->page_count = page_count; + + if ( frag_len != tot_len ) + { + struct mem_frag_state *s = xzalloc(struct mem_frag_state); + + if ( !s ) + { + ret = FFA_RET_NO_MEMORY; + goto out; + } + s->shm = shm; + s->range_count = range_count; + s->buf = ctx->tx; + s->buf_size = ffa_page_count * PAGE_SIZE; + ret = add_mem_share_frag(s, sizeof(*region_descr) + region_offs, + frag_len); + if ( ret <= 0 ) + { + xfree(s); + if ( ret < 0 ) + goto out; + } + else + { + shm->handle = next_handle++; + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); + list_add_tail(&s->list, &ctx->frag_list); + } + goto out_unlock; + } + + /* + * Check that the Composite memory region descriptor fits. + */ + if ( sizeof(*region_descr) + region_offs + + range_count * sizeof(struct ffa_address_range) > frag_len ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out; + } + + ret = get_shm_pages(d, shm, region_descr->address_range_array, range_count, + 0, &last_page_idx); + if ( ret ) + goto out; + if ( last_page_idx != shm->page_count ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out; + } + + /* Note that share_shm() uses our tx buffer */ + spin_lock(&ffa_buffer_lock); + ret = share_shm(shm); + spin_unlock(&ffa_buffer_lock); + if ( ret ) + goto out; + + spin_lock(&ffa_mem_list_lock); + list_add_tail(&shm->list, &ffa_mem_list); + spin_unlock(&ffa_mem_list_lock); + + reg_pair_from_64(&handle_hi, &handle_lo, shm->handle); + +out: + if ( ret && shm ) + { + put_shm_pages(shm); + xfree(shm); + } +out_unlock: + spin_unlock(&ctx->lock); + + if ( ret > 0 ) + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, trans.sender_id); + else if ( ret == 0) + set_regs_success(regs, handle_lo, handle_hi); + else + set_regs_error(regs, ret); +} + +static struct mem_frag_state *find_frag_state(struct ffa_ctx *ctx, + uint64_t handle) +{ + struct mem_frag_state *s; + + list_for_each_entry(s, &ctx->frag_list, list) + if ( s->shm->handle == handle ) + return s; + + return NULL; +} + +static void handle_mem_frag_tx(struct cpu_user_regs *regs) +{ + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + uint32_t frag_len = get_user_reg(regs, 3); + uint32_t handle_lo = get_user_reg(regs, 1); + uint32_t handle_hi = get_user_reg(regs, 2); + uint64_t handle = reg_pair_to_64(handle_hi, handle_lo); + struct mem_frag_state *s; + uint16_t sender_id = 0; + int ret; + + spin_lock(&ctx->lock); + s = find_frag_state(ctx, handle); + if ( !s ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out; + } + sender_id = s->shm->sender_id; + + if ( frag_len > s->buf_size ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out; + } + + ret = add_mem_share_frag(s, 0, frag_len); + if ( ret == 0 ) + { + /* Note that share_shm() uses our tx buffer */ + spin_lock(&ffa_buffer_lock); + ret = share_shm(s->shm); + spin_unlock(&ffa_buffer_lock); + if ( ret == 0 ) + { + spin_lock(&ffa_mem_list_lock); + list_add_tail(&s->shm->list, &ffa_mem_list); + spin_unlock(&ffa_mem_list_lock); + } + else + { + put_shm_pages(s->shm); + xfree(s->shm); + } + list_del(&s->list); + xfree(s); + } + else if ( ret < 0 ) + { + put_shm_pages(s->shm); + xfree(s->shm); + list_del(&s->list); + xfree(s); + } +out: + spin_unlock(&ctx->lock); + + if ( ret > 0 ) + set_regs_frag_rx(regs, handle_lo, handle_hi, ret, sender_id); + else if ( ret == 0) + set_regs_success(regs, handle_lo, handle_hi); + else + set_regs_error(regs, ret); +} + +static int handle_mem_reclaim(uint64_t handle, uint32_t flags) +{ + struct ffa_shm_mem *shm; + uint32_t handle_hi; + uint32_t handle_lo; + int ret; + + spin_lock(&ffa_mem_list_lock); + list_for_each_entry(shm, &ffa_mem_list, list) + { + if ( shm->handle == handle ) + goto found_it; + } + shm = NULL; +found_it: + spin_unlock(&ffa_mem_list_lock); + + if ( !shm ) + return FFA_RET_INVALID_PARAMETERS; + + reg_pair_from_64(&handle_hi, &handle_lo, handle); + ret = ffa_mem_reclaim(handle_lo, handle_hi, flags); + if ( ret ) + return ret; + + spin_lock(&ffa_mem_list_lock); + list_del(&shm->list); + spin_unlock(&ffa_mem_list_lock); + + put_shm_pages(shm); + xfree(shm); + + return ret; +} + +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) +{ + struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.ffa; + uint32_t count; + uint32_t e; + + if ( !ctx ) + return false; + + switch ( fid ) + { + case FFA_VERSION: + handle_version(regs); + return true; + case FFA_ID_GET: + set_regs_success(regs, get_vm_id(d), 0); + return true; + case FFA_RXTX_MAP_32: +#ifdef CONFIG_ARM_64 + case FFA_RXTX_MAP_64: +#endif + e = handle_rxtx_map(fid, get_user_reg(regs, 1), get_user_reg(regs, 2), + get_user_reg(regs, 3)); + if ( e ) + set_regs_error(regs, e); + else + set_regs_success(regs, 0, 0); + return true; + case FFA_RXTX_UNMAP: + e = handle_rxtx_unmap(); + if ( e ) + set_regs_error(regs, e); + else + set_regs_success(regs, 0, 0); + return true; + case FFA_PARTITION_INFO_GET: + e = handle_partition_info_get(get_user_reg(regs, 1), + get_user_reg(regs, 2), + get_user_reg(regs, 3), + get_user_reg(regs, 4), + get_user_reg(regs, 5), &count); + if ( e ) + set_regs_error(regs, e); + else + set_regs_success(regs, count, 0); + return true; + case FFA_RX_RELEASE: + e = handle_rx_release(); + if ( e ) + set_regs_error(regs, e); + else + set_regs_success(regs, 0, 0); + return true; + case FFA_MSG_SEND_DIRECT_REQ_32: +#ifdef CONFIG_ARM_64 + case FFA_MSG_SEND_DIRECT_REQ_64: +#endif + handle_msg_send_direct_req(regs, fid); + return true; + case FFA_MEM_SHARE_32: +#ifdef CONFIG_ARM_64 + case FFA_MEM_SHARE_64: +#endif + handle_mem_share(regs); + return true; + case FFA_MEM_RECLAIM: + e = handle_mem_reclaim(reg_pair_to_64(get_user_reg(regs, 2), + get_user_reg(regs, 1)), + get_user_reg(regs, 3)); + if ( e ) + set_regs_error(regs, e); + else + set_regs_success(regs, 0, 0); + return true; + case FFA_MEM_FRAG_TX: + handle_mem_frag_tx(regs); + return true; + + default: + printk(XENLOG_ERR "ffa: unhandled fid 0x%x\n", fid); + return false; + } +} + +int ffa_domain_init(struct domain *d, bool ffa_enabled) +{ + struct ffa_ctx *ctx; + unsigned int n; + unsigned int m; + unsigned int c_pos; + int32_t res; + + if ( !ffa_version || !ffa_enabled ) + return 0; + + ctx = xzalloc(struct ffa_ctx); + if ( !ctx ) + return -ENOMEM; + + for ( n = 0; n < subsr_vm_created_count; n++ ) + { + res = ffa_direct_req_send_vm(subsr_vm_created[n], get_vm_id(d), + FFA_MSG_SEND_VM_CREATED); + if ( res ) + { + printk(XENLOG_ERR "ffa: Failed to report creation of vm_id %u to %u: res %d\n", + get_vm_id(d), subsr_vm_created[n], res); + c_pos = n; + goto err; + } + } + + INIT_LIST_HEAD(&ctx->frag_list); + + d->arch.ffa = ctx; + + return 0; + +err: + /* Undo any already sent vm created messaged */ + for ( n = 0; n < c_pos; n++ ) + for ( m = 0; m < subsr_vm_destroyed_count; m++ ) + if ( subsr_vm_destroyed[m] == subsr_vm_created[n] ) + ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), + FFA_MSG_SEND_VM_DESTROYED); + return -ENOMEM; +} + +int ffa_relinquish_resources(struct domain *d) +{ + struct ffa_ctx *ctx = d->arch.ffa; + unsigned int n; + int32_t res; + + if ( !ctx ) + return 0; + + for ( n = 0; n < subsr_vm_destroyed_count; n++ ) + { + res = ffa_direct_req_send_vm(subsr_vm_destroyed[n], get_vm_id(d), + FFA_MSG_SEND_VM_DESTROYED); + + if ( res ) + printk(XENLOG_ERR "ffa: Failed to report destruction of vm_id %u to %u: res %d\n", + get_vm_id(d), subsr_vm_destroyed[n], res); + } + + XFREE(d->arch.ffa); + + return 0; +} + +static bool __init init_subscribers(void) +{ + struct ffa_partition_info_1_1 *fpi; + bool ret = false; + uint32_t count; + uint32_t e; + uint32_t n; + uint32_t c_pos; + uint32_t d_pos; + + if ( ffa_version < FFA_VERSION_1_1 ) + return true; + + e = ffa_partition_info_get(0, 0, 0, 0, 1, &count); + ffa_rx_release(); + if ( e ) + { + printk(XENLOG_ERR "ffa: Failed to get list of SPs: %d\n", (int)e); + goto out; + } + + fpi = ffa_rx; + subsr_vm_created_count = 0; + subsr_vm_destroyed_count = 0; + for ( n = 0; n < count; n++ ) + { + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED) + subsr_vm_created_count++; + if (fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED) + subsr_vm_destroyed_count++; + } + + if ( subsr_vm_created_count ) + subsr_vm_created = xzalloc_array(uint16_t, subsr_vm_created_count); + if ( subsr_vm_destroyed_count ) + subsr_vm_destroyed = xzalloc_array(uint16_t, subsr_vm_destroyed_count); + if ( (subsr_vm_created_count && !subsr_vm_created) || + (subsr_vm_destroyed_count && !subsr_vm_destroyed) ) + { + printk(XENLOG_ERR "ffa: Failed to allocate subscription lists\n"); + subsr_vm_created_count = 0; + subsr_vm_destroyed_count = 0; + XFREE(subsr_vm_created); + XFREE(subsr_vm_destroyed); + goto out; + } + + for ( c_pos = 0, d_pos = 0, n = 0; n < count; n++ ) + { + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_CREATED ) + subsr_vm_created[c_pos++] = fpi[n].id; + if ( fpi[n].partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) + subsr_vm_destroyed[d_pos++] = fpi[n].id; + } + + ret = true; +out: + ffa_rx_release(); + return ret; +} + +static int __init ffa_init(void) +{ + uint32_t vers; + uint32_t e; + unsigned int major_vers; + unsigned int minor_vers; + + /* + * psci_init_smccc() updates this value with what's reported by EL-3 + * or secure world. + */ + if ( smccc_ver < ARM_SMCCC_VERSION_1_2 ) + { + printk(XENLOG_ERR + "ffa: unsupported SMCCC version %#x (need at least %#x)\n", + smccc_ver, ARM_SMCCC_VERSION_1_2); + return 0; + } + + if ( !ffa_get_version(&vers) ) + return 0; + + if ( vers < FFA_MIN_VERSION || vers > FFA_MY_VERSION ) + { + printk(XENLOG_ERR "ffa: Incompatible version %#x found\n", vers); + return 0; + } + + major_vers = (vers >> FFA_VERSION_MAJOR_SHIFT) & FFA_VERSION_MAJOR_MASK; + minor_vers = vers & FFA_VERSION_MINOR_MASK; + printk(XENLOG_INFO "ARM FF-A Mediator version %u.%u\n", + FFA_VERSION_MAJOR, FFA_VERSION_MINOR); + printk(XENLOG_INFO "ARM FF-A Firmware version %u.%u\n", + major_vers, minor_vers); + + if ( !check_mandatory_feature(FFA_PARTITION_INFO_GET) || + !check_mandatory_feature(FFA_RX_RELEASE) || +#ifdef CONFIG_ARM_64 + !check_mandatory_feature(FFA_RXTX_MAP_64) || + !check_mandatory_feature(FFA_MEM_SHARE_64) || +#endif +#ifdef CONFIG_ARM_32 + !check_mandatory_feature(FFA_RXTX_MAP_32) || +#endif + !check_mandatory_feature(FFA_RXTX_UNMAP) || + !check_mandatory_feature(FFA_MEM_SHARE_32) || + !check_mandatory_feature(FFA_MEM_FRAG_TX) || + !check_mandatory_feature(FFA_MEM_RECLAIM) || + !check_mandatory_feature(FFA_MSG_SEND_DIRECT_REQ_32) ) + return 0; + + ffa_rx = alloc_xenheap_pages(0, 0); + if ( !ffa_rx ) + return 0; + + ffa_tx = alloc_xenheap_pages(0, 0); + if ( !ffa_tx ) + goto err_free_ffa_rx; + + e = ffa_rxtx_map(__pa(ffa_tx), __pa(ffa_rx), 1); + if ( e ) + { + printk(XENLOG_ERR "ffa: Failed to map rxtx: error %d\n", (int)e); + goto err_free_ffa_tx; + } + ffa_page_count = 1; + ffa_version = vers; + + if ( !init_subscribers() ) + goto err_free_ffa_tx; + + return 0; + +err_free_ffa_tx: + free_xenheap_pages(ffa_tx, 0); + ffa_tx = NULL; +err_free_ffa_rx: + free_xenheap_pages(ffa_rx, 0); + ffa_rx = NULL; + ffa_page_count = 0; + ffa_version = 0; + XFREE(subsr_vm_created); + subsr_vm_created_count = 0; + XFREE(subsr_vm_destroyed); + subsr_vm_destroyed_count = 0; + return 0; +} + +__initcall(ffa_init); diff --git a/xen/arch/arm/include/asm/domain.h b/xen/arch/arm/include/asm/domain.h index ed63c2b6f91f..b3dee269bced 100644 --- a/xen/arch/arm/include/asm/domain.h +++ b/xen/arch/arm/include/asm/domain.h @@ -103,6 +103,10 @@ struct arch_domain void *tee; #endif +#ifdef CONFIG_FFA + void *ffa; +#endif + bool directmap; } __cacheline_aligned; diff --git a/xen/arch/arm/include/asm/ffa.h b/xen/arch/arm/include/asm/ffa.h new file mode 100644 index 000000000000..4f4a739345bd --- /dev/null +++ b/xen/arch/arm/include/asm/ffa.h @@ -0,0 +1,71 @@ +/* + * xen/arch/arm/ffa.c + * + * Arm Firmware Framework for ARMv8-A(FFA) mediator + * + * Copyright (C) 2021 Linaro Limited + * + * Permission is hereby granted, free of charge, to any person + * obtaining a copy of this software and associated documentation + * files (the "Software"), to deal in the Software without restriction, + * including without limitation the rights to use, copy, modify, merge, + * publish, distribute, sublicense, and/or sell copies of the Software, + * and to permit persons to whom the Software is furnished to do so, + * subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +#ifndef __ASM_ARM_FFA_H__ +#define __ASM_ARM_FFA_H__ + +#include <xen/const.h> + +#include <asm/smccc.h> +#include <asm/types.h> + +#define FFA_FNUM_MIN_VALUE _AC(0x60,U) +#define FFA_FNUM_MAX_VALUE _AC(0x86,U) + +static inline bool is_ffa_fid(uint32_t fid) +{ + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; + + return fn >= FFA_FNUM_MIN_VALUE && fn <= FFA_FNUM_MAX_VALUE; +} + +#ifdef CONFIG_FFA +#define FFA_NR_FUNCS 11 + +bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid); +int ffa_domain_init(struct domain *d, bool ffa_enabled); +int ffa_relinquish_resources(struct domain *d); +#else +#define FFA_NR_FUNCS 0 + +static inline bool ffa_handle_call(struct cpu_user_regs *regs, uint32_t fid) +{ + return false; +} + +static inline int ffa_domain_init(struct domain *d, bool ffa_enabled) +{ + return 0; +} + +static inline int ffa_relinquish_resources(struct domain *d) +{ + return 0; +} +#endif + +#endif /*__ASM_ARM_FFA_H__*/ diff --git a/xen/arch/arm/vsmc.c b/xen/arch/arm/vsmc.c index 6f90c08a6304..34586025eff8 100644 --- a/xen/arch/arm/vsmc.c +++ b/xen/arch/arm/vsmc.c @@ -20,6 +20,7 @@ #include <public/arch-arm/smccc.h> #include <asm/cpuerrata.h> #include <asm/cpufeature.h> +#include <asm/ffa.h> #include <asm/monitor.h> #include <asm/regs.h> #include <asm/smccc.h> @@ -32,7 +33,7 @@ #define XEN_SMCCC_FUNCTION_COUNT 3 /* Number of functions currently supported by Standard Service Service Calls. */ -#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS) +#define SSSC_SMCCC_FUNCTION_COUNT (3 + VPSCI_NR_FUNCS + FFA_NR_FUNCS) static bool fill_uid(struct cpu_user_regs *regs, xen_uuid_t uuid) { @@ -196,13 +197,23 @@ static bool handle_existing_apis(struct cpu_user_regs *regs) return do_vpsci_0_1_call(regs, fid); } +static bool is_psci_fid(uint32_t fid) +{ + uint32_t fn = fid & ARM_SMCCC_FUNC_MASK; + + return fn >= 0 && fn <= 0x1fU; +} + /* PSCI 0.2 interface and other Standard Secure Calls */ static bool handle_sssc(struct cpu_user_regs *regs) { uint32_t fid = (uint32_t)get_user_reg(regs, 0); - if ( do_vpsci_0_2_call(regs, fid) ) - return true; + if ( is_psci_fid(fid) ) + return do_vpsci_0_2_call(regs, fid); + + if ( is_ffa_fid(fid) ) + return ffa_handle_call(regs, fid); switch ( fid ) { diff --git a/xen/include/public/arch-arm.h b/xen/include/public/arch-arm.h index ab05fe12b0de..53f8d44a6a8e 100644 --- a/xen/include/public/arch-arm.h +++ b/xen/include/public/arch-arm.h @@ -318,6 +318,8 @@ struct xen_arch_domainconfig { /* IN/OUT */ uint8_t gic_version; /* IN */ + uint8_t ffa_enabled; + /* IN */ uint16_t tee_type; /* IN */ uint32_t nr_spis;
Adds a FF-A version 1.1 [1] mediator to communicate with a Secure Partition in secure world. The implementation is the bare minimum to be able to communicate with OP-TEE running as an SPMC at S-EL1. This is loosely based on the TEE mediator framework and the OP-TEE mediator. [1] https://developer.arm.com/documentation/den0077/latest Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> --- SUPPORT.md | 7 + tools/libs/light/libxl_arm.c | 3 + tools/libs/light/libxl_types.idl | 1 + tools/xl/xl_parse.c | 3 + xen/arch/arm/Kconfig | 11 + xen/arch/arm/Makefile | 1 + xen/arch/arm/domain.c | 10 + xen/arch/arm/domain_build.c | 1 + xen/arch/arm/ffa.c | 1683 +++++++++++++++++++++++++++++ xen/arch/arm/include/asm/domain.h | 4 + xen/arch/arm/include/asm/ffa.h | 71 ++ xen/arch/arm/vsmc.c | 17 +- xen/include/public/arch-arm.h | 2 + 13 files changed, 1811 insertions(+), 3 deletions(-) create mode 100644 xen/arch/arm/ffa.c create mode 100644 xen/arch/arm/include/asm/ffa.h