diff --git a/Makefile b/Makefile index 0c3303f..d4fd26f 100644 --- a/Makefile +++ b/Makefile @@ -195,7 +195,8 @@ lib/stdlib/std.c \ plat/common/aarch64/platform_helpers.S -INCLUDES += -Iinclude/bl31 \ +INCLUDES += -Iinclude/bl1 \ + -Iinclude/bl31 \ -Iinclude/bl31/services \ -Iinclude/common \ -Iinclude/drivers \ diff --git a/bl1/aarch64/bl1_exceptions.S b/bl1/aarch64/bl1_exceptions.S index 8802301..9ff6a57 100644 --- a/bl1/aarch64/bl1_exceptions.S +++ b/bl1/aarch64/bl1_exceptions.S @@ -31,6 +31,7 @@ #include #include #include +#include #include .globl bl1_exceptions @@ -181,8 +182,26 @@ func smc_handler64 + /* ---------------------------------------------- - * Switch back to SP_EL0 for the C runtime stack. + * Detect if this is a RUN_IMAGE or other SMC. + * ---------------------------------------------- + */ + mov x30, #BL1_SMC_RUN_IMAGE + cmp x30, x0 + b.ne smc_handler + + /* ------------------------------------------------ + * Make sure only Secure world reaches here. + * ------------------------------------------------ + */ + mrs x30, scr_el3 + tst x30, #SCR_NS_BIT + b.ne unexpected_sync_exception + + /* ---------------------------------------------- + * Handling RUN_IMAGE SMC. First switch back to + * SP_EL0 for the C runtime stack. * ---------------------------------------------- */ ldr x30, [sp, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP] @@ -190,20 +209,13 @@ mov sp, x30 /* --------------------------------------------------------------------- - * Only a single SMC exception from BL2 to ask BL1 to pass EL3 control - * to BL31 is expected here. It expects: - * - X0 with RUN_IMAGE SMC function ID; - * - X1 with the address of a entry_point_info_t structure describing - * the BL31 entrypoint. + * Pass EL3 control to BL31. + * Here it expects X1 with the address of a entry_point_info_t + * structure describing the BL31 entrypoint. * --------------------------------------------------------------------- */ - mov x19, x0 mov x20, x1 - mov x0, #RUN_IMAGE - cmp x19, x0 - b.ne unexpected_sync_exception - mov x0, x20 bl bl1_print_bl31_ep_info @@ -238,3 +250,69 @@ bl plat_report_exception wfi b unexpected_sync_exception + + /* ----------------------------------------------------- + * Save Secure/Normal world context and jump to + * BL1 SMC handler. + * ----------------------------------------------------- + */ +smc_handler: + /* ----------------------------------------------------- + * Save the GP registers x0-x29. + * TODO: Revisit to store only SMCC specified registers. + * ----------------------------------------------------- + */ + bl save_gp_registers + + /* ----------------------------------------------------- + * Populate the parameters for the SMC handler. We + * already have x0-x4 in place. x5 will point to a + * cookie (not used now). x6 will point to the context + * structure (SP_EL3) and x7 will contain flags we need + * to pass to the handler. + * ----------------------------------------------------- + */ + mov x5, xzr + mov x6, sp + + /* ----------------------------------------------------- + * Restore the saved C runtime stack value which will + * become the new SP_EL0 i.e. EL3 runtime stack. It was + * saved in the 'cpu_context' structure prior to the last + * ERET from EL3. + * ----------------------------------------------------- + */ + ldr x12, [x6, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP] + + /* --------------------------------------------- + * Switch back to SP_EL0 for the C runtime stack. + * --------------------------------------------- + */ + msr spsel, #0 + mov sp, x12 + + /* ----------------------------------------------------- + * Save the SPSR_EL3, ELR_EL3, & SCR_EL3 in case there + * is a world switch during SMC handling. + * ----------------------------------------------------- + */ + mrs x16, spsr_el3 + mrs x17, elr_el3 + mrs x18, scr_el3 + stp x16, x17, [x6, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3] + str x18, [x6, #CTX_EL3STATE_OFFSET + CTX_SCR_EL3] + + /* Copy SCR_EL3.NS bit to the flag to indicate caller's security */ + bfi x7, x18, #0, #1 + + /* ----------------------------------------------------- + * Go to BL1 SMC handler. + * ----------------------------------------------------- + */ + bl bl1_smc_handler + + /* ----------------------------------------------------- + * Do the transition to next BL image. + * ----------------------------------------------------- + */ + b el3_exit diff --git a/bl1/bl1.mk b/bl1/bl1.mk index a19a330..21e87c7 100644 --- a/bl1/bl1.mk +++ b/bl1/bl1.mk @@ -38,5 +38,8 @@ lib/cpus/aarch64/cpu_helpers.S \ plat/common/plat_bl1_common.c +ifeq (${TRUSTED_BOARD_BOOT},1) +BL1_SOURCES += bl1/bl1_fwu.c +endif BL1_LINKERFILE := bl1/bl1.ld.S diff --git a/bl1/bl1_context_mgmt.c b/bl1/bl1_context_mgmt.c index e9264cb..6355190 100644 --- a/bl1/bl1_context_mgmt.c +++ b/bl1/bl1_context_mgmt.c @@ -32,7 +32,6 @@ #include #include #include -#include #include /* diff --git a/bl1/bl1_fwu.c b/bl1/bl1_fwu.c new file mode 100644 index 0000000..f8b414e --- /dev/null +++ b/bl1/bl1_fwu.c @@ -0,0 +1,503 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "bl1_private.h" + +/* + * Function declarations. + */ +static int bl1_fwu_image_copy(unsigned int image_id, + uintptr_t image_addr, + unsigned int block_size, + unsigned int image_size, + unsigned int flags); +static int bl1_fwu_image_auth(unsigned int image_id, + uintptr_t image_addr, + unsigned int image_size, + unsigned int flags); +static int bl1_fwu_image_execute(unsigned int image_id, + void **handle, + unsigned int flags); +static register_t bl1_fwu_image_resume(unsigned int image_id, + register_t image_param, + void **handle, + unsigned int flags); +static int bl1_fwu_sec_image_done(void **handle, + unsigned int flags); +__dead2 static void bl1_fwu_done(void *cookie, void *reserved); + +/* + * This keeps track of last executed secure image id. + */ +static unsigned int sec_exec_image_id = INVALID_IMAGE_ID; + +/******************************************************************************* + * Top level handler for servicing FWU SMCs. + ******************************************************************************/ +register_t bl1_fwu_smc_handler(unsigned int smc_fid, + register_t x1, + register_t x2, + register_t x3, + register_t x4, + void *cookie, + void *handle, + unsigned int flags) +{ + + switch (smc_fid) { + case FWU_SMC_IMAGE_COPY: + SMC_RET1(handle, bl1_fwu_image_copy(x1, x2, x3, x4, flags)); + + case FWU_SMC_IMAGE_AUTH: + SMC_RET1(handle, bl1_fwu_image_auth(x1, x2, x3, flags)); + + case FWU_SMC_IMAGE_EXECUTE: + SMC_RET1(handle, bl1_fwu_image_execute(x1, &handle, flags)); + + case FWU_SMC_IMAGE_RESUME: + SMC_RET1(handle, bl1_fwu_image_resume(x1, x2, &handle, flags)); + + case FWU_SMC_SEC_IMAGE_DONE: + SMC_RET1(handle, bl1_fwu_sec_image_done(&handle, flags)); + + case FWU_SMC_UPDATE_DONE: + bl1_fwu_done(cookie, NULL); + /* We should never return from bl1_fwu_done() */ + + default: + assert(0); + break; + } + + SMC_RET0(handle); +} + +/******************************************************************************* + * This function is responsible for copying secure images in AP Secure RAM. + ******************************************************************************/ +static int bl1_fwu_image_copy(unsigned int image_id, + uintptr_t image_src, + unsigned int block_size, + unsigned int image_size, + unsigned int flags) +{ + uintptr_t base_addr; + meminfo_t *mem_layout; + + /* Get the image descriptor. */ + image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); + + /* Check if we are in correct state. */ + if ((!image_desc) || + ((image_desc->state != IMAGE_STATE_RESET) && + (image_desc->state != IMAGE_STATE_COPYING))) { + WARN("BL1-FWU: Copy not allowed due to invalid state\n"); + return -EPERM; + } + + /* Only Normal world is allowed to copy a Secure image. */ + if ((GET_SEC_STATE(flags) == SECURE) || + (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE)) { + WARN("BL1-FWU: Copy not allowed for Non-Secure " + "image from Secure-world\n"); + return -EPERM; + } + + if ((!image_src) || (!block_size)) { + WARN("BL1-FWU: Copy not allowed due to invalid image source" + " or block size\n"); + return -ENOMEM; + } + + /* Get the image base address. */ + base_addr = image_desc->image_info.image_base; + + if (image_desc->state == IMAGE_STATE_COPYING) { + /* + * If last block is more than expected then + * clip the block to the required image size. + */ + if (image_desc->image_info.copied_size + block_size > + image_desc->image_info.image_size) { + block_size = image_desc->image_info.image_size - + image_desc->image_info.copied_size; + WARN("BL1-FWU: Copy argument block_size > remaining image size." + " Clipping block_size\n"); + } + + /* Make sure the image src/size is mapped. */ + if (bl1_plat_mem_check(image_src, block_size, flags)) { + WARN("BL1-FWU: Copy arguments source/size not mapped\n"); + return -ENOMEM; + } + + INFO("BL1-FWU: Continuing image copy in blocks\n"); + + /* Copy image for given block size. */ + base_addr += image_desc->image_info.copied_size; + image_desc->image_info.copied_size += block_size; + memcpy((void *)base_addr, (const void *)image_src, block_size); + flush_dcache_range(base_addr, block_size); + + /* Update the state if last block. */ + if (image_desc->image_info.copied_size == + image_desc->image_info.image_size) { + image_desc->state = IMAGE_STATE_COPIED; + INFO("BL1-FWU: Image copy in blocks completed\n"); + } + } else { + /* This means image is in RESET state and ready to be copied. */ + INFO("BL1-FWU: Fresh call to copy an image\n"); + + if (!image_size) { + WARN("BL1-FWU: Copy not allowed due to invalid image size\n"); + return -ENOMEM; + } + + /* + * If block size is more than total size then + * assume block size as the total image size. + */ + if (block_size > image_size) { + block_size = image_size; + WARN("BL1-FWU: Copy argument block_size > image size." + " Clipping block_size\n"); + } + + /* Make sure the image src/size is mapped. */ + if (bl1_plat_mem_check(image_src, block_size, flags)) { + WARN("BL1-FWU: Copy arguments source/size not mapped\n"); + return -ENOMEM; + } + + /* Find out how much free trusted ram remains after BL1 load */ + mem_layout = bl1_plat_sec_mem_layout(); + if ((image_desc->image_info.image_base < mem_layout->free_base) || + (image_desc->image_info.image_base + image_size > + mem_layout->free_base + mem_layout->free_size)) { + WARN("BL1-FWU: Memory not available to copy\n"); + return -ENOMEM; + } + + /* Update the image size. */ + image_desc->image_info.image_size = image_size; + + /* Copy image for given size. */ + memcpy((void *)base_addr, (const void *)image_src, block_size); + flush_dcache_range(base_addr, block_size); + + /* Update the state. */ + if (block_size == image_size) { + image_desc->state = IMAGE_STATE_COPIED; + INFO("BL1-FWU: Image is copied successfully\n"); + } else { + image_desc->state = IMAGE_STATE_COPYING; + INFO("BL1-FWU: Started image copy in blocks\n"); + } + + image_desc->image_info.copied_size = block_size; + } + + return 0; +} + +/******************************************************************************* + * This function is responsible for authenticating Normal/Secure images. + ******************************************************************************/ +static int bl1_fwu_image_auth(unsigned int image_id, + uintptr_t image_src, + unsigned int image_size, + unsigned int flags) +{ + int result; + uintptr_t base_addr; + unsigned int total_size; + + /* Get the image descriptor. */ + image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); + if (!image_desc) + return -EPERM; + + if (GET_SEC_STATE(flags) == SECURE) { + if (image_desc->state != IMAGE_STATE_RESET) { + WARN("BL1-FWU: Authentication from secure world " + "while in invalid state\n"); + return -EPERM; + } + } else { + if (GET_SEC_STATE(image_desc->ep_info.h.attr) == SECURE) { + if (image_desc->state != IMAGE_STATE_COPIED) { + WARN("BL1-FWU: Authentication of secure image " + "from non-secure world while not in copied state\n"); + return -EPERM; + } + } else { + if (image_desc->state != IMAGE_STATE_RESET) { + WARN("BL1-FWU: Authentication of non-secure image " + "from non-secure world while in invalid state\n"); + return -EPERM; + } + } + } + + if (image_desc->state == IMAGE_STATE_COPIED) { + /* + * Image is in COPIED state. + * Use the stored address and size. + */ + base_addr = image_desc->image_info.image_base; + total_size = image_desc->image_info.image_size; + } else { + if ((!image_src) || (!image_size)) { + WARN("BL1-FWU: Auth not allowed due to invalid" + " image source/size\n"); + return -ENOMEM; + } + + /* + * Image is in RESET state. + * Check the parameters and authenticate the source image in place. + */ + if (bl1_plat_mem_check(image_src, image_size, flags)) { + WARN("BL1-FWU: Authentication arguments source/size not mapped\n"); + return -ENOMEM; + } + + base_addr = image_src; + total_size = image_size; + + /* Update the image size in the descriptor. */ + image_desc->image_info.image_size = total_size; + } + + /* + * Authenticate the image. + */ + INFO("BL1-FWU: Authenticating image_id:%d\n", image_id); + result = auth_mod_verify_img(image_id, (void *)base_addr, total_size); + if (result != 0) { + WARN("BL1-FWU: Authentication Failed err=%d\n", result); + + /* + * Authentication has failed. + * Clear the memory if the image was copied. + * This is to prevent an attack where this contains + * some malicious code that can somehow be executed later. + */ + if (image_desc->state == IMAGE_STATE_COPIED) { + /* Clear the memory.*/ + memset((void *)base_addr, 0, total_size); + flush_dcache_range(base_addr, total_size); + + /* Indicate that image can be copied again*/ + image_desc->state = IMAGE_STATE_RESET; + } + return -EAUTH; + } + + /* Indicate that image is in authenticated state. */ + image_desc->state = IMAGE_STATE_AUTHENTICATED; + + /* + * Flush image_info to memory so that other + * secure world images can see changes. + */ + flush_dcache_range((unsigned long)&image_desc->image_info, + sizeof(image_info_t)); + + INFO("BL1-FWU: Authentication was successful\n"); + + return 0; +} + +/******************************************************************************* + * This function is responsible for executing Secure images. + ******************************************************************************/ +static int bl1_fwu_image_execute(unsigned int image_id, + void **handle, + unsigned int flags) +{ + /* Get the image descriptor. */ + image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); + + /* + * Execution is NOT allowed if: + * Caller is from Secure world OR + * Image is Non-Secure OR + * Image is Non-Executable OR + * Image is NOT in AUTHENTICATED state. + */ + if ((!image_desc) || + (GET_SEC_STATE(flags) == SECURE) || + (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE) || + (GET_EXEC_STATE(image_desc->image_info.h.attr) == NON_EXECUTABLE) || + (image_desc->state != IMAGE_STATE_AUTHENTICATED)) { + WARN("BL1-FWU: Execution not allowed due to invalid state/args\n"); + return -EPERM; + } + + INFO("BL1-FWU: Executing Secure image\n"); + + /* Save NS-EL1 system registers. */ + cm_el1_sysregs_context_save(NON_SECURE); + + /* Prepare the image for execution. */ + bl1_prepare_next_image(image_id); + + /* Update the secure image id. */ + sec_exec_image_id = image_id; + + *handle = cm_get_context(SECURE); + return 0; +} + +/******************************************************************************* + * This function is responsible for resuming Secure/Non-Secure images. + ******************************************************************************/ +static register_t bl1_fwu_image_resume(unsigned int image_id, + register_t image_param, + void **handle, + unsigned int flags) +{ + image_desc_t *image_desc; + unsigned int resume_sec_state; + + if (GET_SEC_STATE(flags) == SECURE) { + /* Get the image descriptor for last executed secure image id. */ + image_desc = bl1_plat_get_image_desc(sec_exec_image_id); + + if ((!image_desc) || (image_desc->state != IMAGE_STATE_EXECUTED)) { + WARN("BL1-FWU: Resume not allowed for secure image " + "due to invalid state\n"); + return -EPERM; + } + + /* Update the flags. */ + image_desc->state = IMAGE_STATE_INTERRUPTED; + resume_sec_state = NON_SECURE; + } else { + /* Get the image descriptor for image id to be resumed. */ + image_desc = bl1_plat_get_image_desc(image_id); + + /* Make sure image is secure and was interrupted. */ + if ((!image_desc) || + (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE) || + (image_desc->state != IMAGE_STATE_INTERRUPTED)) { + WARN("BL1-FWU: Resume not allowed for NS image/ invalid state\n"); + return -EPERM; + } + + /* Update the flags. */ + image_desc->state = IMAGE_STATE_EXECUTED; + resume_sec_state = SECURE; + } + + /* Save the EL1 system registers of calling world. */ + cm_el1_sysregs_context_save(GET_SEC_STATE(flags)); + + /* Restore the EL1 system registers of resuming world. */ + cm_el1_sysregs_context_restore(resume_sec_state); + + /* Update the next context. */ + cm_set_next_eret_context(resume_sec_state); + + INFO("BL1-FWU: Resuming %s world context\n", + (resume_sec_state == SECURE) ? "Secure" : "Normal"); + + *handle = cm_get_context(resume_sec_state); + return image_param; +} + +/******************************************************************************* + * This function is responsible for resuming normal world context. + ******************************************************************************/ +static int bl1_fwu_sec_image_done(void **handle, unsigned int flags) +{ + + /* Get the image descriptor for last executed secure image id. */ + image_desc_t *image_desc = bl1_plat_get_image_desc(sec_exec_image_id); + + /* + * Make sure caller is from secure world + * and the image is in EXECUTED state. + */ + if ((!image_desc) || + (GET_SEC_STATE(flags) == NON_SECURE) || + (image_desc->state != IMAGE_STATE_EXECUTED)) { + WARN("BL1-FWU: Done not allowed for NS caller/ invalid state\n"); + return -EPERM; + } + + /* Update the flags. */ + image_desc->state = IMAGE_STATE_RESET; + sec_exec_image_id = INVALID_IMAGE_ID; + + /* + * Secure world is done so no need to save the context. + * Just restore the Non-Secure context. + */ + cm_el1_sysregs_context_restore(NON_SECURE); + + /* Update the next context. */ + cm_set_next_eret_context(NON_SECURE); + + INFO("BL1-FWU: Resuming Normal world context\n"); + + *handle = cm_get_context(NON_SECURE); + return 0; +} + +/******************************************************************************* + * This function provides the opportunity for users to perform any + * platform specific handling after the Firmware update is done. + ******************************************************************************/ +__dead2 static void bl1_fwu_done(void *cookie, void *reserved) +{ + NOTICE("BL1-FWU: *******FWU Process Completed*******\n"); + + /* + * Call platform done function. + */ + bl1_plat_fwu_done(cookie, reserved); + assert(0); +} diff --git a/bl1/bl1_main.c b/bl1/bl1_main.c index 54da735..84d5611 100644 --- a/bl1/bl1_main.c +++ b/bl1/bl1_main.c @@ -32,11 +32,19 @@ #include #include #include +#include #include #include #include #include +#include #include "bl1_private.h" +#include + +/* BL1 Service UUID */ +DEFINE_SVC_UUID(bl1_svc_uid, + 0xfd3967d4, 0x72cb, 0x4d9a, 0xb5, 0x75, + 0x67, 0x15, 0xd6, 0xf4, 0xbb, 0x4a); static void bl1_load_bl2(void); @@ -131,8 +139,14 @@ /* Get the image id of next image to load and run. */ image_id = bl1_plat_get_next_image_id(); + /* + * We currently interpret any image id other than + * BL2_IMAGE_ID as the start of firmware update. + */ if (image_id == BL2_IMAGE_ID) bl1_load_bl2(); + else + NOTICE("BL1-FWU: *******FWU Process Started*******\n"); bl1_prepare_next_image(image_id); } @@ -213,3 +227,45 @@ NOTICE("BL1: Please connect the debugger to continue\n"); } #endif + +/******************************************************************************* + * Top level handler for servicing BL1 SMCs. + ******************************************************************************/ +register_t bl1_smc_handler(unsigned int smc_fid, + register_t x1, + register_t x2, + register_t x3, + register_t x4, + void *cookie, + void *handle, + unsigned int flags) +{ + +#if TRUSTED_BOARD_BOOT + /* + * Dispatch FWU calls to FWU SMC handler and return its return + * value + */ + if (is_fwu_fid(smc_fid)) { + return bl1_fwu_smc_handler(smc_fid, x1, x2, x3, x4, cookie, + handle, flags); + } +#endif + + switch (smc_fid) { + case BL1_SMC_CALL_COUNT: + SMC_RET1(handle, BL1_NUM_SMC_CALLS); + + case BL1_SMC_UID: + SMC_UUID_RET(handle, bl1_svc_uid); + + case BL1_SMC_VERSION: + SMC_RET1(handle, BL1_SMC_MAJOR_VER | BL1_SMC_MINOR_VER); + + default: + break; + } + + WARN("Unimplemented BL1 SMC Call: 0x%x \n", smc_fid); + SMC_RET1(handle, SMC_UNK); +} diff --git a/bl1/bl1_private.h b/bl1/bl1_private.h index 7d796f1..283bbb9 100644 --- a/bl1/bl1_private.h +++ b/bl1/bl1_private.h @@ -31,6 +31,8 @@ #ifndef __BL1_PRIVATE_H__ #define __BL1_PRIVATE_H__ +#include + /******************************************************************************* * Declarations of linker defined symbols which will tell us where BL1 lives * in Trusted RAM @@ -47,4 +49,13 @@ void bl1_arch_next_el_setup(void); void bl1_prepare_next_image(unsigned int image_id); + +register_t bl1_fwu_smc_handler(unsigned int smc_fid, + register_t x1, + register_t x2, + register_t x3, + register_t x4, + void *cookie, + void *handle, + unsigned int flags); #endif /* __BL1_PRIVATE_H__ */ diff --git a/bl1/tbbr/tbbr_img_desc.c b/bl1/tbbr/tbbr_img_desc.c new file mode 100644 index 0000000..42de851 --- /dev/null +++ b/bl1/tbbr/tbbr_img_desc.c @@ -0,0 +1,81 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include + +image_desc_t bl1_tbbr_image_descs[] = { + { + .image_id = FWU_CERT_ID, + .image_info.h.attr = SET_EXEC_STATE(NON_EXECUTABLE), + .image_info.image_base = BL2_BASE, + .ep_info.h.attr = SET_SEC_STATE(SECURE), + }, +#if NS_BL1U_BASE + { + .image_id = NS_BL1U_IMAGE_ID, + .image_info.h.attr = SET_EXEC_STATE(EXECUTABLE), + .image_info.image_base = NS_BL1U_BASE, + .ep_info.h.attr = SET_SEC_STATE(NON_SECURE), + .ep_info.pc = NS_BL1U_BASE, + }, +#endif +#if SCP_BL2U_BASE + { + .image_id = SCP_BL2U_IMAGE_ID, + .image_info.h.attr = SET_EXEC_STATE(NON_EXECUTABLE), + .image_info.image_base = SCP_BL2U_BASE, + .ep_info.h.attr = SET_SEC_STATE(SECURE), + }, +#endif +#if BL2U_BASE + { + .image_id = BL2U_IMAGE_ID, + .image_info.h.attr = SET_EXEC_STATE(EXECUTABLE), + .image_info.image_base = BL2U_BASE, + .ep_info.h.attr = SET_SEC_STATE(SECURE), + .ep_info.pc = BL2U_BASE, + }, +#endif +#if NS_BL2U_BASE + { + .image_id = NS_BL2U_IMAGE_ID, + .image_info.h.attr = SET_EXEC_STATE(NON_EXECUTABLE), + .image_info.image_base = NS_BL2U_BASE, + .ep_info.h.attr = SET_SEC_STATE(NON_SECURE), + }, +#endif + BL2_IMAGE_DESC, + + { + .image_id = INVALID_IMAGE_ID, + } +}; diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c index a3f016f..f475640 100644 --- a/bl2/bl2_main.c +++ b/bl2/bl2_main.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -281,5 +282,5 @@ * the BL3-2 (if present) and BL3-3 software images will be passed to * BL3-1 as an argument. */ - smc(RUN_IMAGE, (unsigned long)bl31_ep_info, 0, 0, 0, 0, 0, 0); + smc(BL1_SMC_RUN_IMAGE, (unsigned long)bl31_ep_info, 0, 0, 0, 0, 0, 0); } diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c index 79a8965..71634a1 100644 --- a/drivers/auth/tbbr/tbbr_cot.c +++ b/drivers/auth/tbbr/tbbr_cot.c @@ -89,6 +89,12 @@ AUTH_PARAM_HASH, BL32_HASH_OID); static auth_param_type_desc_t bl33_hash = AUTH_PARAM_TYPE_DESC( AUTH_PARAM_HASH, BL33_HASH_OID); +static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, SCP_BL2U_HASH_OID); +static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, BL2U_HASH_OID); +static auth_param_type_desc_t ns_bl2u_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, NS_BL2U_HASH_OID); /* * TBBR Chain of trust definition @@ -438,6 +444,99 @@ } } } + }, + /* + * FWU auth descriptor. + */ + [FWU_CERT_ID] = { + .img_id = FWU_CERT_ID, + .img_type = IMG_CERT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &subject_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &raw_data, + } + } + }, + .authenticated_data = { + [0] = { + .type_desc = &scp_bl2u_hash, + .data = { + .ptr = (void *)plat_bl30_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [1] = { + .type_desc = &bl2u_hash, + .data = { + .ptr = (void *)plat_bl2_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + }, + [2] = { + .type_desc = &ns_bl2u_hash, + .data = { + .ptr = (void *)plat_bl33_hash_buf, + .len = (unsigned int)HASH_DER_LEN + } + } + } + }, + /* + * SCP_BL2U + */ + [SCP_BL2U_IMAGE_ID] = { + .img_id = SCP_BL2U_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &cot_desc[FWU_CERT_ID], + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &scp_bl2u_hash, + } + } + } + }, + /* + * BL2U + */ + [BL2U_IMAGE_ID] = { + .img_id = BL2U_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &cot_desc[FWU_CERT_ID], + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &bl2u_hash, + } + } + } + }, + /* + * NS_BL2U + */ + [NS_BL2U_IMAGE_ID] = { + .img_id = NS_BL2U_IMAGE_ID, + .img_type = IMG_RAW, + .parent = &cot_desc[FWU_CERT_ID], + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_HASH, + .param.hash = { + .data = &raw_data, + .hash = &ns_bl2u_hash, + } + } + } } }; diff --git a/include/bl1/bl1.h b/include/bl1/bl1.h new file mode 100644 index 0000000..9fb3cb2 --- /dev/null +++ b/include/bl1/bl1.h @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __BL1_FWU_H__ +#define __BL1_FWU_H__ + +#include + +/* + * Defines for BL1 SMC function ids. + */ +#define BL1_SMC_CALL_COUNT 0x0 +#define BL1_SMC_UID 0x1 +/* SMC #0x2 reserved */ +#define BL1_SMC_VERSION 0x3 + +/* + * Corresponds to the function ID of the SMC that + * the BL1 exception handler service to execute BL31. + */ +#define BL1_SMC_RUN_IMAGE 0x4 + +/* + * BL1 SMC version + */ +#define BL1_SMC_MAJOR_VER 0x0 +#define BL1_SMC_MINOR_VER 0x1 + +/* + * Defines for FWU SMC function ids. + */ + +#define FWU_SMC_IMAGE_COPY 0x10 +#define FWU_SMC_IMAGE_AUTH 0x11 +#define FWU_SMC_IMAGE_EXECUTE 0x12 +#define FWU_SMC_IMAGE_RESUME 0x13 +#define FWU_SMC_SEC_IMAGE_DONE 0x14 +#define FWU_SMC_UPDATE_DONE 0x15 + +/* + * Number of FWU calls (above) implemented + */ +#define FWU_NUM_SMC_CALLS 6 + +#if TRUSTED_BOARD_BOOT +# define BL1_NUM_SMC_CALLS (FWU_NUM_SMC_CALLS + 4) +#else +# define BL1_NUM_SMC_CALLS 4 +#endif + +/* + * The macros below are used to identify FWU + * calls from the SMC function ID + */ +#define FWU_SMC_FID_START FWU_SMC_IMAGE_COPY +#define FWU_SMC_FID_END FWU_SMC_UPDATE_DONE +#define is_fwu_fid(_fid) \ + ((_fid >= FWU_SMC_FID_START) && (_fid <= FWU_SMC_FID_END)) + +#ifndef __ASSEMBLY__ +#include + +/* + * Check if the total number of FWU SMC calls are as expected. + */ +CASSERT(FWU_NUM_SMC_CALLS == \ + (FWU_SMC_FID_END - FWU_SMC_FID_START + 1),\ + assert_FWU_NUM_SMC_CALLS_mismatch); + +#endif /* __ASSEMBLY__ */ +#endif /* __BL1_FWU_H__ */ diff --git a/include/bl1/tbbr/tbbr_img_desc.h b/include/bl1/tbbr/tbbr_img_desc.h new file mode 100644 index 0000000..56f3507 --- /dev/null +++ b/include/bl1/tbbr/tbbr_img_desc.h @@ -0,0 +1,38 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __TBBR_IMG_DESC_H__ +#define __TBBR_IMG_DESC_H__ + +#include + +extern image_desc_t bl1_tbbr_image_descs[]; + +#endif /* __TBBR_IMG_DESC_H__ */ diff --git a/include/common/bl_common.h b/include/common/bl_common.h index bedd496..af83d78 100644 --- a/include/common/bl_common.h +++ b/include/common/bl_common.h @@ -45,13 +45,6 @@ #define TOP 0x1 #define BOTTOM !TOP -/****************************************************************************** - * Corresponds to the function ID of the only SMC that the BL1 exception - * handlers service. That's why the chosen value is the first function ID of - * the ARM SMC64 range. - *****************************************************************************/ -#define RUN_IMAGE 0xC0000000 - /******************************************************************************* * Constants that allow assembler code to access members of and the * 'entry_point_info' structure at their correct offsets. diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h index c43c395..fabe0b9 100644 --- a/include/common/tbbr/tbbr_img_def.h +++ b/include/common/tbbr/tbbr_img_def.h @@ -63,4 +63,19 @@ #define BL32_CERT_ID 14 #define BL33_CERT_ID 15 +/* Non-Trusted ROM Firmware NS_BL1U */ +#define NS_BL1U_IMAGE_ID 16 + +/* Trusted FWU Certificate */ +#define FWU_CERT_ID 17 + +/* Trusted FWU SCP Firmware SCP_BL2U */ +#define SCP_BL2U_IMAGE_ID 18 + +/* Trusted FWU Boot Firmware BL2U */ +#define BL2U_IMAGE_ID 19 + +/* Non-Trusted FWU Firmware NS_BL2U */ +#define NS_BL2U_IMAGE_ID 20 + #endif /* __TBBR_IMG_DEF_H__ */ diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h index 6d75770..1e72451 100644 --- a/include/plat/common/platform.h +++ b/include/plat/common/platform.h @@ -92,19 +92,38 @@ void bl1_platform_setup(void); struct meminfo *bl1_plat_sec_mem_layout(void); +/* + * The following function is mandatory when the + * firmware update feature is used. + */ +int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size, + unsigned int flags); + /******************************************************************************* * Optional BL1 functions (may be overridden) ******************************************************************************/ void bl1_init_bl2_mem_layout(const struct meminfo *bl1_mem_layout, struct meminfo *bl2_mem_layout); + /* * The following functions are used for image loading process in BL1. */ void bl1_plat_set_ep_info(unsigned int image_id, struct entry_point_info *ep_info); +/* + * The following functions are mandatory when firmware update + * feature is used and optional otherwise. + */ unsigned int bl1_plat_get_next_image_id(void); struct image_desc *bl1_plat_get_image_desc(unsigned int image_id); +/* + * The following functions are used by firmware update + * feature and may optionally be overridden. + */ +__dead2 void bl1_plat_fwu_done(void *cookie, void *reserved); + + /******************************************************************************* * Mandatory BL2 functions ******************************************************************************/ diff --git a/plat/common/plat_bl1_common.c b/plat/common/plat_bl1_common.c index 73362a1..aee9440 100644 --- a/plat/common/plat_bl1_common.c +++ b/plat/common/plat_bl1_common.c @@ -27,19 +27,24 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ + +#include +#include #include #include +#include #include /* * The following platform functions are weakly defined. They - * are default implementations that allow BL1 compile in + * are default implementations that allow BL1 to compile in * absence of real definitions. The Platforms may override * with more complex definitions. */ #pragma weak bl1_plat_get_next_image_id #pragma weak bl1_plat_set_ep_info #pragma weak bl1_plat_get_image_desc +#pragma weak bl1_plat_fwu_done unsigned int bl1_plat_get_next_image_id(void) @@ -63,3 +68,21 @@ static image_desc_t bl2_img_desc = BL2_IMAGE_DESC; return &bl2_img_desc; } + +__dead2 void bl1_plat_fwu_done(void *cookie, void *rsvd_ptr) +{ + while (1) + wfi(); +} + +/* + * The Platforms must override with real definition. + */ +#pragma weak bl1_plat_mem_check + +int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size, + unsigned int flags) +{ + assert(0); + return -ENOMEM; +}