2018-03-05 15:09:30 +08:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2018 Intel Corporation. All rights reserved.
|
|
|
|
|
*
|
2018-05-26 01:49:13 +08:00
|
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
2018-03-05 15:09:30 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef TRUSTY_H_
|
|
|
|
|
#define TRUSTY_H_
|
|
|
|
|
|
2018-10-15 13:06:43 +08:00
|
|
|
#define BOOTLOADER_SEED_MAX_ENTRIES 10U
|
|
|
|
|
#define RPMB_MAX_PARTITION_NUMBER 6U
|
|
|
|
|
#define MMC_PROD_NAME_WITH_PSN_LEN 15U
|
2018-07-18 17:08:52 +08:00
|
|
|
#define BUP_MKHI_BOOTLOADER_SEED_LEN 64U
|
2018-03-05 15:09:30 +08:00
|
|
|
|
2018-11-02 02:25:15 +08:00
|
|
|
#define TRUSTY_RAM_SIZE (16UL * 1024UL * 1024UL) /* 16 MB for now */
|
|
|
|
|
|
2018-04-03 18:45:29 +08:00
|
|
|
/* Trusty EPT rebase gpa: 511G */
|
2018-06-26 19:57:53 +08:00
|
|
|
#define TRUSTY_EPT_REBASE_GPA (511UL * 1024UL * 1024UL * 1024UL)
|
2018-04-03 18:45:29 +08:00
|
|
|
|
hv:Refine destroy_secure_world API
-- add clear trusty memory flag
In some cases such as UOS power off or UOS full reset,
need to clear trusty memory,no need to clear memory such as
UOS S3 or UOS system reset,then add a flag to distinguish it
when destroy secure world.
-- Restore trusty memory to guest normal world.
-- Moved free trusty EPT inside destroy_secure_world
In some cases such as UOS S3 or UOS system reset,
only need to free trusty EPT, this patch move free
trusty EPT inside destroy_secure_world.
Because PD/PT are shared in both secure world's EPT
and normal world's EPT,before freeing trusty EPT,
it will memset all PDPTEs except trusty memory,
then call 'free_ept_mem', it can only free trusty EPT,
and does't affect shared normal world EPT.
v2-->v3:
-- Used new mmu api ept_mr_add when restore trusty memory
to SOS and normal world
-- Dropped this patch "Removed reverted page tables for trusty memory"
because map_mem will be removed in future
It will have a patch, need to update this api(ept_mr_add),
it will not create inverted page tables for trusty memory.
v1-->v2:
-- free trusty ept
still use free_ept_mem, not add a new api,but need to
memset pdptes except trusty memory
-- Removed reverted page tables for trusty memory.
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
2018-08-08 14:17:49 +08:00
|
|
|
#define NON_TRUSTY_PDPT_ENTRIES 511U
|
|
|
|
|
|
2018-03-05 15:09:30 +08:00
|
|
|
/* Structure of seed info */
|
|
|
|
|
struct seed_info {
|
|
|
|
|
uint8_t cse_svn;
|
|
|
|
|
uint8_t bios_svn;
|
|
|
|
|
uint8_t padding[2];
|
|
|
|
|
uint8_t seed[BUP_MKHI_BOOTLOADER_SEED_LEN];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* Structure of key info */
|
2018-07-27 16:14:46 +08:00
|
|
|
struct trusty_key_info {
|
2018-03-05 15:09:30 +08:00
|
|
|
uint32_t size_of_this_struct;
|
|
|
|
|
|
|
|
|
|
/* version info:
|
|
|
|
|
0: baseline structure
|
|
|
|
|
1: add ** new field
|
|
|
|
|
*/
|
|
|
|
|
uint32_t version;
|
|
|
|
|
|
|
|
|
|
/* platform:
|
|
|
|
|
0: Dummy (fake secret)
|
|
|
|
|
1: APL (APL + ABL)
|
|
|
|
|
2: ICL (ICL + SBL)
|
2018-08-17 05:23:47 +08:00
|
|
|
3: ACRN (APL|ICL + SBL + ACRN)
|
2018-03-05 15:09:30 +08:00
|
|
|
4: Brillo (Android Things)
|
|
|
|
|
*/
|
|
|
|
|
uint32_t platform;
|
|
|
|
|
|
|
|
|
|
/* flags info:
|
|
|
|
|
Bit 0: manufacturing state (0:manufacturing done;
|
|
|
|
|
1:in manufacturing mode)
|
|
|
|
|
Bit 1: secure boot state (0:disabled; 1: enabled)
|
|
|
|
|
Bit 2: test seeds (ICL only - 0:production seeds; 1: test seeds)
|
|
|
|
|
other bits all reserved as 0
|
|
|
|
|
*/
|
|
|
|
|
uint32_t flags;
|
|
|
|
|
|
|
|
|
|
/* Keep 64-bit align */
|
|
|
|
|
uint32_t pad1;
|
|
|
|
|
|
|
|
|
|
/* Seed list, include useeds(user seeds) and dseed(device seeds) */
|
|
|
|
|
uint32_t num_seeds;
|
|
|
|
|
struct seed_info useed_list[BOOTLOADER_SEED_MAX_ENTRIES];
|
|
|
|
|
struct seed_info dseed_list[BOOTLOADER_SEED_MAX_ENTRIES];
|
|
|
|
|
|
|
|
|
|
/* For ICL+ */
|
|
|
|
|
/* rpmb keys, Currently HMAC-SHA256 is used in RPMB spec
|
|
|
|
|
* and 256-bit (32byte) is enough. Hence only lower 32 bytes will be
|
|
|
|
|
* used for now for each entry. But keep higher 32 bytes for future
|
|
|
|
|
* extension. Note that, RPMB keys are already tied to storage device
|
|
|
|
|
* serial number.If there are multiple RPMB partitions, then we will
|
|
|
|
|
* get multiple available RPMB keys. And if rpmb_key[n][64] == 0,
|
|
|
|
|
* then the n-th RPMB key is unavailable (Either because of no such
|
|
|
|
|
* RPMB partition, or because OSloader doesn't want to share
|
|
|
|
|
* the n-th RPMB key with Trusty)
|
|
|
|
|
*/
|
|
|
|
|
uint8_t rpmb_key[RPMB_MAX_PARTITION_NUMBER][64];
|
|
|
|
|
|
|
|
|
|
/* 256-bit AES encryption key to encrypt/decrypt attestation keybox,
|
|
|
|
|
this key should be derived from a fixed key which is RPMB seed.
|
|
|
|
|
RPMB key (HMAC key) and this encryption key (AES key) are both
|
|
|
|
|
derived from the same RPMB seed.
|
|
|
|
|
*/
|
|
|
|
|
uint8_t attkb_enc_key[32];
|
|
|
|
|
|
|
|
|
|
/* For APL only */
|
|
|
|
|
/* RPMB key is derived with dseed together with this serial number,
|
|
|
|
|
* for ICL +, CSE directly provides the rpmb_key which is already
|
|
|
|
|
* tied to serial number. Concatenation of emmc product name
|
|
|
|
|
* with a string representation of PSN
|
|
|
|
|
*/
|
|
|
|
|
char serial[MMC_PROD_NAME_WITH_PSN_LEN];
|
|
|
|
|
char pad2;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct secure_world_memory {
|
2018-05-25 09:30:37 +08:00
|
|
|
/* The original secure world base address allocated by bootloader */
|
|
|
|
|
uint64_t base_gpa_in_uos;
|
2018-03-05 15:09:30 +08:00
|
|
|
/* The secure world base address of HPA */
|
|
|
|
|
uint64_t base_hpa;
|
|
|
|
|
/* Secure world runtime memory size */
|
|
|
|
|
uint64_t length;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct secure_world_control {
|
2018-05-25 09:30:37 +08:00
|
|
|
/* Flag indicates Secure World's state */
|
|
|
|
|
struct {
|
2018-05-25 13:08:04 +08:00
|
|
|
/* sworld supporting: 0(unsupported), 1(supported) */
|
2018-05-25 09:30:37 +08:00
|
|
|
uint64_t supported : 1;
|
2018-05-25 13:08:04 +08:00
|
|
|
/* sworld running status: 0(inactive), 1(active) */
|
2018-05-25 09:30:37 +08:00
|
|
|
uint64_t active : 1;
|
2018-05-25 13:08:04 +08:00
|
|
|
/* sworld context saving status: 0(unsaved), 1(saved) */
|
|
|
|
|
uint64_t ctx_saved : 1;
|
|
|
|
|
uint64_t reserved : 61;
|
2018-05-25 09:30:37 +08:00
|
|
|
} flag;
|
2018-03-05 15:09:30 +08:00
|
|
|
/* Secure world memory structure */
|
|
|
|
|
struct secure_world_memory sworld_memory;
|
|
|
|
|
};
|
|
|
|
|
|
2018-06-01 13:51:16 +08:00
|
|
|
struct trusty_startup_param {
|
|
|
|
|
uint32_t size_of_this_struct;
|
|
|
|
|
uint32_t mem_size;
|
|
|
|
|
uint64_t tsc_per_ms;
|
|
|
|
|
uint64_t trusty_mem_base;
|
|
|
|
|
uint32_t reserved;
|
|
|
|
|
uint8_t padding[4];
|
|
|
|
|
};
|
|
|
|
|
|
2018-12-08 00:30:49 +08:00
|
|
|
void switch_world(struct acrn_vcpu *vcpu, int32_t next_world);
|
2018-12-19 23:41:29 +08:00
|
|
|
bool initialize_trusty(struct acrn_vcpu *vcpu, const struct trusty_boot_param *boot_param);
|
2018-11-05 13:28:23 +08:00
|
|
|
void destroy_secure_world(struct acrn_vm *vm, bool need_clr_mem);
|
2018-11-05 13:25:25 +08:00
|
|
|
void save_sworld_context(struct acrn_vcpu *vcpu);
|
|
|
|
|
void restore_sworld_context(struct acrn_vcpu *vcpu);
|
2018-10-23 11:45:29 +08:00
|
|
|
void trusty_set_dseed(const void *dseed, uint8_t dseed_num);
|
2018-06-05 10:57:34 +08:00
|
|
|
|
2018-03-05 15:09:30 +08:00
|
|
|
#endif /* TRUSTY_H_ */
|