OrgACRN
/
acrn-hypervisor
mirror of https://github.com/projectacrn/acrn-hypervisor.git
1
0
Fork 0
Code Issues Releases Wiki Activity
acrn-hypervisor/hypervisor/common/trusty_hypercall.c

105 lines
2.3 KiB
C
Raw Normal View History

trusty: Simulate Secure Monitor Call(SMC) by Hypercall For ARM, The SMC instruction is used to generate a synchronous exception that is handled by Secure Monitor code running in EL3. In the ARM architecture, synchronous control is transferred between the normal Non-secure state and the Secure state through Secure Monitor Call exceptions. SMC exceptions are generated by the SMC instruction, and handled by the Secure Monitor.The operation of the Secure Monitor is determined by the parameters that are passed in through registers. For ACRN, Hypervisor will simulate SMC by hypercall to switch vCPU State between Normal World and Secure World. There are 4 registers(RDI, RSI, RDX, RBX) reserved for paramters passing between Normal World and Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:26:38 +08:00
/*
* Copyright (C) 2018 Intel Corporation. All rights reserved.
*
license: Replace license text with SPDX tag Replace the BSD-3-Clause boiler plate license text with an SPDX tag. Fixes: #189 Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
2018-05-26 01:49:13 +08:00
* SPDX-License-Identifier: BSD-3-Clause
trusty: Simulate Secure Monitor Call(SMC) by Hypercall For ARM, The SMC instruction is used to generate a synchronous exception that is handled by Secure Monitor code running in EL3. In the ARM architecture, synchronous control is transferred between the normal Non-secure state and the Secure state through Secure Monitor Call exceptions. SMC exceptions are generated by the SMC instruction, and handled by the Secure Monitor.The operation of the Secure Monitor is determined by the parameters that are passed in through registers. For ACRN, Hypervisor will simulate SMC by hypercall to switch vCPU State between Normal World and Secure World. There are 4 registers(RDI, RSI, RDX, RBX) reserved for paramters passing between Normal World and Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:26:38 +08:00
*/
#include <hypervisor.h>
#include <hypercall.h>
HV: trusty: log printing cleanup Replace some pr_err() with dev_dbg(). Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-08-03 09:54:58 +08:00
#define ACRN_DBG_TRUSTY_HYCALL 6U
trusty: init & switch world fix - when init, cr0 & cr4 should read from VMCS - when world switch, cr0/cr4 read shadow should also be save/restore v2: - use context->vmx_cr0/cr4 to save/restore VMX_GUEST_CR0/CR4 - use context->cr0/cr4 to save/restore VMX_CR0/CR4_READ_SHADOW Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> Acked-by: Anthony Xu <anthony.xu@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-06-16 14:46:51 +08:00
/* this hcall is only come from trusty enabled vcpu itself, and cannot be
* called from other vcpus
*/
HV: hypercall: make hypercall functions return int32_t The error code in the hypervisor is 32-bit signed integers. To reduce implicit conversions, this patch make hcall_xxx returns int32_t, and finally converts it to uint64_t when assigned to rax whose semantics is properly defined in C99. Signed-off-by: Junjie Mao <junjie.mao@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-07-19 23:17:38 +08:00
int32_t hcall_world_switch(struct vcpu *vcpu)
trusty: Simulate Secure Monitor Call(SMC) by Hypercall For ARM, The SMC instruction is used to generate a synchronous exception that is handled by Secure Monitor code running in EL3. In the ARM architecture, synchronous control is transferred between the normal Non-secure state and the Secure state through Secure Monitor Call exceptions. SMC exceptions are generated by the SMC instruction, and handled by the Secure Monitor.The operation of the Secure Monitor is determined by the parameters that are passed in through registers. For ACRN, Hypervisor will simulate SMC by hypercall to switch vCPU State between Normal World and Secure World. There are 4 registers(RDI, RSI, RDX, RBX) reserved for paramters passing between Normal World and Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:26:38 +08:00
{
HV:common:transfer local variable type The local variable type should be transfer to non-basic type, chaned it to length-prefix(uint32_t,int32_t ...) type. Char *type or char array type which used to pointer a string will be keeped. V1->V2 add extra comments. Signed-off-by: Huihuang Shi <huihuang.shi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-06-28 16:27:12 +08:00
int32_t next_world_id = !(vcpu->arch_vcpu.cur_context);
trusty: Simulate Secure Monitor Call(SMC) by Hypercall For ARM, The SMC instruction is used to generate a synchronous exception that is handled by Secure Monitor code running in EL3. In the ARM architecture, synchronous control is transferred between the normal Non-secure state and the Secure state through Secure Monitor Call exceptions. SMC exceptions are generated by the SMC instruction, and handled by the Secure Monitor.The operation of the Secure Monitor is determined by the parameters that are passed in through registers. For ACRN, Hypervisor will simulate SMC by hypercall to switch vCPU State between Normal World and Secure World. There are 4 registers(RDI, RSI, RDX, RBX) reserved for paramters passing between Normal World and Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:26:38 +08:00
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
if (next_world_id >= NR_WORLD) {
HV: trusty: log printing cleanup Replace some pr_err() with dev_dbg(). Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-08-03 09:54:58 +08:00
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"%s world_id %d exceed max number of Worlds\n",
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
__func__, next_world_id);
return -EINVAL;
}
HV: trusty: refine secure_world_control Define Bitmap flag to indicate secure world's state: supported: 0(not supported), 1(supported) active: 0(inactive), 1(active) Refine secure_world_memory: base_gpa_in_sos: base_gpa from SOS's view base_gpa_in_uos: base_gpa from UOS's view, this is the original base_gpa allocated by bootloader. Recording above GPA is for usage of trusty EPT destroy and re-create. There is an assumption: the secure world's memory address is contiguous in both SOS and physical side. Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-05-25 09:30:37 +08:00
if (!vcpu->vm->sworld_control.flag.supported) {
HV: trusty: log printing cleanup Replace some pr_err() with dev_dbg(). Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-08-03 09:54:58 +08:00
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"Secure World is not supported!\n");
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
return -EPERM;
trusty: Simulate Secure Monitor Call(SMC) by Hypercall For ARM, The SMC instruction is used to generate a synchronous exception that is handled by Secure Monitor code running in EL3. In the ARM architecture, synchronous control is transferred between the normal Non-secure state and the Secure state through Secure Monitor Call exceptions. SMC exceptions are generated by the SMC instruction, and handled by the Secure Monitor.The operation of the Secure Monitor is determined by the parameters that are passed in through registers. For ACRN, Hypervisor will simulate SMC by hypercall to switch vCPU State between Normal World and Secure World. There are 4 registers(RDI, RSI, RDX, RBX) reserved for paramters passing between Normal World and Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:26:38 +08:00
}
HV: trusty: refine secure_world_control Define Bitmap flag to indicate secure world's state: supported: 0(not supported), 1(supported) active: 0(inactive), 1(active) Refine secure_world_memory: base_gpa_in_sos: base_gpa from SOS's view base_gpa_in_uos: base_gpa from UOS's view, this is the original base_gpa allocated by bootloader. Recording above GPA is for usage of trusty EPT destroy and re-create. There is an assumption: the secure world's memory address is contiguous in both SOS and physical side. Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-05-25 09:30:37 +08:00
if (!vcpu->vm->sworld_control.flag.active) {
HV: trusty: log printing cleanup Replace some pr_err() with dev_dbg(). Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-08-03 09:54:58 +08:00
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"Trusty is not initialized!\n");
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
return -EPERM;
trusty: Simulate Secure Monitor Call(SMC) by Hypercall For ARM, The SMC instruction is used to generate a synchronous exception that is handled by Secure Monitor code running in EL3. In the ARM architecture, synchronous control is transferred between the normal Non-secure state and the Secure state through Secure Monitor Call exceptions. SMC exceptions are generated by the SMC instruction, and handled by the Secure Monitor.The operation of the Secure Monitor is determined by the parameters that are passed in through registers. For ACRN, Hypervisor will simulate SMC by hypercall to switch vCPU State between Normal World and Secure World. There are 4 registers(RDI, RSI, RDX, RBX) reserved for paramters passing between Normal World and Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:26:38 +08:00
}
switch_world(vcpu, next_world_id);
return 0;
}
trusty: implement hypercall to initialize trusty UOS_Loader will trigger boot of Trusty-OS by HC_INITIALIZE_TRUSTY. UOS_Loader will load trusty image and alloc runtime memory for trusty. UOS_Loader will transfer these information include trusty runtime memory base address, entry address and memory size to hypervisor by trusty_boot_param structure. In hypervisor, once HC_INITIALIZE_TRUSTY received, it will create EPT for Secure World, save Normal World vCPU context, init Secure World vCPU context and switch World state to Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:27:51 +08:00
trusty: init & switch world fix - when init, cr0 & cr4 should read from VMCS - when world switch, cr0/cr4 read shadow should also be save/restore v2: - use context->vmx_cr0/cr4 to save/restore VMX_GUEST_CR0/CR4 - use context->cr0/cr4 to save/restore VMX_CR0/CR4_READ_SHADOW Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> Acked-by: Anthony Xu <anthony.xu@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-06-16 14:46:51 +08:00
/* this hcall is only come from trusty enabled vcpu itself, and cannot be
* called from other vcpus
*/
HV: hypercall: make hypercall functions return int32_t The error code in the hypervisor is 32-bit signed integers. To reduce implicit conversions, this patch make hcall_xxx returns int32_t, and finally converts it to uint64_t when assigned to rax whose semantics is properly defined in C99. Signed-off-by: Junjie Mao <junjie.mao@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-07-19 23:17:38 +08:00
int32_t hcall_initialize_trusty(struct vcpu *vcpu, uint64_t param)
trusty: implement hypercall to initialize trusty UOS_Loader will trigger boot of Trusty-OS by HC_INITIALIZE_TRUSTY. UOS_Loader will load trusty image and alloc runtime memory for trusty. UOS_Loader will transfer these information include trusty runtime memory base address, entry address and memory size to hypervisor by trusty_boot_param structure. In hypervisor, once HC_INITIALIZE_TRUSTY received, it will create EPT for Secure World, save Normal World vCPU context, init Secure World vCPU context and switch World state to Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:27:51 +08:00
{
HV: trusty: refine secure_world_control Define Bitmap flag to indicate secure world's state: supported: 0(not supported), 1(supported) active: 0(inactive), 1(active) Refine secure_world_memory: base_gpa_in_sos: base_gpa from SOS's view base_gpa_in_uos: base_gpa from UOS's view, this is the original base_gpa allocated by bootloader. Recording above GPA is for usage of trusty EPT destroy and re-create. There is an assumption: the secure world's memory address is contiguous in both SOS and physical side. Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-05-25 09:30:37 +08:00
if (!vcpu->vm->sworld_control.flag.supported) {
HV: trusty: log printing cleanup Replace some pr_err() with dev_dbg(). Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-08-03 09:54:58 +08:00
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"Secure World is not supported!\n");
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
return -EPERM;
trusty: implement hypercall to initialize trusty UOS_Loader will trigger boot of Trusty-OS by HC_INITIALIZE_TRUSTY. UOS_Loader will load trusty image and alloc runtime memory for trusty. UOS_Loader will transfer these information include trusty runtime memory base address, entry address and memory size to hypervisor by trusty_boot_param structure. In hypervisor, once HC_INITIALIZE_TRUSTY received, it will create EPT for Secure World, save Normal World vCPU context, init Secure World vCPU context and switch World state to Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:27:51 +08:00
}
HV: trusty: refine secure_world_control Define Bitmap flag to indicate secure world's state: supported: 0(not supported), 1(supported) active: 0(inactive), 1(active) Refine secure_world_memory: base_gpa_in_sos: base_gpa from SOS's view base_gpa_in_uos: base_gpa from UOS's view, this is the original base_gpa allocated by bootloader. Recording above GPA is for usage of trusty EPT destroy and re-create. There is an assumption: the secure world's memory address is contiguous in both SOS and physical side. Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-05-25 09:30:37 +08:00
if (vcpu->vm->sworld_control.flag.active) {
HV: trusty: log printing cleanup Replace some pr_err() with dev_dbg(). Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-08-03 09:54:58 +08:00
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"Trusty already initialized!\n");
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
return -EPERM;
trusty: implement hypercall to initialize trusty UOS_Loader will trigger boot of Trusty-OS by HC_INITIALIZE_TRUSTY. UOS_Loader will load trusty image and alloc runtime memory for trusty. UOS_Loader will transfer these information include trusty runtime memory base address, entry address and memory size to hypervisor by trusty_boot_param structure. In hypervisor, once HC_INITIALIZE_TRUSTY received, it will create EPT for Secure World, save Normal World vCPU context, init Secure World vCPU context and switch World state to Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:27:51 +08:00
}
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
if (vcpu->arch_vcpu.cur_context != NORMAL_WORLD) {
HV: trusty: log printing cleanup Replace some pr_err() with dev_dbg(). Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-08-03 09:54:58 +08:00
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"%s, must initialize Trusty from Normal World!\n",
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
__func__);
return -EPERM;
trusty: implement hypercall to initialize trusty UOS_Loader will trigger boot of Trusty-OS by HC_INITIALIZE_TRUSTY. UOS_Loader will load trusty image and alloc runtime memory for trusty. UOS_Loader will transfer these information include trusty runtime memory base address, entry address and memory size to hypervisor by trusty_boot_param structure. In hypervisor, once HC_INITIALIZE_TRUSTY received, it will create EPT for Secure World, save Normal World vCPU context, init Secure World vCPU context and switch World state to Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:27:51 +08:00
}
HV: Fix missing brackets for MISRA C Violations Patch 6 of 7. Added changes to make sure Misra C violations are fixed for rules 11S and 12S. Signed-off-by: Arindam Roy <arindam.roy@intel.com>
2018-07-13 06:02:55 +08:00
if (!initialize_trusty(vcpu, param)) {
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
return -ENODEV;
HV: Fix missing brackets for MISRA C Violations Patch 6 of 7. Added changes to make sure Misra C violations are fixed for rules 11S and 12S. Signed-off-by: Arindam Roy <arindam.roy@intel.com>
2018-07-13 06:02:55 +08:00
}
hv: move panic out of hypercall Just return the errno to the caller. Signed-off-by: Li, Fei1 <fei1.li@intel.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
2018-05-29 15:47:23 +08:00
HV: trusty: refine secure_world_control Define Bitmap flag to indicate secure world's state: supported: 0(not supported), 1(supported) active: 0(inactive), 1(active) Refine secure_world_memory: base_gpa_in_sos: base_gpa from SOS's view base_gpa_in_uos: base_gpa from UOS's view, this is the original base_gpa allocated by bootloader. Recording above GPA is for usage of trusty EPT destroy and re-create. There is an assumption: the secure world's memory address is contiguous in both SOS and physical side. Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-05-25 09:30:37 +08:00
vcpu->vm->sworld_control.flag.active = 1UL;
trusty: implement hypercall to initialize trusty UOS_Loader will trigger boot of Trusty-OS by HC_INITIALIZE_TRUSTY. UOS_Loader will load trusty image and alloc runtime memory for trusty. UOS_Loader will transfer these information include trusty runtime memory base address, entry address and memory size to hypervisor by trusty_boot_param structure. In hypervisor, once HC_INITIALIZE_TRUSTY received, it will create EPT for Secure World, save Normal World vCPU context, init Secure World vCPU context and switch World state to Secure World. Signed-off-by: Qi Yadong <yadong.qi@intel.com>
2018-03-27 17:27:51 +08:00
return 0;
}
HV: trusty: new hypercall to save/restore context of secure world New field in VM's structure: sworld_snapshot: save cpu_context of secure world. New hypercall: HC_SAVE_RESTORE_SWORLD_CTX In UOS S3 suspend path: trusty kernel driver will call this hypercall to require Hypervisor save context of secure world. In UOS S3 resume path: virtual firmware will call this hypercall to require Hypervisor restore context of secure world. New bit in secure_world_control.flag: ctx_saved: indicate whether cpu_context of secure world is saved. Signed-off-by: Qi Yadong <yadong.qi@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2018-05-25 13:08:04 +08:00
int64_t hcall_save_restore_sworld_ctx(struct vcpu *vcpu)
{
struct vm *vm = vcpu->vm;
if (!vm->sworld_control.flag.supported) {
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"Secure World is not supported!\n");
return -EPERM;
}
/* Currently, Secure World is only running on vCPU0 */
if (!is_vcpu_bsp(vcpu)) {
dev_dbg(ACRN_DBG_TRUSTY_HYCALL,
"This hypercall is only allowed from vcpu0!");
return -EPERM;
}
if (vm->sworld_control.flag.active) {
save_sworld_context(vcpu);
vm->sworld_control.flag.ctx_saved = 1UL;
} else {
if (vm->sworld_control.flag.ctx_saved) {
restore_sworld_context(vcpu);
vm->sworld_control.flag.ctx_saved = 0UL;
vm->sworld_control.flag.active = 1UL;
}
}
return 0;
}