From patchwork Mon Mar 24 13:52:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bertrand Marquis X-Patchwork-Id: 14027394 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 13B29C36002 for ; Mon, 24 Mar 2025 13:53:34 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.925581.1328459 (Exim 4.92) (envelope-from ) id 1twiF4-000065-6F; Mon, 24 Mar 2025 13:53:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 925581.1328459; Mon, 24 Mar 2025 13:53:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF4-00005u-2p; Mon, 24 Mar 2025 13:53:26 +0000 Received: by outflank-mailman (input) for mailman id 925581; Mon, 24 Mar 2025 13:53:24 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF2-000052-Tl for xen-devel@lists.xenproject.org; Mon, 24 Mar 2025 13:53:24 +0000 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by se1-gles-flk1.inumbo.com (Halon) with ESMTP id 5993f547-08b7-11f0-9ffa-bf95429c2676; Mon, 24 Mar 2025 14:53:22 +0100 (CET) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4E18C16F3; Mon, 24 Mar 2025 06:53:28 -0700 (PDT) Received: from C3HXLD123V.arm.com (unknown [10.57.86.79]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id B5EB73F58B; Mon, 24 Mar 2025 06:53:19 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 5993f547-08b7-11f0-9ffa-bf95429c2676 From: Bertrand Marquis To: xen-devel@lists.xenproject.org Cc: jens.wiklander@linaro.org, Andrew Cooper , Anthony PERARD , Michal Orzel , Jan Beulich , Julien Grall , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Stefano Stabellini , Volodymyr Babchuk Subject: [PATCH v4 1/5] xen/arm: Create tee command line parameter Date: Mon, 24 Mar 2025 14:52:59 +0100 Message-ID: X-Mailer: git-send-email 2.47.1 In-Reply-To: References: MIME-Version: 1.0 Add a new command line parameter "tee=" to be used to explicitly select what tee mediator is to be used by Xen and fail if it does not exist or the probe function for it failed. Without specifying which tee is to be used, Xen will use the first one for which the probe function succeeds which depends on the order of the mediator list which depends on the compiler. Using the command line argument, it is now possible to explicit request a specific TEE mediator and panic on boot if it is not available. Signed-off-by: Bertrand Marquis Reviewed-by: Jens Wiklander --- Changes in v4: - None Changes in v3: - Properly classify tee as arm specific (Jan) Changes in v2: - Patch introduced to add a command line selection of the TEE --- docs/misc/xen-command-line.pandoc | 14 ++++++++++++++ xen/arch/arm/include/asm/tee/tee.h | 4 ++++ xen/arch/arm/tee/tee.c | 31 ++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 89db6e83be66..0c2ff542a138 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2651,6 +2651,20 @@ Specify the per-cpu trace buffer size in pages. Flag to enable TSC deadline as the APIC timer mode. +### tee (arm) +> `= ` + +Specify the TEE mediator to be probed and use. + +The default behaviour is to probe all supported TEEs supported by Xen and use +the first one successfully probed. When this parameter is passed, Xen will +probe only the TEE mediator passed as argument and boot will fail if this +mediator is not properly probed or if the requested TEE is not supported by +Xen. + +This parameter can be set to `optee` of `ffa` if the corresponding mediators +are compiled in. + ### tevt_mask > `= ` diff --git a/xen/arch/arm/include/asm/tee/tee.h b/xen/arch/arm/include/asm/tee/tee.h index 0169fd746bcd..15d664e28dce 100644 --- a/xen/arch/arm/include/asm/tee/tee.h +++ b/xen/arch/arm/include/asm/tee/tee.h @@ -55,6 +55,9 @@ struct tee_mediator_desc { /* Printable name of the TEE. */ const char *name; + /* Command line name of the TEE (to be used with tee= cmdline option) */ + const char *cmdline_name; + /* Mediator callbacks as described above. */ const struct tee_mediator_ops *ops; @@ -77,6 +80,7 @@ void tee_free_domain_ctx(struct domain *d); static const struct tee_mediator_desc __tee_desc_##_name __used \ __section(".teemediator.info") = { \ .name = _namestr, \ + .cmdline_name = #_name, \ .ops = _ops, \ .tee_type = _type \ } diff --git a/xen/arch/arm/tee/tee.c b/xen/arch/arm/tee/tee.c index 3f65e45a7892..066b5ba40f9d 100644 --- a/xen/arch/arm/tee/tee.c +++ b/xen/arch/arm/tee/tee.c @@ -19,12 +19,17 @@ #include #include #include +#include #include extern const struct tee_mediator_desc _steemediator[], _eteemediator[]; static const struct tee_mediator_desc __read_mostly *cur_mediator; +/* Select the TEE mediator using a name on command line. */ +static char __initdata opt_mediator[16] = ""; +string_param("tee", opt_mediator); + /* * TODO: Add function to alter Dom0 DTB, so we can properly describe * present TEE. @@ -81,14 +86,40 @@ static int __init tee_init(void) { const struct tee_mediator_desc *desc; + if ( strcmp(opt_mediator, "") ) + printk(XENLOG_INFO "TEE Mediator %s selected from command line\n", + opt_mediator); + + /* + * When a specific TEE is selected using the 'tee=' command line + * argument, we panic if the probe fails or if the requested TEE is not + * supported. + */ for ( desc = _steemediator; desc != _eteemediator; desc++ ) { + if ( strcmp(opt_mediator, "") && + strncmp(opt_mediator, desc->cmdline_name, sizeof(opt_mediator)) ) + continue; + if ( desc->ops->probe() ) { printk(XENLOG_INFO "Using TEE mediator for %s\n", desc->name); cur_mediator = desc; return 0; } + else if ( strcmp(opt_mediator, "") ) + { + panic("TEE mediator %s from command line probe failed\n", + opt_mediator); + return -EFAULT; + } + } + + if ( strcmp(opt_mediator, "") ) + { + panic("TEE Mediator %s from command line not supported\n", + opt_mediator); + return -EINVAL; } return 0; From patchwork Mon Mar 24 13:53:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bertrand Marquis X-Patchwork-Id: 14027395 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 560CFC3600B for ; Mon, 24 Mar 2025 13:53:33 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.925582.1328464 (Exim 4.92) (envelope-from ) id 1twiF4-00008U-FI; Mon, 24 Mar 2025 13:53:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 925582.1328464; Mon, 24 Mar 2025 13:53:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF4-00007l-A2; Mon, 24 Mar 2025 13:53:26 +0000 Received: by outflank-mailman (input) for mailman id 925582; Mon, 24 Mar 2025 13:53:25 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF3-0008HJ-0q for xen-devel@lists.xenproject.org; Mon, 24 Mar 2025 13:53:25 +0000 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by se1-gles-sth1.inumbo.com (Halon) with ESMTP id 5aacbaec-08b7-11f0-9ea2-5ba50f476ded; Mon, 24 Mar 2025 14:53:24 +0100 (CET) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2FBB21C14; Mon, 24 Mar 2025 06:53:30 -0700 (PDT) Received: from C3HXLD123V.arm.com (unknown [10.57.86.79]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 70BE33F58B; Mon, 24 Mar 2025 06:53:22 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 5aacbaec-08b7-11f0-9ea2-5ba50f476ded From: Bertrand Marquis To: xen-devel@lists.xenproject.org Cc: jens.wiklander@linaro.org, Volodymyr Babchuk , Stefano Stabellini , Julien Grall , Michal Orzel Subject: [PATCH v4 2/5] xen/arm: ffa: Introduce VM to VM support Date: Mon, 24 Mar 2025 14:53:00 +0100 Message-ID: <8f0928b4e94b47d6fed201dcd8cfb1068573b297.1742824138.git.bertrand.marquis@arm.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: References: MIME-Version: 1.0 Create a CONFIG_FFA_VM_TO_VM parameter to activate FFA communication between VMs. When activated list VMs in the system with FF-A support in part_info_get. When VM to VM is activated, Xen will be tainted as Insecure and a message is displayed to the user during the boot as there is no filtering of VMs in FF-A so any VM can communicate or see any other VM in the system. WARNING: There is no filtering for now and all VMs are listed !! Signed-off-by: Bertrand Marquis Reviewed-by: Jens Wiklander --- Changes in v4: - properly handle SPMC version 1.0 header size case in partinfo_get - switch to local counting variables instead of *pointer += 1 form - coding style issue with missing spaces in if () Changes in v3: - break partinfo_get in several sub functions to make the implementation easier to understand and lock handling easier - rework implementation to check size along the way and prevent previous implementation limits which had to check that the number of VMs or SPs did not change - taint Xen as INSECURE when VM to VM is enabled Changes in v2: - Switch ifdef to IS_ENABLED - dom was not switched to d as requested by Jan because there is already a variable d pointing to the current domain and it must not be shadowed. --- xen/arch/arm/tee/Kconfig | 11 ++ xen/arch/arm/tee/ffa.c | 12 ++ xen/arch/arm/tee/ffa_partinfo.c | 274 +++++++++++++++++++++----------- xen/arch/arm/tee/ffa_private.h | 12 ++ 4 files changed, 218 insertions(+), 91 deletions(-) diff --git a/xen/arch/arm/tee/Kconfig b/xen/arch/arm/tee/Kconfig index c5b0f88d7522..88a4c4c99154 100644 --- a/xen/arch/arm/tee/Kconfig +++ b/xen/arch/arm/tee/Kconfig @@ -28,5 +28,16 @@ config FFA [1] https://developer.arm.com/documentation/den0077/latest +config FFA_VM_TO_VM + bool "Enable FF-A between VMs (UNSUPPORTED)" if UNSUPPORTED + default n + depends on FFA + help + This option enables to use FF-A between VMs. + This is experimental and there is no access control so any + guest can communicate with any other guest. + + If unsure, say N. + endmenu diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c index 3bbdd7168a6b..e41ab5f8ada6 100644 --- a/xen/arch/arm/tee/ffa.c +++ b/xen/arch/arm/tee/ffa.c @@ -464,6 +464,18 @@ static bool ffa_probe(void) printk(XENLOG_INFO "ARM FF-A Mediator version %u.%u\n", FFA_MY_VERSION_MAJOR, FFA_MY_VERSION_MINOR); + if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) ) + { + /* + * When FFA VM to VM is enabled, the current implementation does not + * offer any way to limit which VM can communicate with which VM using + * FF-A. + * Signal this in the xen console and taint the system as insecure. + * TODO: Introduce a solution to limit what a VM can do through FFA. + */ + printk(XENLOG_ERR "ffa: VM to VM is enabled, system is insecure !!\n"); + add_taint(TAINT_MACHINE_INSECURE); + } /* * psci_init_smccc() updates this value with what's reported by EL-3 * or secure world. diff --git a/xen/arch/arm/tee/ffa_partinfo.c b/xen/arch/arm/tee/ffa_partinfo.c index c0510ceb8338..406c57b95f77 100644 --- a/xen/arch/arm/tee/ffa_partinfo.c +++ b/xen/arch/arm/tee/ffa_partinfo.c @@ -63,9 +63,156 @@ static int32_t ffa_partition_info_get(uint32_t *uuid, uint32_t flags, return ret; } -void ffa_handle_partition_info_get(struct cpu_user_regs *regs) +static int32_t ffa_get_sp_count(uint32_t *uuid, uint32_t *sp_count) +{ + uint32_t src_size; + + return ffa_partition_info_get(uuid, FFA_PARTITION_INFO_GET_COUNT_FLAG, + sp_count, &src_size); +} + +static int32_t ffa_get_sp_partinfo(uint32_t *uuid, uint32_t *sp_count, + void *dst_buf, void *end_buf, + uint32_t dst_size) { int32_t ret; + uint32_t src_size, real_sp_count; + void *src_buf = ffa_rx; + uint32_t count = 0; + + /* Do we have a RX buffer with the SPMC */ + if ( !ffa_rx ) + return FFA_RET_DENIED; + + /* We need to use the RX buffer to receive the list */ + spin_lock(&ffa_rx_buffer_lock); + + ret = ffa_partition_info_get(uuid, 0, &real_sp_count, &src_size); + if ( ret ) + goto out; + + /* We now own the RX buffer */ + + /* We only support a 1.1 firmware version */ + if ( src_size < sizeof(struct ffa_partition_info_1_0) ) + { + ret = FFA_RET_NOT_SUPPORTED; + goto out_release; + } + + for ( uint32_t sp_num = 0; sp_num < real_sp_count; sp_num++ ) + { + struct ffa_partition_info_1_1 *fpi = src_buf; + + /* filter out SP not following bit 15 convention if any */ + if ( FFA_ID_IS_SECURE(fpi->id) ) + { + if ( dst_buf + dst_size > end_buf ) + { + ret = FFA_RET_NO_MEMORY; + goto out_release; + } + + memcpy(dst_buf, src_buf, MIN(src_size, dst_size)); + if ( dst_size > src_size ) + memset(dst_buf + src_size, 0, dst_size - src_size); + + dst_buf += dst_size; + count++; + } + + src_buf += src_size; + } + + *sp_count = count; + +out_release: + ffa_hyp_rx_release(); +out: + spin_unlock(&ffa_rx_buffer_lock); + return ret; +} + +static uint32_t ffa_get_vm_count(void) +{ + struct domain *d = current->domain; + struct domain *dom; + uint32_t vm_count = 0; + + /* Count the number of VM with FF-A support */ + rcu_read_lock(&domlist_read_lock); + for_each_domain( dom ) + { + struct ffa_ctx *vm = dom->arch.tee; + + if ( dom != d && vm != NULL && vm->guest_vers != 0 ) + vm_count++; + } + rcu_read_unlock(&domlist_read_lock); + + return vm_count; +} + +static int32_t ffa_get_vm_partinfo(uint32_t *vm_count, void *dst_buf, + void *end_buf, uint32_t dst_size) +{ + struct domain *d = current->domain; + struct domain *dom; + int32_t ret = FFA_RET_OK; + uint32_t count = 0; + + rcu_read_lock(&domlist_read_lock); + for_each_domain( dom ) + { + struct ffa_ctx *vm = dom->arch.tee; + + /* + * we do not add the VM calling to the list and only VMs with + * FF-A support + */ + if ( dom != d && vm != NULL && vm->guest_vers != 0 ) + { + /* + * We do not have UUID info for VMs so use + * the 1.0 structure so that we set UUIDs to + * zero using memset + */ + struct ffa_partition_info_1_0 srcvm; + + if ( dst_buf + dst_size > end_buf ) + { + ret = FFA_RET_NO_MEMORY; + goto out; + } + + srcvm.id = ffa_get_vm_id(dom); + srcvm.execution_context = dom->max_vcpus; + srcvm.partition_properties = FFA_PART_VM_PROP; + if ( is_64bit_domain(dom) ) + srcvm.partition_properties |= FFA_PART_PROP_AARCH64_STATE; + + memcpy(dst_buf, &srcvm, MIN(sizeof(srcvm), dst_size)); + + if ( dst_size > sizeof(srcvm) ) + memset(dst_buf + sizeof(srcvm), 0, + dst_size - sizeof(srcvm)); + + dst_buf += dst_size; + count++; + } + } + *vm_count = count; + +out: + rcu_read_unlock(&domlist_read_lock); + + return ret; +} + + +void ffa_handle_partition_info_get(struct cpu_user_regs *regs) +{ + int32_t ret = FFA_RET_OK; struct domain *d = current->domain; struct ffa_ctx *ctx = d->arch.tee; uint32_t flags = get_user_reg(regs, 5); @@ -75,9 +222,9 @@ void ffa_handle_partition_info_get(struct cpu_user_regs *regs) get_user_reg(regs, 3), get_user_reg(regs, 4), }; - uint32_t src_size, dst_size; - void *dst_buf; - uint32_t ffa_sp_count = 0; + uint32_t dst_size = 0; + void *dst_buf, *end_buf; + uint32_t ffa_vm_count = 0, ffa_sp_count = 0; /* * If the guest is v1.0, he does not get back the entry size so we must @@ -89,118 +236,63 @@ void ffa_handle_partition_info_get(struct cpu_user_regs *regs) else dst_size = sizeof(struct ffa_partition_info_1_1); - /* - * FF-A v1.0 has w5 MBZ while v1.1 allows - * FFA_PARTITION_INFO_GET_COUNT_FLAG to be non-zero. - * - * FFA_PARTITION_INFO_GET_COUNT is only using registers and not the - * rxtx buffer so do the partition_info_get directly. - */ - if ( flags == FFA_PARTITION_INFO_GET_COUNT_FLAG && - ctx->guest_vers == FFA_VERSION_1_1 ) + /* Only count requested */ + if ( flags ) { - if ( ffa_fw_supports_fid(FFA_PARTITION_INFO_GET) ) - ret = ffa_partition_info_get(uuid, flags, &ffa_sp_count, - &src_size); - else - ret = FFA_RET_OK; + /* + * FF-A v1.0 has w5 MBZ while v1.1 allows + * FFA_PARTITION_INFO_GET_COUNT_FLAG to be non-zero. + */ + if ( ctx->guest_vers == FFA_VERSION_1_0 || + flags != FFA_PARTITION_INFO_GET_COUNT_FLAG ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out; + } - goto out; - } + if ( ffa_fw_supports_fid(FFA_PARTITION_INFO_GET) ) + { + ret = ffa_get_sp_count(uuid, &ffa_sp_count); + if ( ret ) + goto out; + } - if ( flags ) - { - ret = FFA_RET_INVALID_PARAMETERS; - goto out; - } + if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) ) + ffa_vm_count = ffa_get_vm_count(); - if ( !ffa_fw_supports_fid(FFA_PARTITION_INFO_GET) ) - { - /* Just give an empty partition list to the caller */ - ret = FFA_RET_OK; goto out; } + /* Get the RX buffer to write the list of partitions */ ret = ffa_rx_acquire(d); if ( ret != FFA_RET_OK ) goto out; dst_buf = ctx->rx; + end_buf = ctx->rx + ctx->page_count * FFA_PAGE_SIZE; - if ( !ffa_rx ) + if ( ffa_fw_supports_fid(FFA_PARTITION_INFO_GET) ) { - ret = FFA_RET_DENIED; - goto out_rx_release; - } - - spin_lock(&ffa_rx_buffer_lock); - - ret = ffa_partition_info_get(uuid, 0, &ffa_sp_count, &src_size); - - if ( ret ) - goto out_rx_hyp_unlock; + ret = ffa_get_sp_partinfo(uuid, &ffa_sp_count, dst_buf, end_buf, + dst_size); - /* - * ffa_partition_info_get() succeeded so we now own the RX buffer we - * share with the SPMC. We must give it back using ffa_hyp_rx_release() - * once we've copied the content. - */ + if ( ret ) + goto out_rx_release; - /* we cannot have a size smaller than 1.0 structure */ - if ( src_size < sizeof(struct ffa_partition_info_1_0) ) - { - ret = FFA_RET_NOT_SUPPORTED; - goto out_rx_hyp_release; + dst_buf += ffa_sp_count * dst_size; } - if ( ctx->page_count * FFA_PAGE_SIZE < ffa_sp_count * dst_size ) - { - ret = FFA_RET_NO_MEMORY; - goto out_rx_hyp_release; - } + if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) ) + ret = ffa_get_vm_partinfo(&ffa_vm_count, dst_buf, end_buf, dst_size); - if ( ffa_sp_count > 0 ) - { - uint32_t n, n_limit = ffa_sp_count; - void *src_buf = ffa_rx; - - /* copy the secure partitions info */ - for ( n = 0; n < n_limit; n++ ) - { - struct ffa_partition_info_1_1 *fpi = src_buf; - - /* filter out SP not following bit 15 convention if any */ - if ( FFA_ID_IS_SECURE(fpi->id) ) - { - memcpy(dst_buf, src_buf, dst_size); - dst_buf += dst_size; - } - else - ffa_sp_count--; - - src_buf += src_size; - } - } - -out_rx_hyp_release: - ffa_hyp_rx_release(); -out_rx_hyp_unlock: - spin_unlock(&ffa_rx_buffer_lock); out_rx_release: - /* - * The calling VM RX buffer only contains data to be used by the VM if the - * call was successful, in which case the VM has to release the buffer - * once it has used the data. - * If something went wrong during the call, we have to release the RX - * buffer back to the SPMC as the VM will not do it. - */ - if ( ret != FFA_RET_OK ) + if ( ret ) ffa_rx_release(d); out: if ( ret ) ffa_set_regs_error(regs, ret); else - ffa_set_regs_success(regs, ffa_sp_count, dst_size); + ffa_set_regs_success(regs, ffa_sp_count + ffa_vm_count, dst_size); } static int32_t ffa_direct_req_send_vm(uint16_t sp_id, uint16_t vm_id, diff --git a/xen/arch/arm/tee/ffa_private.h b/xen/arch/arm/tee/ffa_private.h index c4cd65538908..bd6877d8c632 100644 --- a/xen/arch/arm/tee/ffa_private.h +++ b/xen/arch/arm/tee/ffa_private.h @@ -187,6 +187,18 @@ */ #define FFA_PARTITION_INFO_GET_COUNT_FLAG BIT(0, U) +/* + * Partition properties we give for a normal world VM: + * - can send direct message but not receive them + * - can handle indirect messages + * - can receive notifications + * 32/64 bit flag is set depending on the VM + */ +#define FFA_PART_VM_PROP (FFA_PART_PROP_DIRECT_REQ_SEND | \ + FFA_PART_PROP_INDIRECT_MSGS | \ + FFA_PART_PROP_RECV_NOTIF | \ + FFA_PART_PROP_IS_PE_ID) + /* Flags used in calls to FFA_NOTIFICATION_GET interface */ #define FFA_NOTIF_FLAG_BITMAP_SP BIT(0, U) #define FFA_NOTIF_FLAG_BITMAP_VM BIT(1, U) From patchwork Mon Mar 24 13:53:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bertrand Marquis X-Patchwork-Id: 14027396 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0015EC3600C for ; Mon, 24 Mar 2025 13:53:34 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.925584.1328479 (Exim 4.92) (envelope-from ) id 1twiF5-0000b6-TI; Mon, 24 Mar 2025 13:53:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 925584.1328479; Mon, 24 Mar 2025 13:53:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF5-0000az-Pl; Mon, 24 Mar 2025 13:53:27 +0000 Received: by outflank-mailman (input) for mailman id 925584; Mon, 24 Mar 2025 13:53:26 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF4-0008HJ-PM for xen-devel@lists.xenproject.org; Mon, 24 Mar 2025 13:53:26 +0000 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by se1-gles-sth1.inumbo.com (Halon) with ESMTP id 5bbb003a-08b7-11f0-9ea2-5ba50f476ded; Mon, 24 Mar 2025 14:53:26 +0100 (CET) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E4B3816F3; Mon, 24 Mar 2025 06:53:31 -0700 (PDT) Received: from C3HXLD123V.arm.com (unknown [10.57.86.79]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 3CCC03F58B; Mon, 24 Mar 2025 06:53:24 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 5bbb003a-08b7-11f0-9ea2-5ba50f476ded From: Bertrand Marquis To: xen-devel@lists.xenproject.org Cc: jens.wiklander@linaro.org, Volodymyr Babchuk , Stefano Stabellini , Julien Grall , Michal Orzel Subject: [PATCH v4 3/5] xen/arm: ffa: Add buffer full notification support Date: Mon, 24 Mar 2025 14:53:01 +0100 Message-ID: X-Mailer: git-send-email 2.47.1 In-Reply-To: References: MIME-Version: 1.0 Add support to raise a Rx buffer full notification to a VM. This function will be used for indirect message support between VM and is only activated if CONFIG_FFA_VM_TO_VM is selected. Even if there are 32 framework notifications possible, right now only one is defined so the implementation is simplified to only handle the buffer full notification using a boolean. If other framework notifications have to be supported one day, the design will have to be modified to handle it properly. Signed-off-by: Bertrand Marquis Reviewed-by: Jens Wiklander --- Changes in v4: - Add Jens R-b Changes in v3: - introduce a vm_pending boolean to track if VM notifications are pending and allow to decorelate pending secure notifications from pending vm ones - remove ifdef around boolean entries for notifications and make use of IS_ENABLED instead of ifdefs when possible - Fix notification number signaled to VMs for buffer full to use the proper GUEST_FFA_NOTIF_PEND_INTR_ID instead of the identifier received from the SPMC. - Move back into this patch ffa_private.h part which was wrongly in the patch for indirect messages between VM Changes in v2: - Switch ifdef to IS_ENABLED when possible --- xen/arch/arm/tee/ffa_notif.c | 36 ++++++++++++++++++++++++++++------ xen/arch/arm/tee/ffa_private.h | 23 +++++++++++++++++++++- 2 files changed, 52 insertions(+), 7 deletions(-) diff --git a/xen/arch/arm/tee/ffa_notif.c b/xen/arch/arm/tee/ffa_notif.c index 00efaf8f7353..f6df2f15bb00 100644 --- a/xen/arch/arm/tee/ffa_notif.c +++ b/xen/arch/arm/tee/ffa_notif.c @@ -69,6 +69,7 @@ void ffa_handle_notification_info_get(struct cpu_user_regs *regs) { struct domain *d = current->domain; struct ffa_ctx *ctx = d->arch.tee; + bool notif_pending; if ( !notif_enabled ) { @@ -76,7 +77,11 @@ void ffa_handle_notification_info_get(struct cpu_user_regs *regs) return; } - if ( test_and_clear_bool(ctx->notif.secure_pending) ) + notif_pending = test_and_clear_bool(ctx->notif.secure_pending); + if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) ) + notif_pending |= test_and_clear_bool(ctx->notif.vm_pending); + + if ( notif_pending ) { /* A pending global notification for the guest */ ffa_set_regs(regs, FFA_SUCCESS_64, 0, @@ -93,6 +98,7 @@ void ffa_handle_notification_info_get(struct cpu_user_regs *regs) void ffa_handle_notification_get(struct cpu_user_regs *regs) { struct domain *d = current->domain; + struct ffa_ctx *ctx = d->arch.tee; uint32_t recv = get_user_reg(regs, 1); uint32_t flags = get_user_reg(regs, 2); uint32_t w2 = 0; @@ -132,11 +138,7 @@ void ffa_handle_notification_get(struct cpu_user_regs *regs) */ if ( ( flags & FFA_NOTIF_FLAG_BITMAP_SP ) && ( flags & FFA_NOTIF_FLAG_BITMAP_SPM ) ) - { - struct ffa_ctx *ctx = d->arch.tee; - - ACCESS_ONCE(ctx->notif.secure_pending) = false; - } + ACCESS_ONCE(ctx->notif.secure_pending) = false; arm_smccc_1_2_smc(&arg, &resp); e = ffa_get_ret_code(&resp); @@ -156,6 +158,14 @@ void ffa_handle_notification_get(struct cpu_user_regs *regs) w6 = resp.a6; } + if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) && + flags & FFA_NOTIF_FLAG_BITMAP_HYP && + test_and_clear_bool(ctx->notif.buff_full_pending) ) + { + ACCESS_ONCE(ctx->notif.vm_pending) = false; + w7 = FFA_NOTIF_RX_BUFFER_FULL; + } + ffa_set_regs(regs, FFA_SUCCESS_32, 0, w2, w3, w4, w5, w6, w7); } @@ -178,6 +188,20 @@ int ffa_handle_notification_set(struct cpu_user_regs *regs) bitmap_hi); } +#ifdef CONFIG_FFA_VM_TO_VM +void ffa_raise_rx_buffer_full(struct domain *d) +{ + struct ffa_ctx *ctx = d->arch.tee; + + if ( !ctx ) + return; + + ACCESS_ONCE(ctx->notif.buff_full_pending) = true; + if ( !test_and_set_bool(ctx->notif.vm_pending) ) + vgic_inject_irq(d, d->vcpu[0], GUEST_FFA_NOTIF_PEND_INTR_ID, true); +} +#endif + /* * Extract a 16-bit ID (index n) from the successful return value from * FFA_NOTIFICATION_INFO_GET_64 or FFA_NOTIFICATION_INFO_GET_32. IDs are diff --git a/xen/arch/arm/tee/ffa_private.h b/xen/arch/arm/tee/ffa_private.h index bd6877d8c632..878af2d76e0e 100644 --- a/xen/arch/arm/tee/ffa_private.h +++ b/xen/arch/arm/tee/ffa_private.h @@ -210,6 +210,8 @@ #define FFA_NOTIF_INFO_GET_ID_COUNT_SHIFT 7 #define FFA_NOTIF_INFO_GET_ID_COUNT_MASK 0x1F +#define FFA_NOTIF_RX_BUFFER_FULL BIT(0, U) + /* Feature IDs used with FFA_FEATURES */ #define FFA_FEATURE_NOTIF_PEND_INTR 0x1U #define FFA_FEATURE_SCHEDULE_RECV_INTR 0x2U @@ -295,9 +297,20 @@ struct ffa_mem_region { struct ffa_ctx_notif { /* * True if domain is reported by FFA_NOTIFICATION_INFO_GET to have - * pending global notifications. + * pending notifications from the secure world. */ bool secure_pending; + + /* + * True if domain is reported by FFA_NOTIFICATION_INFO_GET to have + * pending notifications from VMs (including framework ones). + */ + bool vm_pending; + + /* + * True if domain has buffer full notification pending + */ + bool buff_full_pending; }; struct ffa_ctx { @@ -369,6 +382,14 @@ void ffa_handle_notification_info_get(struct cpu_user_regs *regs); void ffa_handle_notification_get(struct cpu_user_regs *regs); int ffa_handle_notification_set(struct cpu_user_regs *regs); +#ifdef CONFIG_FFA_VM_TO_VM +void ffa_raise_rx_buffer_full(struct domain *d); +#else +static inline void ffa_raise_rx_buffer_full(struct domain *d) +{ +} +#endif + void ffa_handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid); int32_t ffa_handle_msg_send2(struct cpu_user_regs *regs); From patchwork Mon Mar 24 13:53:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bertrand Marquis X-Patchwork-Id: 14027397 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0382FC36002 for ; Mon, 24 Mar 2025 13:53:37 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.925585.1328489 (Exim 4.92) (envelope-from ) id 1twiF8-0000sy-5w; Mon, 24 Mar 2025 13:53:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 925585.1328489; Mon, 24 Mar 2025 13:53:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF8-0000sk-2s; Mon, 24 Mar 2025 13:53:30 +0000 Received: by outflank-mailman (input) for mailman id 925585; Mon, 24 Mar 2025 13:53:28 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF6-0008HJ-MR for xen-devel@lists.xenproject.org; Mon, 24 Mar 2025 13:53:28 +0000 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by se1-gles-sth1.inumbo.com (Halon) with ESMTP id 5cdf23f1-08b7-11f0-9ea2-5ba50f476ded; Mon, 24 Mar 2025 14:53:28 +0100 (CET) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B9A501C14; Mon, 24 Mar 2025 06:53:33 -0700 (PDT) Received: from C3HXLD123V.arm.com (unknown [10.57.86.79]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 0B2FC3F58B; Mon, 24 Mar 2025 06:53:25 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 5cdf23f1-08b7-11f0-9ea2-5ba50f476ded From: Bertrand Marquis To: xen-devel@lists.xenproject.org Cc: jens.wiklander@linaro.org, Volodymyr Babchuk , Stefano Stabellini , Julien Grall , Michal Orzel Subject: [PATCH v4 4/5] xen/arm: ffa: Add indirect message between VM Date: Mon, 24 Mar 2025 14:53:02 +0100 Message-ID: <719dad25719a0834dc0e52da715aca989a3c20fb.1742824138.git.bertrand.marquis@arm.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: References: MIME-Version: 1.0 Add support for indirect messages between VMs. This is only enabled if CONFIG_FFA_VM_TO_VM is selected. Signed-off-by: Bertrand Marquis Reviewed-by: Jens Wiklander --- Changes in v4: - Use a local copy of the message header to prevent a TOC/TOU possible issue when using the payload size Changes in v3: - Move vm to vm indirect message handling in a sub function to simplify lock handling and make implementation easier to read Changes in v2: - Switch ifdef to IS_ENABLED --- xen/arch/arm/tee/ffa_msg.c | 110 ++++++++++++++++++++++++++++++++----- 1 file changed, 96 insertions(+), 14 deletions(-) diff --git a/xen/arch/arm/tee/ffa_msg.c b/xen/arch/arm/tee/ffa_msg.c index ee594e737fc7..7c36e3aac47c 100644 --- a/xen/arch/arm/tee/ffa_msg.c +++ b/xen/arch/arm/tee/ffa_msg.c @@ -88,43 +88,125 @@ out: resp.a7 & mask); } +static int32_t ffa_msg_send2_vm(uint16_t dst_id, + struct ffa_part_msg_rxtx *src_msg) +{ + struct domain *dst_d; + struct ffa_ctx *dst_ctx; + struct ffa_part_msg_rxtx *dst_msg; + int err; + int32_t ret; + + if ( dst_id == 0 ) + /* FF-A ID 0 is the hypervisor, this is not valid */ + return FFA_RET_INVALID_PARAMETERS; + + /* This is also checking that dest is not src */ + err = rcu_lock_live_remote_domain_by_id(dst_id - 1, &dst_d); + if ( err ) + return FFA_RET_INVALID_PARAMETERS; + + if ( dst_d->arch.tee == NULL ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + dst_ctx = dst_d->arch.tee; + if ( !dst_ctx->guest_vers ) + { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + /* we need to have enough space in the destination buffer */ + if ( dst_ctx->page_count * FFA_PAGE_SIZE < + (sizeof(struct ffa_part_msg_rxtx) + src_msg->msg_size) ) + { + ret = FFA_RET_NO_MEMORY; + goto out_unlock; + } + + /* This also checks that destination has set a Rx buffer */ + ret = ffa_rx_acquire(dst_d); + if ( ret ) + goto out_unlock; + + dst_msg = dst_ctx->rx; + + /* prepare destination header */ + dst_msg->flags = 0; + dst_msg->reserved = 0; + dst_msg->msg_offset = sizeof(struct ffa_part_msg_rxtx); + dst_msg->send_recv_id = src_msg->send_recv_id; + dst_msg->msg_size = src_msg->msg_size; + + memcpy(dst_ctx->rx + sizeof(struct ffa_part_msg_rxtx), + ((void *)src_msg) + src_msg->msg_offset, src_msg->msg_size); + + /* receiver rx buffer will be released by the receiver*/ + +out_unlock: + rcu_unlock_domain(dst_d); + if ( !ret ) + ffa_raise_rx_buffer_full(dst_d); + + return ret; +} + int32_t ffa_handle_msg_send2(struct cpu_user_regs *regs) { struct domain *src_d = current->domain; struct ffa_ctx *src_ctx = src_d->arch.tee; - const struct ffa_part_msg_rxtx *src_msg; + struct ffa_part_msg_rxtx src_msg; uint16_t dst_id, src_id; int32_t ret; - if ( !ffa_fw_supports_fid(FFA_MSG_SEND2) ) - return FFA_RET_NOT_SUPPORTED; - if ( !spin_trylock(&src_ctx->tx_lock) ) return FFA_RET_BUSY; - src_msg = src_ctx->tx; - src_id = src_msg->send_recv_id >> 16; - dst_id = src_msg->send_recv_id & GENMASK(15,0); + /* create a copy of the message header */ + memcpy(&src_msg, src_ctx->tx, sizeof(src_msg)); + + src_id = src_msg.send_recv_id >> 16; + dst_id = src_msg.send_recv_id & GENMASK(15,0); - if ( src_id != ffa_get_vm_id(src_d) || !FFA_ID_IS_SECURE(dst_id) ) + if ( src_id != ffa_get_vm_id(src_d) ) { ret = FFA_RET_INVALID_PARAMETERS; - goto out_unlock_tx; + goto out; } /* check source message fits in buffer */ if ( src_ctx->page_count * FFA_PAGE_SIZE < - src_msg->msg_offset + src_msg->msg_size || - src_msg->msg_offset < sizeof(struct ffa_part_msg_rxtx) ) + src_msg.msg_offset + src_msg.msg_size || + src_msg.msg_offset < sizeof(struct ffa_part_msg_rxtx) ) { ret = FFA_RET_INVALID_PARAMETERS; - goto out_unlock_tx; + goto out; } - ret = ffa_simple_call(FFA_MSG_SEND2, + if ( FFA_ID_IS_SECURE(dst_id) ) + { + /* Message for a secure partition */ + if ( !ffa_fw_supports_fid(FFA_MSG_SEND2) ) + { + ret = FFA_RET_NOT_SUPPORTED; + goto out; + } + + ret = ffa_simple_call(FFA_MSG_SEND2, ((uint32_t)ffa_get_vm_id(src_d)) << 16, 0, 0, 0); + } + else if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) ) + { + /* Message for a VM */ + ret = ffa_msg_send2_vm(dst_id, &src_msg); + } + else + ret = FFA_RET_INVALID_PARAMETERS; -out_unlock_tx: +out: spin_unlock(&src_ctx->tx_lock); return ret; } From patchwork Mon Mar 24 13:53:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bertrand Marquis X-Patchwork-Id: 14027398 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9BE89C3600B for ; Mon, 24 Mar 2025 13:53:39 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.925587.1328499 (Exim 4.92) (envelope-from ) id 1twiFA-0001CD-EC; Mon, 24 Mar 2025 13:53:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 925587.1328499; Mon, 24 Mar 2025 13:53:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiFA-0001C2-AO; Mon, 24 Mar 2025 13:53:32 +0000 Received: by outflank-mailman (input) for mailman id 925587; Mon, 24 Mar 2025 13:53:30 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1twiF8-0008HJ-CU for xen-devel@lists.xenproject.org; Mon, 24 Mar 2025 13:53:30 +0000 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by se1-gles-sth1.inumbo.com (Halon) with ESMTP id 5dd96d1e-08b7-11f0-9ea2-5ba50f476ded; Mon, 24 Mar 2025 14:53:29 +0100 (CET) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 7D53E16F3; Mon, 24 Mar 2025 06:53:35 -0700 (PDT) Received: from C3HXLD123V.arm.com (unknown [10.57.86.79]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C6BA13F58B; Mon, 24 Mar 2025 06:53:27 -0700 (PDT) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 5dd96d1e-08b7-11f0-9ea2-5ba50f476ded From: Bertrand Marquis To: xen-devel@lists.xenproject.org Cc: jens.wiklander@linaro.org, Volodymyr Babchuk , Stefano Stabellini , Julien Grall , Michal Orzel Subject: [PATCH v4 5/5] xen/arm: ffa: Enable VM to VM without firmware Date: Mon, 24 Mar 2025 14:53:03 +0100 Message-ID: <0f5cf498c3c511ed192e8b7b7d0f4987e00e5c0d.1742824138.git.bertrand.marquis@arm.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: References: MIME-Version: 1.0 When VM to VM support is activated and there is no suitable FF-A support in the firmware, enable FF-A support for VMs to allow using it for VM to VM communications. If there is OP-TEE running in the secure world and using the non FF-A communication system, having CONFIG_FFA_VM_TO_VM could be non functional (if optee is probed first) or OP-TEE could be non functional (if FF-A is probed first) so it is not recommended to activate the configuration option for such systems. To make buffer full notification work between VMs when there is no firmware, rework the notification handling and modify the global flag to only be used as check for firmware notification support instead. Signed-off-by: Bertrand Marquis Reviewed-by: Jens Wiklander --- Changes in v4: - Fix Optee to OP-TEE in commit message - Add Jens R-b Changes in v3: - fix typos in commit message - add spaces around << - move notification id fix back into buffer full patch - fix | position in if Changes in v2: - replace ifdef with IS_ENABLED when possible --- xen/arch/arm/tee/ffa.c | 12 +++- xen/arch/arm/tee/ffa_notif.c | 104 ++++++++++++++++------------------- 2 files changed, 59 insertions(+), 57 deletions(-) diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c index e41ab5f8ada6..0627625efe60 100644 --- a/xen/arch/arm/tee/ffa.c +++ b/xen/arch/arm/tee/ffa.c @@ -324,8 +324,9 @@ static int ffa_domain_init(struct domain *d) struct ffa_ctx *ctx; int ret; - if ( !ffa_fw_version ) + if ( !IS_ENABLED(CONFIG_FFA_VM_TO_VM) && !ffa_fw_version ) return -ENODEV; + /* * We are using the domain_id + 1 as the FF-A ID for VMs as FF-A ID 0 is * reserved for the hypervisor and we only support secure endpoints using @@ -561,6 +562,15 @@ err_no_fw: bitmap_zero(ffa_fw_abi_supported, FFA_ABI_BITMAP_SIZE); printk(XENLOG_WARNING "ARM FF-A No firmware support\n"); + if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) ) + { + INIT_LIST_HEAD(&ffa_teardown_head); + init_timer(&ffa_teardown_timer, ffa_teardown_timer_callback, NULL, 0); + + printk(XENLOG_INFO "ARM FF-A only available between VMs\n"); + return true; + } + return false; } diff --git a/xen/arch/arm/tee/ffa_notif.c b/xen/arch/arm/tee/ffa_notif.c index f6df2f15bb00..86bef6b3b2ab 100644 --- a/xen/arch/arm/tee/ffa_notif.c +++ b/xen/arch/arm/tee/ffa_notif.c @@ -16,7 +16,7 @@ #include "ffa_private.h" -static bool __ro_after_init notif_enabled; +static bool __ro_after_init fw_notif_enabled; static unsigned int __ro_after_init notif_sri_irq; int ffa_handle_notification_bind(struct cpu_user_regs *regs) @@ -27,21 +27,17 @@ int ffa_handle_notification_bind(struct cpu_user_regs *regs) uint32_t bitmap_lo = get_user_reg(regs, 3); uint32_t bitmap_hi = get_user_reg(regs, 4); - if ( !notif_enabled ) - return FFA_RET_NOT_SUPPORTED; - if ( (src_dst & 0xFFFFU) != ffa_get_vm_id(d) ) return FFA_RET_INVALID_PARAMETERS; if ( flags ) /* Only global notifications are supported */ return FFA_RET_DENIED; - /* - * We only support notifications from SP so no need to check the sender - * endpoint ID, the SPMC will take care of that for us. - */ - return ffa_simple_call(FFA_NOTIFICATION_BIND, src_dst, flags, bitmap_lo, - bitmap_hi); + if ( FFA_ID_IS_SECURE(src_dst >> 16) && fw_notif_enabled ) + return ffa_simple_call(FFA_NOTIFICATION_BIND, src_dst, flags, + bitmap_lo, bitmap_hi); + + return FFA_RET_NOT_SUPPORTED; } int ffa_handle_notification_unbind(struct cpu_user_regs *regs) @@ -51,18 +47,14 @@ int ffa_handle_notification_unbind(struct cpu_user_regs *regs) uint32_t bitmap_lo = get_user_reg(regs, 3); uint32_t bitmap_hi = get_user_reg(regs, 4); - if ( !notif_enabled ) - return FFA_RET_NOT_SUPPORTED; - if ( (src_dst & 0xFFFFU) != ffa_get_vm_id(d) ) return FFA_RET_INVALID_PARAMETERS; - /* - * We only support notifications from SP so no need to check the - * destination endpoint ID, the SPMC will take care of that for us. - */ - return ffa_simple_call(FFA_NOTIFICATION_UNBIND, src_dst, 0, bitmap_lo, - bitmap_hi); + if ( FFA_ID_IS_SECURE(src_dst >> 16) && fw_notif_enabled ) + return ffa_simple_call(FFA_NOTIFICATION_UNBIND, src_dst, 0, bitmap_lo, + bitmap_hi); + + return FFA_RET_NOT_SUPPORTED; } void ffa_handle_notification_info_get(struct cpu_user_regs *regs) @@ -71,7 +63,7 @@ void ffa_handle_notification_info_get(struct cpu_user_regs *regs) struct ffa_ctx *ctx = d->arch.tee; bool notif_pending; - if ( !notif_enabled ) + if ( !IS_ENABLED(CONFIG_FFA_VM_TO_VM) && !fw_notif_enabled ) { ffa_set_regs_error(regs, FFA_RET_NOT_SUPPORTED); return; @@ -108,7 +100,7 @@ void ffa_handle_notification_get(struct cpu_user_regs *regs) uint32_t w6 = 0; uint32_t w7 = 0; - if ( !notif_enabled ) + if ( !IS_ENABLED(CONFIG_FFA_VM_TO_VM) && !fw_notif_enabled ) { ffa_set_regs_error(regs, FFA_RET_NOT_SUPPORTED); return; @@ -120,7 +112,8 @@ void ffa_handle_notification_get(struct cpu_user_regs *regs) return; } - if ( flags & ( FFA_NOTIF_FLAG_BITMAP_SP | FFA_NOTIF_FLAG_BITMAP_SPM ) ) + if ( fw_notif_enabled && (flags & ( FFA_NOTIF_FLAG_BITMAP_SP | + FFA_NOTIF_FLAG_BITMAP_SPM )) ) { struct arm_smccc_1_2_regs arg = { .a0 = FFA_NOTIFICATION_GET, @@ -177,15 +170,14 @@ int ffa_handle_notification_set(struct cpu_user_regs *regs) uint32_t bitmap_lo = get_user_reg(regs, 3); uint32_t bitmap_hi = get_user_reg(regs, 4); - if ( !notif_enabled ) - return FFA_RET_NOT_SUPPORTED; - if ( (src_dst >> 16) != ffa_get_vm_id(d) ) return FFA_RET_INVALID_PARAMETERS; - /* Let the SPMC check the destination of the notification */ - return ffa_simple_call(FFA_NOTIFICATION_SET, src_dst, flags, bitmap_lo, - bitmap_hi); + if ( FFA_ID_IS_SECURE(src_dst >> 16) && fw_notif_enabled ) + return ffa_simple_call(FFA_NOTIFICATION_SET, src_dst, flags, bitmap_lo, + bitmap_hi); + + return FFA_RET_NOT_SUPPORTED; } #ifdef CONFIG_FFA_VM_TO_VM @@ -371,7 +363,7 @@ void ffa_notif_init_interrupt(void) { int ret; - if ( notif_enabled && notif_sri_irq < NR_GIC_SGI ) + if ( fw_notif_enabled && notif_sri_irq < NR_GIC_SGI ) { /* * An error here is unlikely since the primary CPU has already @@ -402,41 +394,41 @@ void ffa_notif_init(void) int ret; /* Only enable fw notification if all ABIs we need are supported */ - if ( !(ffa_fw_supports_fid(FFA_NOTIFICATION_BITMAP_CREATE) && - ffa_fw_supports_fid(FFA_NOTIFICATION_BITMAP_DESTROY) && - ffa_fw_supports_fid(FFA_NOTIFICATION_GET) && - ffa_fw_supports_fid(FFA_NOTIFICATION_INFO_GET_64)) ) - return; - - arm_smccc_1_2_smc(&arg, &resp); - if ( resp.a0 != FFA_SUCCESS_32 ) - return; - - irq = resp.a2; - notif_sri_irq = irq; - if ( irq >= NR_GIC_SGI ) - irq_set_type(irq, IRQ_TYPE_EDGE_RISING); - ret = request_irq(irq, 0, notif_irq_handler, "FF-A notif", NULL); - if ( ret ) + if ( ffa_fw_supports_fid(FFA_NOTIFICATION_BITMAP_CREATE) && + ffa_fw_supports_fid(FFA_NOTIFICATION_BITMAP_DESTROY) && + ffa_fw_supports_fid(FFA_NOTIFICATION_GET) && + ffa_fw_supports_fid(FFA_NOTIFICATION_INFO_GET_64) ) { - printk(XENLOG_ERR "ffa: request_irq irq %u failed: error %d\n", - irq, ret); - return; - } + arm_smccc_1_2_smc(&arg, &resp); + if ( resp.a0 != FFA_SUCCESS_32 ) + return; - notif_enabled = true; + irq = resp.a2; + notif_sri_irq = irq; + if ( irq >= NR_GIC_SGI ) + irq_set_type(irq, IRQ_TYPE_EDGE_RISING); + ret = request_irq(irq, 0, notif_irq_handler, "FF-A notif", NULL); + if ( ret ) + { + printk(XENLOG_ERR "ffa: request_irq irq %u failed: error %d\n", + irq, ret); + return; + } + fw_notif_enabled = true; + } } int ffa_notif_domain_init(struct domain *d) { int32_t res; - if ( !notif_enabled ) - return 0; + if ( fw_notif_enabled ) + { - res = ffa_notification_bitmap_create(ffa_get_vm_id(d), d->max_vcpus); - if ( res ) - return -ENOMEM; + res = ffa_notification_bitmap_create(ffa_get_vm_id(d), d->max_vcpus); + if ( res ) + return -ENOMEM; + } return 0; } @@ -447,6 +439,6 @@ void ffa_notif_domain_destroy(struct domain *d) * Call bitmap_destroy even if bitmap create failed as the SPMC will * return a DENIED error that we will ignore. */ - if ( notif_enabled ) + if ( fw_notif_enabled ) ffa_notification_bitmap_destroy(ffa_get_vm_id(d)); }