2 * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
4 * SPDX-License-Identifier: BSD-3-Clause
11 #include <platform_def.h>
13 #include <arch_helpers.h>
15 #include <common/bl_common.h>
16 #include <common/debug.h>
18 #include <drivers/auth/auth_mod.h>
19 #include <lib/el3_runtime/context_mgmt.h>
20 #include <lib/utils.h>
21 #include <plat/common/platform.h>
22 #include <smccc_helpers.h>
24 #include "bl1_private.h"
27 * Function declarations.
29 static int bl1_fwu_image_copy(unsigned int image_id
,
31 unsigned int block_size
,
32 unsigned int image_size
,
34 static int bl1_fwu_image_auth(unsigned int image_id
,
36 unsigned int image_size
,
38 static int bl1_fwu_image_execute(unsigned int image_id
,
41 static register_t
bl1_fwu_image_resume(register_t image_param
,
44 static int bl1_fwu_sec_image_done(void **handle
,
46 static int bl1_fwu_image_reset(unsigned int image_id
,
48 __dead2
static void bl1_fwu_done(void *client_cookie
, void *reserved
);
51 * This keeps track of last executed secure image id.
53 static unsigned int sec_exec_image_id
= INVALID_IMAGE_ID
;
55 /*******************************************************************************
56 * Top level handler for servicing FWU SMCs.
57 ******************************************************************************/
58 register_t
bl1_fwu_smc_handler(unsigned int smc_fid
,
69 case FWU_SMC_IMAGE_COPY
:
70 SMC_RET1(handle
, bl1_fwu_image_copy(x1
, x2
, x3
, x4
, flags
));
72 case FWU_SMC_IMAGE_AUTH
:
73 SMC_RET1(handle
, bl1_fwu_image_auth(x1
, x2
, x3
, flags
));
75 case FWU_SMC_IMAGE_EXECUTE
:
76 SMC_RET1(handle
, bl1_fwu_image_execute(x1
, &handle
, flags
));
78 case FWU_SMC_IMAGE_RESUME
:
79 SMC_RET1(handle
, bl1_fwu_image_resume(x1
, &handle
, flags
));
81 case FWU_SMC_SEC_IMAGE_DONE
:
82 SMC_RET1(handle
, bl1_fwu_sec_image_done(&handle
, flags
));
84 case FWU_SMC_IMAGE_RESET
:
85 SMC_RET1(handle
, bl1_fwu_image_reset(x1
, flags
));
87 case FWU_SMC_UPDATE_DONE
:
88 bl1_fwu_done((void *)x1
, NULL
);
91 assert(0); /* Unreachable */
95 SMC_RET1(handle
, SMC_UNK
);
98 /*******************************************************************************
99 * Utility functions to keep track of the images that are loaded at any time.
100 ******************************************************************************/
102 #ifdef PLAT_FWU_MAX_SIMULTANEOUS_IMAGES
103 #define FWU_MAX_SIMULTANEOUS_IMAGES PLAT_FWU_MAX_SIMULTANEOUS_IMAGES
105 #define FWU_MAX_SIMULTANEOUS_IMAGES 10
108 static int bl1_fwu_loaded_ids
[FWU_MAX_SIMULTANEOUS_IMAGES
] = {
109 [0 ... FWU_MAX_SIMULTANEOUS_IMAGES
-1] = INVALID_IMAGE_ID
113 * Adds an image_id to the bl1_fwu_loaded_ids array.
114 * Returns 0 on success, 1 on error.
116 static int bl1_fwu_add_loaded_id(int image_id
)
120 /* Check if the ID is already in the list */
121 for (i
= 0; i
< FWU_MAX_SIMULTANEOUS_IMAGES
; i
++) {
122 if (bl1_fwu_loaded_ids
[i
] == image_id
)
126 /* Find an empty slot */
127 for (i
= 0; i
< FWU_MAX_SIMULTANEOUS_IMAGES
; i
++) {
128 if (bl1_fwu_loaded_ids
[i
] == INVALID_IMAGE_ID
) {
129 bl1_fwu_loaded_ids
[i
] = image_id
;
138 * Removes an image_id from the bl1_fwu_loaded_ids array.
139 * Returns 0 on success, 1 on error.
141 static int bl1_fwu_remove_loaded_id(int image_id
)
146 for (i
= 0; i
< FWU_MAX_SIMULTANEOUS_IMAGES
; i
++) {
147 if (bl1_fwu_loaded_ids
[i
] == image_id
) {
148 bl1_fwu_loaded_ids
[i
] = INVALID_IMAGE_ID
;
156 /*******************************************************************************
157 * This function checks if the specified image overlaps another image already
158 * loaded. It returns 0 if there is no overlap, a negative error code otherwise.
159 ******************************************************************************/
160 static int bl1_fwu_image_check_overlaps(int image_id
)
162 const image_desc_t
*image_desc
, *checked_image_desc
;
163 const image_info_t
*info
, *checked_info
;
165 uintptr_t image_base
, image_end
;
166 uintptr_t checked_image_base
, checked_image_end
;
168 checked_image_desc
= bl1_plat_get_image_desc(image_id
);
169 checked_info
= &checked_image_desc
->image_info
;
171 /* Image being checked mustn't be empty. */
172 assert(checked_info
->image_size
!= 0);
174 checked_image_base
= checked_info
->image_base
;
175 checked_image_end
= checked_image_base
+ checked_info
->image_size
- 1;
176 /* No need to check for overflows, it's done in bl1_fwu_image_copy(). */
178 for (int i
= 0; i
< FWU_MAX_SIMULTANEOUS_IMAGES
; i
++) {
180 /* Skip INVALID_IMAGE_IDs and don't check image against itself */
181 if ((bl1_fwu_loaded_ids
[i
] == INVALID_IMAGE_ID
) ||
182 (bl1_fwu_loaded_ids
[i
] == image_id
))
185 image_desc
= bl1_plat_get_image_desc(bl1_fwu_loaded_ids
[i
]);
187 /* Only check images that are loaded or being loaded. */
188 assert (image_desc
&& image_desc
->state
!= IMAGE_STATE_RESET
);
190 info
= &image_desc
->image_info
;
192 /* There cannot be overlaps with an empty image. */
193 if (info
->image_size
== 0)
196 image_base
= info
->image_base
;
197 image_end
= image_base
+ info
->image_size
- 1;
199 * Overflows cannot happen. It is checked in
200 * bl1_fwu_image_copy() when the image goes from RESET to
203 assert (image_end
> image_base
);
205 /* Check if there are overlaps. */
206 if (!(image_end
< checked_image_base
||
207 checked_image_end
< image_base
)) {
208 VERBOSE("Image with ID %d overlaps existing image with ID %d",
209 checked_image_desc
->image_id
, image_desc
->image_id
);
217 /*******************************************************************************
218 * This function is responsible for copying secure images in AP Secure RAM.
219 ******************************************************************************/
220 static int bl1_fwu_image_copy(unsigned int image_id
,
222 unsigned int block_size
,
223 unsigned int image_size
,
227 unsigned int remaining
;
229 /* Get the image descriptor. */
230 image_desc_t
*image_desc
= bl1_plat_get_image_desc(image_id
);
232 WARN("BL1-FWU: Invalid image ID %u\n", image_id
);
237 * The request must originate from a non-secure caller and target a
238 * secure image. Any other scenario is invalid.
240 if (GET_SECURITY_STATE(flags
) == SECURE
) {
241 WARN("BL1-FWU: Copy not allowed from secure world.\n");
244 if (GET_SECURITY_STATE(image_desc
->ep_info
.h
.attr
) == NON_SECURE
) {
245 WARN("BL1-FWU: Copy not allowed for non-secure images.\n");
249 /* Check whether the FWU state machine is in the correct state. */
250 if ((image_desc
->state
!= IMAGE_STATE_RESET
) &&
251 (image_desc
->state
!= IMAGE_STATE_COPYING
)) {
252 WARN("BL1-FWU: Copy not allowed at this point of the FWU"
257 if ((!image_src
) || (!block_size
) ||
258 check_uptr_overflow(image_src
, block_size
- 1)) {
259 WARN("BL1-FWU: Copy not allowed due to invalid image source"
264 if (image_desc
->state
== IMAGE_STATE_COPYING
) {
266 * There must have been at least 1 copy operation for this image
269 assert(image_desc
->copied_size
!= 0);
271 * The image size must have been recorded in the 1st copy
274 image_size
= image_desc
->image_info
.image_size
;
275 assert(image_size
!= 0);
276 assert(image_desc
->copied_size
< image_size
);
278 INFO("BL1-FWU: Continuing image copy in blocks\n");
279 } else { /* image_desc->state == IMAGE_STATE_RESET */
280 INFO("BL1-FWU: Initial call to copy an image\n");
283 * image_size is relevant only for the 1st copy request, it is
284 * then ignored for subsequent calls for this image.
287 WARN("BL1-FWU: Copy not allowed due to invalid image"
292 /* Check that the image size to load is within limit */
293 if (image_size
> image_desc
->image_info
.image_max_size
) {
294 WARN("BL1-FWU: Image size out of bounds\n");
298 /* Save the given image size. */
299 image_desc
->image_info
.image_size
= image_size
;
301 /* Make sure the image doesn't overlap other images. */
302 if (bl1_fwu_image_check_overlaps(image_id
)) {
303 image_desc
->image_info
.image_size
= 0;
304 WARN("BL1-FWU: This image overlaps another one\n");
309 * copied_size must be explicitly initialized here because the
310 * FWU code doesn't necessarily do it when it resets the state
313 image_desc
->copied_size
= 0;
317 * If the given block size is more than the total image size
318 * then clip the former to the latter.
320 remaining
= image_size
- image_desc
->copied_size
;
321 if (block_size
> remaining
) {
322 WARN("BL1-FWU: Block size is too big, clipping it.\n");
323 block_size
= remaining
;
326 /* Make sure the source image is mapped in memory. */
327 if (bl1_plat_mem_check(image_src
, block_size
, flags
)) {
328 WARN("BL1-FWU: Source image is not mapped.\n");
332 if (bl1_fwu_add_loaded_id(image_id
)) {
333 WARN("BL1-FWU: Too many images loaded at the same time.\n");
337 /* Allow the platform to handle pre-image load before copying */
338 if (image_desc
->state
== IMAGE_STATE_RESET
) {
339 if (bl1_plat_handle_pre_image_load(image_id
) != 0) {
340 ERROR("BL1-FWU: Failure in pre-image load of image id %d\n",
346 /* Everything looks sane. Go ahead and copy the block of data. */
347 dest_addr
= image_desc
->image_info
.image_base
+ image_desc
->copied_size
;
348 memcpy((void *) dest_addr
, (const void *) image_src
, block_size
);
349 flush_dcache_range(dest_addr
, block_size
);
351 image_desc
->copied_size
+= block_size
;
352 image_desc
->state
= (block_size
== remaining
) ?
353 IMAGE_STATE_COPIED
: IMAGE_STATE_COPYING
;
355 INFO("BL1-FWU: Copy operation successful.\n");
359 /*******************************************************************************
360 * This function is responsible for authenticating Normal/Secure images.
361 ******************************************************************************/
362 static int bl1_fwu_image_auth(unsigned int image_id
,
364 unsigned int image_size
,
369 unsigned int total_size
;
371 /* Get the image descriptor. */
372 image_desc_t
*image_desc
= bl1_plat_get_image_desc(image_id
);
376 if (GET_SECURITY_STATE(flags
) == SECURE
) {
377 if (image_desc
->state
!= IMAGE_STATE_RESET
) {
378 WARN("BL1-FWU: Authentication from secure world "
379 "while in invalid state\n");
383 if (GET_SECURITY_STATE(image_desc
->ep_info
.h
.attr
) == SECURE
) {
384 if (image_desc
->state
!= IMAGE_STATE_COPIED
) {
385 WARN("BL1-FWU: Authentication of secure image "
386 "from non-secure world while not in copied state\n");
390 if (image_desc
->state
!= IMAGE_STATE_RESET
) {
391 WARN("BL1-FWU: Authentication of non-secure image "
392 "from non-secure world while in invalid state\n");
398 if (image_desc
->state
== IMAGE_STATE_COPIED
) {
400 * Image is in COPIED state.
401 * Use the stored address and size.
403 base_addr
= image_desc
->image_info
.image_base
;
404 total_size
= image_desc
->image_info
.image_size
;
406 if ((!image_src
) || (!image_size
) ||
407 check_uptr_overflow(image_src
, image_size
- 1)) {
408 WARN("BL1-FWU: Auth not allowed due to invalid"
409 " image source/size\n");
414 * Image is in RESET state.
415 * Check the parameters and authenticate the source image in place.
417 if (bl1_plat_mem_check(image_src
, image_size
, \
418 image_desc
->ep_info
.h
.attr
)) {
419 WARN("BL1-FWU: Authentication arguments source/size not mapped\n");
423 if (bl1_fwu_add_loaded_id(image_id
)) {
424 WARN("BL1-FWU: Too many images loaded at the same time.\n");
428 base_addr
= image_src
;
429 total_size
= image_size
;
431 /* Update the image size in the descriptor. */
432 image_desc
->image_info
.image_size
= total_size
;
436 * Authenticate the image.
438 INFO("BL1-FWU: Authenticating image_id:%d\n", image_id
);
439 result
= auth_mod_verify_img(image_id
, (void *)base_addr
, total_size
);
441 WARN("BL1-FWU: Authentication Failed err=%d\n", result
);
444 * Authentication has failed.
445 * Clear the memory if the image was copied.
446 * This is to prevent an attack where this contains
447 * some malicious code that can somehow be executed later.
449 if (image_desc
->state
== IMAGE_STATE_COPIED
) {
450 /* Clear the memory.*/
451 zero_normalmem((void *)base_addr
, total_size
);
452 flush_dcache_range(base_addr
, total_size
);
454 /* Indicate that image can be copied again*/
455 image_desc
->state
= IMAGE_STATE_RESET
;
459 * Even if this fails it's ok because the ID isn't in the array.
460 * The image cannot be in RESET state here, it is checked at the
461 * beginning of the function.
463 bl1_fwu_remove_loaded_id(image_id
);
467 /* Indicate that image is in authenticated state. */
468 image_desc
->state
= IMAGE_STATE_AUTHENTICATED
;
470 /* Allow the platform to handle post-image load */
471 result
= bl1_plat_handle_post_image_load(image_id
);
473 ERROR("BL1-FWU: Failure %d in post-image load of image id %d\n",
476 * Panic here as the platform handling of post-image load is
479 plat_error_handler(result
);
483 * Flush image_info to memory so that other
484 * secure world images can see changes.
486 flush_dcache_range((unsigned long)&image_desc
->image_info
,
487 sizeof(image_info_t
));
489 INFO("BL1-FWU: Authentication was successful\n");
494 /*******************************************************************************
495 * This function is responsible for executing Secure images.
496 ******************************************************************************/
497 static int bl1_fwu_image_execute(unsigned int image_id
,
501 /* Get the image descriptor. */
502 image_desc_t
*image_desc
= bl1_plat_get_image_desc(image_id
);
505 * Execution is NOT allowed if:
506 * image_id is invalid OR
507 * Caller is from Secure world OR
508 * Image is Non-Secure OR
509 * Image is Non-Executable OR
510 * Image is NOT in AUTHENTICATED state.
513 (GET_SECURITY_STATE(flags
) == SECURE
) ||
514 (GET_SECURITY_STATE(image_desc
->ep_info
.h
.attr
) == NON_SECURE
) ||
515 (EP_GET_EXE(image_desc
->ep_info
.h
.attr
) == NON_EXECUTABLE
) ||
516 (image_desc
->state
!= IMAGE_STATE_AUTHENTICATED
)) {
517 WARN("BL1-FWU: Execution not allowed due to invalid state/args\n");
521 INFO("BL1-FWU: Executing Secure image\n");
524 /* Save NS-EL1 system registers. */
525 cm_el1_sysregs_context_save(NON_SECURE
);
528 /* Prepare the image for execution. */
529 bl1_prepare_next_image(image_id
);
531 /* Update the secure image id. */
532 sec_exec_image_id
= image_id
;
535 *handle
= cm_get_context(SECURE
);
537 *handle
= smc_get_ctx(SECURE
);
542 /*******************************************************************************
543 * This function is responsible for resuming execution in the other security
545 ******************************************************************************/
546 static register_t
bl1_fwu_image_resume(register_t image_param
,
550 image_desc_t
*image_desc
;
551 unsigned int resume_sec_state
;
552 unsigned int caller_sec_state
= GET_SECURITY_STATE(flags
);
554 /* Get the image descriptor for last executed secure image id. */
555 image_desc
= bl1_plat_get_image_desc(sec_exec_image_id
);
556 if (caller_sec_state
== NON_SECURE
) {
558 WARN("BL1-FWU: Resume not allowed due to no available"
563 /* image_desc must be valid for secure world callers */
567 assert(GET_SECURITY_STATE(image_desc
->ep_info
.h
.attr
) == SECURE
);
568 assert(EP_GET_EXE(image_desc
->ep_info
.h
.attr
) == EXECUTABLE
);
570 if (caller_sec_state
== SECURE
) {
571 assert(image_desc
->state
== IMAGE_STATE_EXECUTED
);
573 /* Update the flags. */
574 image_desc
->state
= IMAGE_STATE_INTERRUPTED
;
575 resume_sec_state
= NON_SECURE
;
577 assert(image_desc
->state
== IMAGE_STATE_INTERRUPTED
);
579 /* Update the flags. */
580 image_desc
->state
= IMAGE_STATE_EXECUTED
;
581 resume_sec_state
= SECURE
;
584 INFO("BL1-FWU: Resuming %s world context\n",
585 (resume_sec_state
== SECURE
) ? "secure" : "normal");
588 /* Save the EL1 system registers of calling world. */
589 cm_el1_sysregs_context_save(caller_sec_state
);
591 /* Restore the EL1 system registers of resuming world. */
592 cm_el1_sysregs_context_restore(resume_sec_state
);
594 /* Update the next context. */
595 cm_set_next_eret_context(resume_sec_state
);
597 *handle
= cm_get_context(resume_sec_state
);
599 /* Update the next context. */
600 cm_set_next_context(cm_get_context(resume_sec_state
));
602 /* Prepare the smc context for the next BL image. */
603 smc_set_next_ctx(resume_sec_state
);
605 *handle
= smc_get_ctx(resume_sec_state
);
610 /*******************************************************************************
611 * This function is responsible for resuming normal world context.
612 ******************************************************************************/
613 static int bl1_fwu_sec_image_done(void **handle
, unsigned int flags
)
615 image_desc_t
*image_desc
;
617 /* Make sure caller is from the secure world */
618 if (GET_SECURITY_STATE(flags
) == NON_SECURE
) {
619 WARN("BL1-FWU: Image done not allowed from normal world\n");
623 /* Get the image descriptor for last executed secure image id */
624 image_desc
= bl1_plat_get_image_desc(sec_exec_image_id
);
626 /* image_desc must correspond to a valid secure executing image */
628 assert(GET_SECURITY_STATE(image_desc
->ep_info
.h
.attr
) == SECURE
);
629 assert(EP_GET_EXE(image_desc
->ep_info
.h
.attr
) == EXECUTABLE
);
630 assert(image_desc
->state
== IMAGE_STATE_EXECUTED
);
632 #if ENABLE_ASSERTIONS
633 int rc
= bl1_fwu_remove_loaded_id(sec_exec_image_id
);
636 bl1_fwu_remove_loaded_id(sec_exec_image_id
);
639 /* Update the flags. */
640 image_desc
->state
= IMAGE_STATE_RESET
;
641 sec_exec_image_id
= INVALID_IMAGE_ID
;
643 INFO("BL1-FWU: Resuming Normal world context\n");
646 * Secure world is done so no need to save the context.
647 * Just restore the Non-Secure context.
649 cm_el1_sysregs_context_restore(NON_SECURE
);
651 /* Update the next context. */
652 cm_set_next_eret_context(NON_SECURE
);
654 *handle
= cm_get_context(NON_SECURE
);
656 /* Update the next context. */
657 cm_set_next_context(cm_get_context(NON_SECURE
));
659 /* Prepare the smc context for the next BL image. */
660 smc_set_next_ctx(NON_SECURE
);
662 *handle
= smc_get_ctx(NON_SECURE
);
667 /*******************************************************************************
668 * This function provides the opportunity for users to perform any
669 * platform specific handling after the Firmware update is done.
670 ******************************************************************************/
671 __dead2
static void bl1_fwu_done(void *client_cookie
, void *reserved
)
673 NOTICE("BL1-FWU: *******FWU Process Completed*******\n");
676 * Call platform done function.
678 bl1_plat_fwu_done(client_cookie
, reserved
);
682 /*******************************************************************************
683 * This function resets an image to IMAGE_STATE_RESET. It fails if the image is
685 ******************************************************************************/
686 static int bl1_fwu_image_reset(unsigned int image_id
, unsigned int flags
)
688 image_desc_t
*image_desc
= bl1_plat_get_image_desc(image_id
);
690 if ((!image_desc
) || (GET_SECURITY_STATE(flags
) == SECURE
)) {
691 WARN("BL1-FWU: Reset not allowed due to invalid args\n");
695 switch (image_desc
->state
) {
697 case IMAGE_STATE_RESET
:
701 case IMAGE_STATE_INTERRUPTED
:
702 case IMAGE_STATE_AUTHENTICATED
:
703 case IMAGE_STATE_COPIED
:
704 case IMAGE_STATE_COPYING
:
706 if (bl1_fwu_remove_loaded_id(image_id
)) {
707 WARN("BL1-FWU: Image reset couldn't find the image ID\n");
711 if (image_desc
->copied_size
) {
712 /* Clear the memory if the image is copied */
713 assert(GET_SECURITY_STATE(image_desc
->ep_info
.h
.attr
) == SECURE
);
715 zero_normalmem((void *)image_desc
->image_info
.image_base
,
716 image_desc
->copied_size
);
717 flush_dcache_range(image_desc
->image_info
.image_base
,
718 image_desc
->copied_size
);
721 /* Reset status variables */
722 image_desc
->copied_size
= 0;
723 image_desc
->image_info
.image_size
= 0;
724 image_desc
->state
= IMAGE_STATE_RESET
;
726 /* Clear authentication state */
727 auth_img_flags
[image_id
] = 0;
731 case IMAGE_STATE_EXECUTED
:
733 assert(0); /* Unreachable */