tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
audk/ArmPkg/Library/StandaloneMmMmuLib/ArmMmuStandaloneMmLib.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

461 lines
13 KiB
C
Raw Normal View History

ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
/** @file
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
File managing the MMU for ARMv8 architecture in S-EL0
ArmPkg/IndustryStandard: Change naming convention in ArmMmSvc.h Change naming convention in ArmMmSvc.h with MM to SPM_MM This would make it clear to discern ABI protocol used to communicate with secure partition. Continuous-integration-options: PatchCheck.ignore-multi-package Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-07-30 12:56:46 +02:00
Copyright (c) 2017 - 2024, Arm Limited. All rights reserved.<BR>
ArmPkg: prepare 32bit ARM build of StandaloneMmPkg Changes in ArmPkg to prepare building StandaloneMm firmware for 32bit Arm architectures. Adds ArmmmuStandaloneMmLib library to the list of the standard components build for ArmPkg on when ARM architectures. Changes path of source file AArch64/ArmMmuStandaloneMmLib.c and compile it for both 32bit and 64bit architectures. Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2021-08-09 17:19:43 +02:00
Copyright (c) 2021, Linaro Limited
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
SPDX-License-Identifier: BSD-2-Clause-Patent
@par Reference(s):
- [1] SPM based on the MM interface.
(https://trustedfirmware-a.readthedocs.io/en/latest/components/
secure-partition-manager-mm.html)
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
- [2] Arm Firmware Framework for Armv8-A, DEN0077, version 1.2
(https://developer.arm.com/documentation/den0077/latest/)
- [3] FF-A Memory Management Protocol, DEN0140, version 1.2
(https://developer.arm.com/documentation/den0140/latest/)
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
**/
#include <Uefi.h>
#include <IndustryStandard/ArmMmSvc.h>
ArmPkg: Use FF-A header file in Standalone MM Arm MMU library Add the FF-A header for invoking the mmu functions using FF-A calls as the transport mechanism. Support for invoking the functions through FF-A will be added in a subsequent patch. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org>
2021-02-19 07:36:03 +01:00
#include <IndustryStandard/ArmFfaSvc.h>
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
#include <Library/ArmLib.h>
#include <Library/ArmMmuLib.h>
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
#include <Library/ArmFfaLib.h>
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
#include <Library/ArmSvcLib.h>
#include <Library/BaseLib.h>
ArmPkg: Fix Ecc error 5007 in StandaloneMmMmuLib This patch fixes the following Ecc reported error: There should be no initialization of a variable as part of its declaration Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
2020-12-10 14:14:49 +01:00
#include <Library/BaseMemoryLib.h>
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
#include <Library/DebugLib.h>
ArmPkg: Allow FF-A calls to get memory region's attributes Allow getting memory region's permissions using either of the Firmware Framework(FF-A) ABI transport or through the earlier used SVC calls. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Co-developed-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org>
2021-02-19 07:36:04 +01:00
#include <Library/PcdLib.h>
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
/**
Utility function to determine whether ABIs in FF-A to set and get
memory permissions can be used. Ideally, this should be invoked once in the
library constructor and set a flag that can be used at runtime. However, the
StMM Core invokes this library before constructors are called and before the
StMM image itself is relocated.
@retval TRUE Use FF-A MemPerm ABIs.
@retval FALSE Use MM MemPerm ABIs.
**/
STATIC
BOOLEAN
EFIAPI
IsFfaMemoryAbiSupported (
IN VOID
)
{
EFI_STATUS Status;
UINT16 CurrentMajorVersion;
UINT16 CurrentMinorVersion;
Status = ArmFfaLibGetVersion (
ARM_FFA_MAJOR_VERSION,
ARM_FFA_MINOR_VERSION,
&CurrentMajorVersion,
&CurrentMinorVersion
);
if (EFI_ERROR (Status)) {
return FALSE;
}
return TRUE;
}
ArmPkg/StandaloneMmMmuLib: Introduce a SPM_MM status helper fucntion Introduce a new helper function SpmMmStatusToEfiStatus() to convert the SPM_MM status values to EFI_STATUS values. Signed-off-by: Levi yun <yeoreum.yun@arm.com>
2024-12-23 19:36:00 +01:00
/**
Convert FFA return code to EFI_STATUS.
@param [in] SpmMmStatus SPM_MM return code
@retval EFI_STATUS correspond EFI_STATUS to SpmMmStatus
**/
STATIC
EFI_STATUS
SpmMmStatusToEfiStatus (
IN UINTN SpmMmStatus
)
{
switch (SpmMmStatus) {
case ARM_SPM_MM_RET_SUCCESS:
return EFI_SUCCESS;
case ARM_SPM_MM_RET_INVALID_PARAMS:
return EFI_INVALID_PARAMETER;
case ARM_SPM_MM_RET_DENIED:
return EFI_ACCESS_DENIED;
case ARM_SPM_MM_RET_NO_MEMORY:
return EFI_OUT_OF_RESOURCES;
default:
return EFI_UNSUPPORTED;
}
}
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
/** Send a request the target to get/set the memory permission.
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
@param [in] UseFfaAbis Use FF-A abis or not.
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
@param [in, out] SvcArgs Pointer to SVC arguments to send. On
return it contains the response parameters.
@param [out] RetVal Pointer to return the response value.
@retval EFI_SUCCESS Request successfull.
@retval EFI_INVALID_PARAMETER A parameter is invalid.
@retval EFI_NOT_READY Callee is busy or not in a state to handle
this request.
@retval EFI_UNSUPPORTED This function is not implemented by the
callee.
@retval EFI_ABORTED Message target ran into an unexpected error
and has aborted.
@retval EFI_ACCESS_DENIED Access denied.
@retval EFI_OUT_OF_RESOURCES Out of memory to perform operation.
**/
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
STATIC
EFI_STATUS
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
SendMemoryPermissionRequest (
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
IN BOOLEAN UseFfaAbis,
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
IN OUT ARM_SVC_ARGS *SvcArgs,
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
OUT INT32 *RetVal
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
)
{
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
if ((SvcArgs == NULL) || (RetVal == NULL)) {
return EFI_INVALID_PARAMETER;
ArmPkg: Allow FF-A calls to get memory region's attributes Allow getting memory region's permissions using either of the Firmware Framework(FF-A) ABI transport or through the earlier used SVC calls. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Co-developed-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org>
2021-02-19 07:36:04 +01:00
}
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
ArmCallSvc (SvcArgs);
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
if (UseFfaAbis) {
if (IS_FID_FFA_ERROR (SvcArgs->Arg0)) {
return FfaStatusToEfiStatus (SvcArgs->Arg2);
ArmPkg: Allow FF-A calls to get memory region's attributes Allow getting memory region's permissions using either of the Firmware Framework(FF-A) ABI transport or through the earlier used SVC calls. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Co-developed-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org>
2021-02-19 07:36:04 +01:00
}
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
*RetVal = SvcArgs->Arg2;
} else {
// Check error response from Callee.
ArmPkg: Correct small typos The 'cspell' CI test detected some small typos in ArmPkg. Correct them. Cc: Bret Barkelew <bret.barkelew@microsoft.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Sami Mujawar <sami.mujawar@arm.com> Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
2021-04-20 16:25:17 +02:00
// Bit 31 set means there is an error returned
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
// See [1], Section 13.5.5.1 MM_SP_MEMORY_ATTRIBUTES_GET_AARCH64 and
// Section 13.5.5.2 MM_SP_MEMORY_ATTRIBUTES_SET_AARCH64.
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
if ((SvcArgs->Arg0 & BIT31) != 0) {
return SpmMmStatusToEfiStatus (SvcArgs->Arg0);
}
*RetVal = SvcArgs->Arg0;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
}
return EFI_SUCCESS;
}
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
/** Request the permission attributes of a memory region from S-EL0.
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
@param [in] UseFfaAbis Use FF-A abis or not.
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
@param [in] BaseAddress Base address for the memory region.
@param [out] MemoryAttributes Pointer to return the memory attributes.
@retval EFI_SUCCESS Request successfull.
@retval EFI_INVALID_PARAMETER A parameter is invalid.
@retval EFI_NOT_READY Callee is busy or not in a state to handle
this request.
@retval EFI_UNSUPPORTED This function is not implemented by the
callee.
@retval EFI_ABORTED Message target ran into an unexpected error
and has aborted.
@retval EFI_ACCESS_DENIED Access denied.
@retval EFI_OUT_OF_RESOURCES Out of memory to perform operation.
**/
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
STATIC
EFI_STATUS
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
GetMemoryPermissions (
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
IN BOOLEAN UseFfaAbis,
IN EFI_PHYSICAL_ADDRESS BaseAddress,
OUT UINT32 *MemoryAttributes
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
)
{
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
EFI_STATUS Status;
ArmPkg: Allow FF-A calls to set memory region's attributes Allow setting memory region's permissions using either of the Firmware Framework(FF-A) ABI transport or through the earlier used SVC calls. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Co-developed-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org>
2021-02-19 07:36:05 +01:00
INT32 Ret;
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
ARM_SVC_ARGS SvcArgs;
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
UINTN Fid;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
if (MemoryAttributes == NULL) {
return EFI_INVALID_PARAMETER;
ArmPkg: Allow FF-A calls to set memory region's attributes Allow setting memory region's permissions using either of the Firmware Framework(FF-A) ABI transport or through the earlier used SVC calls. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Co-developed-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Acked-by: Ard Biesheuvel <ardb@kernel.org>
2021-02-19 07:36:05 +01:00
}
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
// Prepare the message parameters.
// See [1], Section 13.5.5.1 MM_SP_MEMORY_ATTRIBUTES_GET_AARCH64.
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
// See [3], Section 2.8 FFA_MEM_PERM_GET
Fid = (UseFfaAbis) ? ARM_FID_FFA_MEM_PERM_GET : ARM_FID_SPM_MM_SP_GET_MEM_ATTRIBUTES;
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
ZeroMem (&SvcArgs, sizeof (ARM_SVC_ARGS));
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
SvcArgs.Arg0 = Fid;
SvcArgs.Arg1 = BaseAddress;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
Status = SendMemoryPermissionRequest (UseFfaAbis, &SvcArgs, &Ret);
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
if (EFI_ERROR (Status)) {
*MemoryAttributes = 0;
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
} else {
*MemoryAttributes = Ret;
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
}
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
return Status;
}
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
/** Request the permission attributes of the S-EL0 memory region to be updated.
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
@param [in] UseFfaAbis Use FF-A abis or not.
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
@param [in] BaseAddress Base address for the memory region.
@param [in] Length Length of the memory region.
@param [in] Permissions Memory access controls attributes.
@retval EFI_SUCCESS Request successfull.
@retval EFI_INVALID_PARAMETER A parameter is invalid.
@retval EFI_NOT_READY Callee is busy or not in a state to handle
this request.
@retval EFI_UNSUPPORTED This function is not implemented by the
callee.
@retval EFI_ABORTED Message target ran into an unexpected error
and has aborted.
@retval EFI_ACCESS_DENIED Access denied.
@retval EFI_OUT_OF_RESOURCES Out of memory to perform operation.
**/
STATIC
EFI_STATUS
RequestMemoryPermissionChange (
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
IN BOOLEAN UseFfaAbis,
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
IN EFI_PHYSICAL_ADDRESS BaseAddress,
IN UINT64 Length,
IN UINT32 Permissions
)
{
INT32 Ret;
ARM_SVC_ARGS SvcArgs;
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
UINTN Fid;
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
// Prepare the message parameters.
// See [1], Section 13.5.5.2 MM_SP_MEMORY_ATTRIBUTES_SET_AARCH64.
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
// See [3], Section 2.9 FFA_MEM_PERM_SET
Fid = (UseFfaAbis) ? ARM_FID_FFA_MEM_PERM_SET : ARM_FID_SPM_MM_SP_SET_MEM_ATTRIBUTES;
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
ZeroMem (&SvcArgs, sizeof (ARM_SVC_ARGS));
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
SvcArgs.Arg0 = Fid;
SvcArgs.Arg1 = BaseAddress;
SvcArgs.Arg2 = EFI_SIZE_TO_PAGES (Length);
SvcArgs.Arg3 = Permissions;
return SendMemoryPermissionRequest (UseFfaAbis, &SvcArgs, &Ret);
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
}
EFI_STATUS
ArmSetMemoryRegionNoExec (
IN EFI_PHYSICAL_ADDRESS BaseAddress,
IN UINT64 Length
)
{
EFI_STATUS Status;
UINT32 MemoryAttributes;
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
UINT32 PermissionRequest;
BOOLEAN UseFfaAbis;
UINTN Size;
UseFfaAbis = IsFfaMemoryAbiSupported ();
Size = EFI_PAGE_SIZE;
while (Length > 0) {
Status = GetMemoryPermissions (UseFfaAbis, BaseAddress, &MemoryAttributes);
if (EFI_ERROR (Status)) {
break;
}
if (UseFfaAbis) {
PermissionRequest = ARM_FFA_SET_MEM_ATTR_MAKE_PERM_REQUEST (
MemoryAttributes,
ARM_FFA_SET_MEM_ATTR_CODE_PERM_XN
);
} else {
PermissionRequest = ARM_SPM_MM_SET_MEM_ATTR_MAKE_PERM_REQUEST (
MemoryAttributes,
ARM_SPM_MM_SET_MEM_ATTR_CODE_PERM_XN
);
}
if (Length < Size) {
Length = Size;
}
Status = RequestMemoryPermissionChange (
UseFfaAbis,
BaseAddress,
Size,
PermissionRequest
);
if (EFI_ERROR (Status)) {
return Status;
}
Length -= Size;
BaseAddress += Size;
} // while
ArmPkg: Apply uncrustify changes REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737 Apply uncrustify changes to .c/.h files in the ArmPkg package Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Andrew Fish <afish@apple.com>
2021-12-05 23:53:50 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
return Status;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
}
EFI_STATUS
ArmClearMemoryRegionNoExec (
IN EFI_PHYSICAL_ADDRESS BaseAddress,
IN UINT64 Length
)
{
EFI_STATUS Status;
UINT32 MemoryAttributes;
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
UINT32 PermissionRequest;
BOOLEAN UseFfaAbis;
UINTN Size;
UseFfaAbis = IsFfaMemoryAbiSupported ();
Size = EFI_PAGE_SIZE;
while (Length > 0) {
Status = GetMemoryPermissions (UseFfaAbis, BaseAddress, &MemoryAttributes);
if (EFI_ERROR (Status)) {
break;
}
if (UseFfaAbis) {
PermissionRequest = ARM_FFA_SET_MEM_ATTR_MAKE_PERM_REQUEST (
MemoryAttributes,
ARM_FFA_SET_MEM_ATTR_CODE_PERM_X
);
} else {
PermissionRequest = ARM_SPM_MM_SET_MEM_ATTR_MAKE_PERM_REQUEST (
MemoryAttributes,
ARM_SPM_MM_SET_MEM_ATTR_CODE_PERM_X
);
}
if (Length < Size) {
Length = Size;
}
Status = RequestMemoryPermissionChange (
UseFfaAbis,
BaseAddress,
Size,
PermissionRequest
);
if (EFI_ERROR (Status)) {
return Status;
}
Length -= Size;
BaseAddress += Size;
} // while
ArmPkg: Apply uncrustify changes REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737 Apply uncrustify changes to .c/.h files in the ArmPkg package Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Andrew Fish <afish@apple.com>
2021-12-05 23:53:50 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
return Status;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
}
EFI_STATUS
ArmSetMemoryRegionReadOnly (
IN EFI_PHYSICAL_ADDRESS BaseAddress,
IN UINT64 Length
)
{
EFI_STATUS Status;
UINT32 MemoryAttributes;
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
UINT32 PermissionRequest;
BOOLEAN UseFfaAbis;
UINTN Size;
UseFfaAbis = IsFfaMemoryAbiSupported ();
Size = EFI_PAGE_SIZE;
while (Length > 0) {
Status = GetMemoryPermissions (UseFfaAbis, BaseAddress, &MemoryAttributes);
if (EFI_ERROR (Status)) {
break;
}
if (UseFfaAbis) {
PermissionRequest = ARM_FFA_SET_MEM_ATTR_MAKE_PERM_REQUEST (
ARM_FFA_SET_MEM_ATTR_DATA_PERM_RO,
(MemoryAttributes >> ARM_FFA_SET_MEM_ATTR_CODE_PERM_SHIFT)
);
} else {
PermissionRequest = ARM_SPM_MM_SET_MEM_ATTR_MAKE_PERM_REQUEST (
ARM_SPM_MM_SET_MEM_ATTR_DATA_PERM_RO,
(MemoryAttributes >> ARM_SPM_MM_SET_MEM_ATTR_CODE_PERM_SHIFT)
);
}
if (Length < Size) {
Length = Size;
}
Status = RequestMemoryPermissionChange (
UseFfaAbis,
BaseAddress,
Size,
PermissionRequest
);
if (EFI_ERROR (Status)) {
return Status;
}
Length -= Size;
BaseAddress += Size;
} // while
ArmPkg: Apply uncrustify changes REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737 Apply uncrustify changes to .c/.h files in the ArmPkg package Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Andrew Fish <afish@apple.com>
2021-12-05 23:53:50 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
return Status;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
}
EFI_STATUS
ArmClearMemoryRegionReadOnly (
IN EFI_PHYSICAL_ADDRESS BaseAddress,
IN UINT64 Length
)
{
EFI_STATUS Status;
UINT32 MemoryAttributes;
UINT32 PermissionRequest;
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
BOOLEAN UseFfaAbis;
UINTN Size;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
ArmPkg/Library: Update StandaloneMmuLib with FF-A v1.2 with page granulirty The StandaloneMm implementation for Arm sets up the stack in the early startup code using the data section reserved in the assembly code. When TF-A loads the StandaloneMM binary in the DRAM it maps the entire StandaloneMM memory region as Read Only. Therefore, the initial startup assembly code updates the mem permissions of the stack region to Read Write. However, when the StandaloneMmCore is loaded the function UpdateMmFoundationPeCoffPermissions() starts applying the memory permissions based on the PE COFF sections as below: A. If the section is not executable, it first removes the executable permission of the section by calling TextUpdate(). TextUpdate() is the StandaloneMM MMU library function ArmSetMemoryRegionNoExec(). B. It then checks if the section is writable, and if it is it calls ReadWriteUpdater(), which invokes the StandaloneMM MMU library function ArmClearMemoryRegionReadOnly() to make the section writable. However, this results in the stack being made read-only between A and B. To understand this please see the following flow. 1. TF-A sets the entire StandaloneMM region as Read Only. 2. The stack is reserved in the data section by the early assembly entry point code. +--------------------+ <--- Start of Data Section | | | Data Section | | | | +----------------+ | <--- Stack region | | Stack | | | +----------------+ | | | +--------------------+ 3. The StanaloneMM early entry point code updates the attributes of the stack to Read Write. 4. When UpdateMmFoundationPeCoffPermissions() sets the permission of the data section to remove the Execute attribute, it calls ArmSetMemoryRegionNoExec(). 5. The ArmSetMemoryRegionNoExec() implementation gets the attributes of the first granule which is at the start of the data section, then clears the execute permission and applies the attribute for the entire data section. 6. Since TF-A has mapped the entire section as read only the first granule of the data section is read only and therefore the stack region attributes are changed to Read Only no execute. 7. Since the stack is read only after point A any updates to the stack result in an exception. To resolve this issue with update the library with FF-A v1.2, get/set memory permission per page unit. Links: https://developer.arm.com/documentation/den0140/latest/ [0] Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
2024-08-20 17:54:40 +02:00
UseFfaAbis = IsFfaMemoryAbiSupported ();
Size = EFI_PAGE_SIZE;
while (Length > 0) {
Status = GetMemoryPermissions (UseFfaAbis, BaseAddress, &MemoryAttributes);
if (EFI_ERROR (Status)) {
break;
}
if (UseFfaAbis) {
PermissionRequest = ARM_FFA_SET_MEM_ATTR_MAKE_PERM_REQUEST (
ARM_FFA_SET_MEM_ATTR_DATA_PERM_RW,
(MemoryAttributes >> ARM_FFA_SET_MEM_ATTR_CODE_PERM_SHIFT)
);
} else {
PermissionRequest = ARM_SPM_MM_SET_MEM_ATTR_MAKE_PERM_REQUEST (
ARM_SPM_MM_SET_MEM_ATTR_DATA_PERM_RW,
(MemoryAttributes >> ARM_SPM_MM_SET_MEM_ATTR_CODE_PERM_SHIFT)
);
}
if (Length < Size) {
Length = Size;
}
Status = RequestMemoryPermissionChange (
UseFfaAbis,
BaseAddress,
Size,
PermissionRequest
);
if (EFI_ERROR (Status)) {
return Status;
}
Length -= Size;
BaseAddress += Size;
} // while
ArmPkg: Apply uncrustify changes REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737 Apply uncrustify changes to .c/.h files in the ArmPkg package Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Andrew Fish <afish@apple.com>
2021-12-05 23:53:50 +01:00
ArmPkg: Fix uninitialised variable in ArmMmuStandaloneMmLib The following patches added support for StandaloneMM using FF-A: 9da5ee116a28 ArmPkg: Allow FF-A calls to set memory region's attributes 0e43e02b9bd8 ArmPkg: Allow FF-A calls to get memory region's attributes However, in the error handling logic for the Get/Set Memory attributes, the CLANG compiler reports that a status variable could be used without initialisation. This issue is a false positive and is not seen with GCC. The Get/Set Memory attributes operation is atomic and therefore an FFA_INTERRUPT or FFA_SUCCESS response is not expected in response to FFA_MSG_SEND_DIRECT_REQ. So the remaining cases that could occur are: - the target sends FFA_MSG_SEND_DIRECT_RESP with a success or failure code. or - FFA_MSG_SEND_DIRECT_REQ transmission failure. Therefore, - reorder the error handling conditions such that it prevents the uninitialised variable issue being flagged by CLANG. - move the repetitive code to a static helper function and add documentation at the appropriate places. - fix error handling in functions that invoke GetMemoryPermissions(). Signed-off-by: Sami Mujawar <sami.mujawar@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
2021-02-25 18:11:10 +01:00
return Status;
ArmPkg/ArmMmuLib: Add MMU Library suitable for use in S-EL0. The Standalone MM environment runs in S-EL0 in AArch64 on ARM Standard Platforms. Privileged firmware e.g. ARM Trusted Firmware sets up its architectural context including the initial translation tables for the S-EL1/EL0 translation regime. The MM environment will still request ARM TF to change the memory attributes of memory regions during initialization. The Standalone MM image is a FV that encapsulates the MM foundation and drivers. These are PE-COFF images with data and text segments. To initialise the MM environment, Arm Trusted Firmware has to create translation tables with sane default attributes for the memory occupied by the FV. This library sends SVCs to ARM Trusted Firmware to request memory permissions change for data and text segments. This patch adds a simple MMU library suitable for execution in S-EL0 and requesting memory permissions change operations from Arm Trusted Firmware. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2018-11-27 11:43:57 +01:00
}