2017-03-08 14:40:23 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
|
|
|
|
|
*
|
2017-05-03 09:38:09 +01:00
|
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
2017-03-08 14:40:23 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <arch.h>
|
|
|
|
|
#include <arch_helpers.h>
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
#include <bl_common.h>
|
|
|
|
|
#include <cassert.h>
|
|
|
|
|
#include <common_def.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <utils.h>
|
2017-08-07 11:20:13 +01:00
|
|
|
#include <utils_def.h>
|
2017-03-08 14:40:23 +00:00
|
|
|
#include <xlat_tables_v2.h>
|
|
|
|
|
#include "../xlat_tables_private.h"
|
|
|
|
|
|
2017-10-25 11:53:25 +01:00
|
|
|
unsigned long long tcr_physical_addr_size_bits(unsigned long long max_addr)
|
2017-03-08 14:40:23 +00:00
|
|
|
{
|
|
|
|
|
/* Physical address can't exceed 48 bits */
|
|
|
|
|
assert((max_addr & ADDR_MASK_48_TO_63) == 0);
|
|
|
|
|
|
|
|
|
|
/* 48 bits address */
|
|
|
|
|
if (max_addr & ADDR_MASK_44_TO_47)
|
|
|
|
|
return TCR_PS_BITS_256TB;
|
|
|
|
|
|
|
|
|
|
/* 44 bits address */
|
|
|
|
|
if (max_addr & ADDR_MASK_42_TO_43)
|
|
|
|
|
return TCR_PS_BITS_16TB;
|
|
|
|
|
|
|
|
|
|
/* 42 bits address */
|
|
|
|
|
if (max_addr & ADDR_MASK_40_TO_41)
|
|
|
|
|
return TCR_PS_BITS_4TB;
|
|
|
|
|
|
|
|
|
|
/* 40 bits address */
|
|
|
|
|
if (max_addr & ADDR_MASK_36_TO_39)
|
|
|
|
|
return TCR_PS_BITS_1TB;
|
|
|
|
|
|
|
|
|
|
/* 36 bits address */
|
|
|
|
|
if (max_addr & ADDR_MASK_32_TO_35)
|
|
|
|
|
return TCR_PS_BITS_64GB;
|
|
|
|
|
|
|
|
|
|
return TCR_PS_BITS_4GB;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-22 15:48:51 +00:00
|
|
|
#if ENABLE_ASSERTIONS
|
2017-03-08 14:40:23 +00:00
|
|
|
/* Physical Address ranges supported in the AArch64 Memory Model */
|
|
|
|
|
static const unsigned int pa_range_bits_arr[] = {
|
|
|
|
|
PARANGE_0000, PARANGE_0001, PARANGE_0010, PARANGE_0011, PARANGE_0100,
|
2017-11-17 09:52:53 +00:00
|
|
|
PARANGE_0101,
|
|
|
|
|
#if ARM_ARCH_AT_LEAST(8, 2)
|
|
|
|
|
PARANGE_0110,
|
|
|
|
|
#endif
|
2017-03-08 14:40:23 +00:00
|
|
|
};
|
|
|
|
|
|
2017-05-31 13:31:48 +01:00
|
|
|
unsigned long long xlat_arch_get_max_supported_pa(void)
|
2017-03-08 14:40:23 +00:00
|
|
|
{
|
|
|
|
|
u_register_t pa_range = read_id_aa64mmfr0_el1() &
|
|
|
|
|
ID_AA64MMFR0_EL1_PARANGE_MASK;
|
|
|
|
|
|
|
|
|
|
/* All other values are reserved */
|
|
|
|
|
assert(pa_range < ARRAY_SIZE(pa_range_bits_arr));
|
|
|
|
|
|
2018-02-16 21:12:58 +00:00
|
|
|
return (1ULL << pa_range_bits_arr[pa_range]) - 1ULL;
|
2017-03-08 14:40:23 +00:00
|
|
|
}
|
2017-03-22 15:48:51 +00:00
|
|
|
#endif /* ENABLE_ASSERTIONS*/
|
2017-03-08 14:40:23 +00:00
|
|
|
|
2017-10-04 16:52:15 +01:00
|
|
|
int is_mmu_enabled_ctx(const xlat_ctx_t *ctx)
|
2017-03-08 14:40:23 +00:00
|
|
|
{
|
2017-10-04 16:52:15 +01:00
|
|
|
if (ctx->xlat_regime == EL1_EL0_REGIME) {
|
|
|
|
|
assert(xlat_arch_current_el() >= 1);
|
|
|
|
|
return (read_sctlr_el1() & SCTLR_M_BIT) != 0;
|
|
|
|
|
} else {
|
|
|
|
|
assert(ctx->xlat_regime == EL3_REGIME);
|
|
|
|
|
assert(xlat_arch_current_el() >= 3);
|
|
|
|
|
return (read_sctlr_el3() & SCTLR_M_BIT) != 0;
|
|
|
|
|
}
|
2017-03-08 14:40:23 +00:00
|
|
|
}
|
|
|
|
|
|
2017-10-04 16:52:15 +01:00
|
|
|
|
2017-02-27 17:23:54 +00:00
|
|
|
void xlat_arch_tlbi_va(uintptr_t va)
|
2017-09-25 15:23:22 +01:00
|
|
|
{
|
|
|
|
|
#if IMAGE_EL == 1
|
|
|
|
|
assert(IS_IN_EL(1));
|
|
|
|
|
xlat_arch_tlbi_va_regime(va, EL1_EL0_REGIME);
|
|
|
|
|
#elif IMAGE_EL == 3
|
|
|
|
|
assert(IS_IN_EL(3));
|
|
|
|
|
xlat_arch_tlbi_va_regime(va, EL3_REGIME);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void xlat_arch_tlbi_va_regime(uintptr_t va, xlat_regime_t xlat_regime)
|
2017-02-27 17:23:54 +00:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Ensure the translation table write has drained into memory before
|
|
|
|
|
* invalidating the TLB entry.
|
|
|
|
|
*/
|
|
|
|
|
dsbishst();
|
|
|
|
|
|
2017-09-25 15:23:22 +01:00
|
|
|
/*
|
|
|
|
|
* This function only supports invalidation of TLB entries for the EL3
|
|
|
|
|
* and EL1&0 translation regimes.
|
|
|
|
|
*
|
|
|
|
|
* Also, it is architecturally UNDEFINED to invalidate TLBs of a higher
|
|
|
|
|
* exception level (see section D4.9.2 of the ARM ARM rev B.a).
|
|
|
|
|
*/
|
|
|
|
|
if (xlat_regime == EL1_EL0_REGIME) {
|
|
|
|
|
assert(xlat_arch_current_el() >= 1);
|
|
|
|
|
tlbivaae1is(TLBI_ADDR(va));
|
|
|
|
|
} else {
|
|
|
|
|
assert(xlat_regime == EL3_REGIME);
|
|
|
|
|
assert(xlat_arch_current_el() >= 3);
|
|
|
|
|
tlbivae3is(TLBI_ADDR(va));
|
|
|
|
|
}
|
2017-02-27 17:23:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void xlat_arch_tlbi_va_sync(void)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* A TLB maintenance instruction can complete at any time after
|
|
|
|
|
* it is issued, but is only guaranteed to be complete after the
|
|
|
|
|
* execution of DSB by the PE that executed the TLB maintenance
|
|
|
|
|
* instruction. After the TLB invalidate instruction is
|
|
|
|
|
* complete, no new memory accesses using the invalidated TLB
|
|
|
|
|
* entries will be observed by any observer of the system
|
|
|
|
|
* domain. See section D4.8.2 of the ARMv8 (issue k), paragraph
|
|
|
|
|
* "Ordering and completion of TLB maintenance instructions".
|
|
|
|
|
*/
|
|
|
|
|
dsbish();
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The effects of a completed TLB maintenance instruction are
|
|
|
|
|
* only guaranteed to be visible on the PE that executed the
|
|
|
|
|
* instruction after the execution of an ISB instruction by the
|
|
|
|
|
* PE that executed the TLB maintenance instruction.
|
|
|
|
|
*/
|
|
|
|
|
isb();
|
|
|
|
|
}
|
|
|
|
|
|
Fix execute-never permissions in xlat tables libs
Translation regimes that only support one virtual address space (such as
the ones for EL2 and EL3) can flag memory regions as execute-never by
setting to 1 the XN bit in the Upper Attributes field in the translation
tables descriptors. Translation regimes that support two different
virtual address spaces (such as the one shared by EL1 and EL0) use bits
PXN and UXN instead.
The Trusted Firmware runs at EL3 and EL1, it has to handle translation
tables of both translation regimes, but the previous code handled both
regimes the same way, as if both had only 1 VA range.
When trying to set a descriptor as execute-never it would set the XN
bit correctly in EL3, but it would set the XN bit in EL1 as well. XN is
at the same bit position as UXN, which means that EL0 was being
prevented from executing code at this region, not EL1 as the code
intended. Therefore, the PXN bit was unset to 0 all the time. The result
is that, in AArch64 mode, read-only data sections of BL2 weren't
protected from being executed.
This patch adds support of translation regimes with two virtual address
spaces to both versions of the translation tables library, fixing the
execute-never permissions for translation tables in EL1.
The library currently does not support initializing translation tables
for EL0 software, therefore it does not set/unset the UXN bit. If EL1
software needs to initialize translation tables for EL0 software, it
should use a different library instead.
Change-Id: If27588f9820ff42988851d90dc92801c8ecbe0c9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2017-04-27 13:30:22 +01:00
|
|
|
int xlat_arch_current_el(void)
|
|
|
|
|
{
|
|
|
|
|
int el = GET_EL(read_CurrentEl());
|
|
|
|
|
|
|
|
|
|
assert(el > 0);
|
|
|
|
|
|
|
|
|
|
return el;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-08 14:40:23 +00:00
|
|
|
/*******************************************************************************
|
|
|
|
|
* Macro generating the code for the function enabling the MMU in the given
|
|
|
|
|
* exception level, assuming that the pagetables have already been created.
|
|
|
|
|
*
|
|
|
|
|
* _el: Exception level at which the function will run
|
|
|
|
|
* _tlbi_fct: Function to invalidate the TLBs at the current
|
|
|
|
|
* exception level
|
|
|
|
|
******************************************************************************/
|
2017-05-31 13:38:51 +01:00
|
|
|
#define DEFINE_ENABLE_MMU_EL(_el, _tlbi_fct) \
|
|
|
|
|
static void enable_mmu_internal_el##_el(int flags, \
|
|
|
|
|
uint64_t mair, \
|
|
|
|
|
uint64_t tcr, \
|
|
|
|
|
uint64_t ttbr) \
|
2017-03-08 14:40:23 +00:00
|
|
|
{ \
|
2017-05-31 13:38:51 +01:00
|
|
|
uint32_t sctlr = read_sctlr_el##_el(); \
|
|
|
|
|
assert((sctlr & SCTLR_M_BIT) == 0); \
|
2017-03-08 14:40:23 +00:00
|
|
|
\
|
|
|
|
|
/* Invalidate TLBs at the current exception level */ \
|
|
|
|
|
_tlbi_fct(); \
|
|
|
|
|
\
|
|
|
|
|
write_mair_el##_el(mair); \
|
|
|
|
|
write_tcr_el##_el(tcr); \
|
2017-08-07 11:20:13 +01:00
|
|
|
\
|
|
|
|
|
/* Set TTBR bits as well */ \
|
|
|
|
|
if (ARM_ARCH_AT_LEAST(8, 2)) { \
|
|
|
|
|
/* Enable CnP bit so as to share page tables */ \
|
|
|
|
|
/* with all PEs. This is mandatory for */ \
|
|
|
|
|
/* ARMv8.2 implementations. */ \
|
|
|
|
|
ttbr |= TTBR_CNP_BIT; \
|
|
|
|
|
} \
|
2017-03-08 14:40:23 +00:00
|
|
|
write_ttbr0_el##_el(ttbr); \
|
|
|
|
|
\
|
|
|
|
|
/* Ensure all translation table writes have drained */ \
|
|
|
|
|
/* into memory, the TLB invalidation is complete, */ \
|
|
|
|
|
/* and translation register writes are committed */ \
|
|
|
|
|
/* before enabling the MMU */ \
|
2017-02-24 11:39:22 +00:00
|
|
|
dsbish(); \
|
2017-03-08 14:40:23 +00:00
|
|
|
isb(); \
|
|
|
|
|
\
|
|
|
|
|
sctlr |= SCTLR_WXN_BIT | SCTLR_M_BIT; \
|
|
|
|
|
if (flags & DISABLE_DCACHE) \
|
|
|
|
|
sctlr &= ~SCTLR_C_BIT; \
|
|
|
|
|
else \
|
|
|
|
|
sctlr |= SCTLR_C_BIT; \
|
|
|
|
|
\
|
|
|
|
|
write_sctlr_el##_el(sctlr); \
|
|
|
|
|
\
|
|
|
|
|
/* Ensure the MMU enable takes effect immediately */ \
|
|
|
|
|
isb(); \
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Define EL1 and EL3 variants of the function enabling the MMU */
|
|
|
|
|
#if IMAGE_EL == 1
|
2017-05-31 13:38:51 +01:00
|
|
|
DEFINE_ENABLE_MMU_EL(1, tlbivmalle1)
|
2017-03-08 14:40:23 +00:00
|
|
|
#elif IMAGE_EL == 3
|
2017-05-31 13:38:51 +01:00
|
|
|
DEFINE_ENABLE_MMU_EL(3, tlbialle3)
|
2017-03-08 14:40:23 +00:00
|
|
|
#endif
|
|
|
|
|
|
2017-05-31 13:31:48 +01:00
|
|
|
void enable_mmu_arch(unsigned int flags,
|
|
|
|
|
uint64_t *base_table,
|
2017-07-11 15:11:10 +01:00
|
|
|
unsigned long long max_pa,
|
|
|
|
|
uintptr_t max_va)
|
2017-03-08 14:40:23 +00:00
|
|
|
{
|
2017-05-31 13:38:51 +01:00
|
|
|
uint64_t mair, ttbr, tcr;
|
|
|
|
|
|
|
|
|
|
/* Set attributes in the right indices of the MAIR. */
|
|
|
|
|
mair = MAIR_ATTR_SET(ATTR_DEVICE, ATTR_DEVICE_INDEX);
|
|
|
|
|
mair |= MAIR_ATTR_SET(ATTR_IWBWA_OWBWA_NTR, ATTR_IWBWA_OWBWA_NTR_INDEX);
|
|
|
|
|
mair |= MAIR_ATTR_SET(ATTR_NON_CACHEABLE, ATTR_NON_CACHEABLE_INDEX);
|
|
|
|
|
|
|
|
|
|
ttbr = (uint64_t) base_table;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set TCR bits as well.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Limit the input address ranges and memory region sizes translated
|
|
|
|
|
* using TTBR0 to the given virtual address space size.
|
|
|
|
|
*/
|
2017-07-11 15:11:10 +01:00
|
|
|
assert(max_va < UINTPTR_MAX);
|
|
|
|
|
uintptr_t virtual_addr_space_size = max_va + 1;
|
|
|
|
|
assert(CHECK_VIRT_ADDR_SPACE_SIZE(virtual_addr_space_size));
|
|
|
|
|
/*
|
2017-07-19 10:11:13 +01:00
|
|
|
* __builtin_ctzll(0) is undefined but here we are guaranteed that
|
2017-07-11 15:11:10 +01:00
|
|
|
* virtual_addr_space_size is in the range [1,UINTPTR_MAX].
|
|
|
|
|
*/
|
2017-07-19 10:11:13 +01:00
|
|
|
tcr = 64 - __builtin_ctzll(virtual_addr_space_size);
|
2017-05-31 13:38:51 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set the cacheability and shareability attributes for memory
|
|
|
|
|
* associated with translation table walks.
|
|
|
|
|
*/
|
|
|
|
|
if (flags & XLAT_TABLE_NC) {
|
|
|
|
|
/* Inner & outer non-cacheable non-shareable. */
|
|
|
|
|
tcr |= TCR_SH_NON_SHAREABLE |
|
|
|
|
|
TCR_RGN_OUTER_NC | TCR_RGN_INNER_NC;
|
|
|
|
|
} else {
|
|
|
|
|
/* Inner & outer WBWA & shareable. */
|
|
|
|
|
tcr |= TCR_SH_INNER_SHAREABLE |
|
|
|
|
|
TCR_RGN_OUTER_WBA | TCR_RGN_INNER_WBA;
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-31 13:31:48 +01:00
|
|
|
/*
|
|
|
|
|
* It is safer to restrict the max physical address accessible by the
|
|
|
|
|
* hardware as much as possible.
|
|
|
|
|
*/
|
2017-10-25 11:53:25 +01:00
|
|
|
unsigned long long tcr_ps_bits = tcr_physical_addr_size_bits(max_pa);
|
2017-05-31 13:31:48 +01:00
|
|
|
|
2017-03-08 14:40:23 +00:00
|
|
|
#if IMAGE_EL == 1
|
|
|
|
|
assert(IS_IN_EL(1));
|
Set TCR_EL1.EPD1 bit to 1
In the S-EL1&0 translation regime we aren't using the higher VA range,
whose translation table base address is held in TTBR1_EL1. The bit
TCR_EL1.EPD1 can be used to disable translations using TTBR1_EL1, but
the code wasn't setting it to 1. Additionally, other fields in TCR1_EL1
associated with the higher VA range (TBI1, TG1, SH1, ORGN1, IRGN1 and
A1) weren't set correctly as they were left as 0. In particular, 0 is a
reserved value for TG1. Also, TBBR1_EL1 was not explicitly set and its
reset value is UNKNOWN.
Therefore memory accesses to the higher VA range would result in
unpredictable behaviour as a translation table walk would be attempted
using an UNKNOWN value in TTBR1_EL1.
On the FVP and Juno platforms accessing the higher VA range resulted in
a translation fault, but this may not always be the case on all
platforms.
This patch sets the bit TCR_EL1.EPD1 to 1 so that any kind of
unpredictable behaviour is prevented.
This bug only affects the AArch64 version of the code, the AArch32
version sets this bit to 1 as expected.
Change-Id: I481c000deda5bc33a475631301767b9e0474a303
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2017-09-15 10:30:34 +01:00
|
|
|
/*
|
|
|
|
|
* TCR_EL1.EPD1: Disable translation table walk for addresses that are
|
|
|
|
|
* translated using TTBR1_EL1.
|
|
|
|
|
*/
|
|
|
|
|
tcr |= TCR_EPD1_BIT | (tcr_ps_bits << TCR_EL1_IPS_SHIFT);
|
2017-05-31 13:38:51 +01:00
|
|
|
enable_mmu_internal_el1(flags, mair, tcr, ttbr);
|
2017-03-08 14:40:23 +00:00
|
|
|
#elif IMAGE_EL == 3
|
|
|
|
|
assert(IS_IN_EL(3));
|
2017-05-31 13:38:51 +01:00
|
|
|
tcr |= TCR_EL3_RES1 | (tcr_ps_bits << TCR_EL3_PS_SHIFT);
|
|
|
|
|
enable_mmu_internal_el3(flags, mair, tcr, ttbr);
|
2017-03-08 14:40:23 +00:00
|
|
|
#endif
|
|
|
|
|
}
|
