// SPDX-License-Identifier: GPL-2.0-only
/*
* FF-A v1.0 proxy to filter out invalid memory-sharing SMC calls issued by
* the host. FF-A is a slightly more palatable abbreviation of "Arm Firmware
* Framework for Arm A-profile", which is specified by Arm in document
* number DEN0077.
*
* Copyright (C) 2022 - Google LLC
* Author: Andrew Walbran <qwandor@google.com>
*
* This driver hooks into the SMC trapping logic for the host and intercepts
* all calls falling within the FF-A range. Each call is either:
*
* - Forwarded on unmodified to the SPMD at EL3
* - Rejected as "unsupported"
* - Accompanied by a host stage-2 page-table check/update and reissued
*
* Consequently, any attempts by the host to make guest memory pages
* accessible to the secure world using FF-A will be detected either here
* (in the case that the memory is already owned by the guest) or during
* donation to the guest (in the case that the memory was previously shared
* with the secure world).
*
* To allow the rolling-back of page-table updates and FF-A calls in the
* event of failure, operations involving the RXTX buffers are locked for
* the duration and are therefore serialised.
*/
#include <linux/arm-smccc.h>
#include <linux/arm_ffa.h>
#include <asm/kvm_pkvm.h>
#include <nvhe/ffa.h>
#include <nvhe/mem_protect.h>
#include <nvhe/memory.h>
#include <nvhe/trap_handler.h>
#include <nvhe/spinlock.h>
/*
* "ID value 0 must be returned at the Non-secure physical FF-A instance"
* We share this ID with the host.
*
* NOTE(review): the quoted sentence is presumably taken from the FF-A
* specification (DEN0077, named in the file header) -- confirm the section.
* Because the ID is shared, the endpoint ID by itself does not tell the
* hypervisor and the host apart.
*/
#define HOST_FFA_ID 0
/*
* A buffer to hold the maximum descriptor size we can see from the host,
* which is required when the SPMD returns a fragmented FFA_MEM_RETRIEVE_RESP
* when resolving the handle on the reclaim path.
*
* The allocation and sizing of this buffer are not visible in this part of
* the file. Any code that copies a descriptor or a fragment into @buf is
* expected to check the incoming length against @len first -- TODO confirm
* at the copy sites.
*/
struct kvm_ffa_descriptor_buffer {
/* Start of the descriptor buffer. */
void *buf;
/* Capacity of @buf; presumably in bytes -- confirm against the code that sets it. */
size_t len;
};
/* The single file-scope instance of the descriptor buffer. */
static struct kvm_ffa_descriptor_buffer ffa_desc_buf;
/*
* One RX/TX buffer pair together with a spinlock.
*
* The file header states that operations involving the RXTX buffers are
* locked for their duration so that page-table updates and FF-A calls can
* be rolled back on failure.
*/
struct kvm_ffa_buffers {
/* Spinlock for this pair; presumably held across each RX/TX operation -- confirm at the users. */
hyp_spinlock_t lock;
/*
* TX buffer. For hyp_buffers this is a hypervisor virtual address:
* ffa_map_hyp_buffers() converts it with hyp_virt_to_phys() before passing
* it to FFA_FN64_RXTX_MAP.
*/
void *tx;
/* RX buffer; handled the same way as @tx in ffa_map_hyp_buffers(). */
void *rx;
};
/*
* Note that we don't currently lock these buffers explicitly, instead
* relying on the locking of the host FFA buffers as we only have one
* client.
*
* NOTE(review): "these buffers" reads as the hypervisor's own pair
* (hyp_buffers), which would make host_buffers.lock the lock that
* serialises both pairs -- confirm against the users of the two objects.
*/
static struct kvm_ffa_buffers hyp_buffers;
/* RX/TX pair associated with the host; how it is populated is not visible in this part of the file. */
static struct kvm_ffa_buffers host_buffers;
/*
* FF-A version state. The code that reads and writes these three objects
* is outside this part of the file; presumably version_lock guards the
* other two -- verify before relying on it.
*/
static u32 hyp_ffa_version;
static bool has_version_negotiated;
static hyp_spinlock_t version_lock;
/*
 * Fill *res with an FF-A error response.
 *
 * @res:       result registers to overwrite
 * @ffa_errno: FF-A status code placed in a2
 *
 * Every register other than a0 and a2 is written as zero, so whatever *res
 * held before the call is discarded. ffa_set_retval() copies a0-a17 into
 * the saved register context, so this full overwrite is what keeps earlier
 * contents of *res out of an error reply.
 */
static void ffa_to_smccc_error(struct arm_smccc_1_2_regs *res, u64 ffa_errno)
{
	/* Start from all-zero registers, then set the two that carry the error. */
	struct arm_smccc_1_2_regs err = { 0 };

	err.a0 = FFA_ERROR;
	err.a2 = ffa_errno;
	*res = err;
}
/*
 * Translate an FF-A status into SMCCC result registers.
 *
 * @res:  result registers to overwrite
 * @ret:  FF-A status; FFA_RET_SUCCESS selects the success reply
 * @prop: value reported in a2 on success, ignored on failure
 *
 * On success a0 is FFA_SUCCESS and a2 is @prop; every other register is
 * zero. Any other status is handed to ffa_to_smccc_error(), where the int
 * @ret is implicitly converted to the u64 error argument.
 */
static void ffa_to_smccc_res_prop(struct arm_smccc_1_2_regs *res, int ret, u64 prop)
{
	/* Failure first: the error helper builds the whole reply. */
	if (ret != FFA_RET_SUCCESS) {
		ffa_to_smccc_error(res, ret);
		return;
	}

	*res = (struct arm_smccc_1_2_regs) {
		.a0 = FFA_SUCCESS,
		.a2 = prop,
	};
}
static void ffa_to_smccc_res(struct arm_smccc_1_2_regs *res, int ret)
{
ffa_to_smccc_res_prop(res, ret, 0);
}
/*
 * Copy an SMCCC 1.2 result into a saved register context.
 *
 * @ctxt: saved CPU context whose x0-x17 are overwritten
 * @res:  result registers a0-a17 to copy from
 *
 * All eighteen registers are copied unconditionally. Every field of *res
 * must therefore hold a deliberate value by the time it reaches this
 * function: a field left unset by whoever filled *res would be handed to
 * the caller (the host, going by the file header) as it is.
 */
static void ffa_set_retval(struct kvm_cpu_context *ctxt,
			   struct arm_smccc_1_2_regs *res)
{
/* Saved register x<n> takes the value of result register a<n>. */
#define FFA_RET_TO_REG(n)	(cpu_reg(ctxt, n) = res->a##n)

	FFA_RET_TO_REG(0);
	FFA_RET_TO_REG(1);
	FFA_RET_TO_REG(2);
	FFA_RET_TO_REG(3);
	FFA_RET_TO_REG(4);
	FFA_RET_TO_REG(5);
	FFA_RET_TO_REG(6);
	FFA_RET_TO_REG(7);

	/*
	 * DEN0028C 2.6 requires an SMC32/HVC32 call made from aarch64 to
	 * preserve x8-x30, so ideally x8-x17 would only be written for
	 * 64-bit calls.
	 *
	 * Under FF-A 1.2 the function ID sent by the caller cannot be used
	 * to detect a 32-bit call: the CPU cycle management interfaces
	 * (e.g. FFA_MSG_WAIT, FFA_RUN) are 32-bit only but can have 64-bit
	 * responses.
	 *
	 * FF-A 1.3 introduces 64-bit variants of the CPU cycle management
	 * interfaces and clarifies that SMC32 direct requests complete with
	 * SMC32 direct responses, which *should* allow the caller's function
	 * ID to decide whether x8-x17 are returned.
	 *
	 * The function ID in the response cannot be relied on either.
	 *
	 * So assume SMC64 and send back x0-x17 unconditionally, as the
	 * passthrough code (__kvm_hyp_host_forward_smc) does the same.
	 */
	FFA_RET_TO_REG(8);
	FFA_RET_TO_REG(9);
	FFA_RET_TO_REG(10);
	FFA_RET_TO_REG(11);
	FFA_RET_TO_REG(12);
	FFA_RET_TO_REG(13);
	FFA_RET_TO_REG(14);
	FFA_RET_TO_REG(15);
	FFA_RET_TO_REG(16);
	FFA_RET_TO_REG(17);

#undef FFA_RET_TO_REG
}
/*
 * Decide whether an SMCCC function ID falls inside the FF-A range.
 *
 * @func_id: function ID to classify
 *
 * Returns true only for a fast call in the standard-service owner range
 * whose function number lies within [FFA_MIN_FUNC_NUM, FFA_MAX_FUNC_NUM].
 *
 * This is a range gate only. It does not use any SMC32/SMC64 calling
 * convention check, and it does not say whether a particular ID inside the
 * range is supported. Per the file header, each in-range call is then
 * forwarded, rejected or checked by code outside this function.
 */
static bool is_ffa_call(u64 func_id)
{
	if (!ARM_SMCCC_IS_FAST_CALL(func_id))
		return false;

	if (ARM_SMCCC_OWNER_NUM(func_id) != ARM_SMCCC_OWNER_STANDARD)
		return false;

	/* Both bounds are inclusive. */
	if (ARM_SMCCC_FUNC_NUM(func_id) < FFA_MIN_FUNC_NUM)
		return false;

	return ARM_SMCCC_FUNC_NUM(func_id) <= FFA_MAX_FUNC_NUM;
}
static int ffa_map_hyp_buffers(u64 ffa_page_count)
{
struct arm_smccc_1_2_regs res;
arm_smccc_1_2_smc(&(struct arm_smccc_1_2_regs) {
.a0 = FFA_FN64_RXTX_MAP,
.a1 = hyp_virt_to_phys(hyp_buffers.tx),
.a2 = hyp_virt_to_phys(hyp_buffers.rx),
.a3 = ffa_page_count,
}, &res);