热门标签
热门文章
- 1Docker容器与虚拟化技术:OpenEuler 部署 docker容器应用
- 2存储xss实现获取cookie(本地实战)
- 3基于ESP32搭建物联网服务器四(最简单的WEB服务器)_espasyncwebserver
- 4Mac OS X开机启动Path had bad permissions错误解决方案_macos系统 load failed: 122: path had bad ownership/p
- 5网络原理 | 协议分层(OSI七层模型、TCP/IP五层模型)、封装和分用_网络分层及协议
- 6python离线安装第三方库whl_详细说明如何在pycharm不联网的情况下,离线安装第三方库及依赖包(如sklearn)...
- 7在eclipse导入SSH项目_eclipse导入运行ssh项目
- 8用QT实现学生教师登录系统
- 9element-ui的表格实现无限滚动效果_elementui table表格滚动方法可以重复滚动
- 10问题是缺失libgtkglext-x11-1._libgtkglext1
当前位置: article > 正文
【ARM64 ATF 系列 2 -- ATF SMC 异常处理流程 2】_smc同步异常详解
作者:知新_RL | 2024-02-22 11:43:20
赞
踩
smc同步异常详解
SMC 触发及处理
Linux kernel 运行在 Non-Secure EL1,如果要进入TEE,首先需要调用汇编指令 smc 进入 EL3,由 monitor(ATF)来完成 Non-Secure world到 Secure world的切换。在 mtk 平台上函数 mt_secure_call 是进入EL3 的入口函数,它调用 smc 指令并通过x0~x3传入四个参数。其中x0中是多个位域的一个编码,根据它可以找到哪个service以及service中的哪一项服务。
static noinline int mt_secure_call(u64 function_id, u64 arg0, u64 arg1, u64 arg2)
{
register u64 reg0 __asm__("x0") = function_id;
register u64 reg1 __asm__("x1") = arg0;
register u64 reg2 __asm__("x2") = arg1;
register u64 reg3 __asm__("x3") = arg2;
int ret = 0;
asm volatile ("smc #0\n" : "+r" (reg0) :"r"(reg1), "r"(reg2), "r"(reg3));
ret = (int)reg0;
return ret;
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
前面运行指令smc触发一个同步异常,进入EL3异常向量表对应同步异常入口,如下(bl31/aarch64/runtime_exceptions.S)
/* ---------------------------------------------------------------------
* The following code handles secure monitor calls.
* Depending upon the execution state from where the SMC has been
* invoked, it frees some general purpose registers to perform the
* remaining tasks. They involve finding the runtime service handler
* that is the target of the SMC & switching to runtime stacks (SP_EL0)
* before calling the handler.
*
* Note that x30 has been explicitly saved and can be used here
* ---------------------------------------------------------------------
*/
func smc_handler
smc_handler32:
/* Check whether aarch32 issued an SMC64 */
tbnz x0, #FUNCID_CC_SHIFT, smc_prohibited
smc_handler64:
/* NOTE: The code below must preserve x0-x4 */
/*
* Save general purpose and ARMv8.3-PAuth registers (if enabled).
* If Secure Cycle Counter is not disabled in MDCR_EL3 when
* ARMv8.5-PMU is implemented, save PMCR_EL0 and disable Cycle Counter.
* Also set the PSTATE to a known state.
*/
bl prepare_el3_entry
#if ENABLE_PAUTH
/* Load and program APIAKey firmware key */
bl pauth_load_bl31_apiakey
#endif
/*
* Populate the parameters for the SMC handler.
* We already have x0-x4 in place. x5 will point to a cookie (not used
* now). x6 will point to the context structure (SP_EL3) and x7 will
* contain flags we need to pass to the handler.
*/
mov x5, xzr
mov x6, sp
/*
* Restore the saved C runtime stack value which will become the new
* SP_EL0 i.e. EL3 runtime stack. It was saved in the 'cpu_context'
* structure prior to the last ERET from EL3.
*/
ldr x12, [x6, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP]
/* Switch to SP_EL0 */
msr spsel, #MODE_SP_EL0
/*
* Save the SPSR_EL3, ELR_EL3, & SCR_EL3 in case there is a world
* switch during SMC handling.
* TODO: Revisit if all system registers can be saved later.
*/
mrs x16, spsr_el3
mrs x17, elr_el3
mrs x18, scr_el3
stp x16, x17, [x6, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3]
str x18, [x6, #CTX_EL3STATE_OFFSET + CTX_SCR_EL3]
/* Clear flag register */
mov x7, xzr
#if ENABLE_RME
/* Copy SCR_EL3.NSE bit to the flag to indicate caller's security */
ubfx x7, x18, #SCR_NSE_SHIFT, 1
/*
* Shift copied SCR_EL3.NSE bit by 5 to create space for
* SCR_EL3.NS bit. Bit 5 of the flag correspondes to
* the SCR_EL3.NSE bit.
*/
lsl x7, x7, #5
#endif /* ENABLE_RME */
/* Copy SCR_EL3.NS bit to the flag to indicate caller's security */
bfi x7, x18, #0, #1
mov sp, x12
/* Get the unique owning entity number */
ubfx x16, x0, #FUNCID_OEN_SHIFT, #FUNCID_OEN_WIDTH
ubfx x15, x0, #FUNCID_TYPE_SHIFT, #FUNCID_TYPE_WIDTH
orr x16, x16, x15, lsl #FUNCID_OEN_WIDTH
/* Load descriptor index from array of indices */
adrp x14, rt_svc_descs_indices
add x14, x14, :lo12:rt_svc_descs_indices
ldrb w15, [x14, x16]
/* Any index greater than 127 is invalid. Check bit 7. */
tbnz w15, 7, smc_unknown
/*
* Get the descriptor using the index
* x11 = (base + off), w15 = index
*
* handler = (base + off) + (index << log2(size))
*/
adr x11, (__RT_SVC_DESCS_START__ + RT_SVC_DESC_HANDLE)
lsl w10, w15, #RT_SVC_SIZE_LOG2
ldr x15, [x11, w10, uxtw]
/*
* Call the Secure Monitor Call handler and then drop directly into
* el3_exit() which will program any remaining architectural state
* prior to issuing the ERET to the desired lower EL.
*/
#if DEBUG
cbz x15, rt_svc_fw_critical_error
#endif
blr x15
b el3_exit
smc_unknown:
/*
* Unknown SMC call. Populate return value with SMC_UNK and call
* el3_exit() which will restore the remaining architectural state
* i.e., SYS, GP and PAuth registers(if any) prior to issuing the ERET
* to the desired lower EL.
*/
mov x0, #SMC_UNK
str x0, [x6, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
b el3_exit
smc_prohibited:
restore_ptw_el1_sys_regs
ldp x28, x29, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X28]
ldr x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
mov x0, #SMC_UNK
exception_return
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
函数 smc_handler64主要做了下面事情:
- 保存Non-Secure world中的
spsr_el3、elr_el3、scr_el3到栈中。 - 根据 function_id 找到对应的 runtime service, 查找方法:
Index = (function_id >> 24 & 0x3f) | ((function_id >> 31) << 6);
Handler = __RT_SVC_DESCS_START__ + RT_SVC_DESC_HANDLE + rt_svc_descs_indices[Index] << 5
__RT_SVC_DESCS_START__为rt_svc_descs的起始地址,RT_SVC_DESC_HANDLE为服务处理函数handle在结构体rt_svc_desc中的偏移,左移5,是因为结构体rt_svc_desc大小为32字节。 - 执行指令
blr x15跳转到 runtime service 的处理函数 handler 中执行,runtime service 的注册一般都是通过宏DECLARE_RT_SVC(_name, _start, _end, _type, _setup, _handle), 注册四填入的最后一个参数即是对应的中断处理函数。
smc_handler32 中使用的宏定义:
include/common/runtime_svc.h
/*
* Constants to allow the assembler access a runtime service
* descriptor
*/
#ifdef __aarch64__
#define RT_SVC_SIZE_LOG2 U(5)
#define RT_SVC_DESC_INIT U(16)
#define RT_SVC_DESC_HANDLE U(24)
#else
#define RT_SVC_SIZE_LOG2 U(4)
#define RT_SVC_DESC_INIT U(8)
#define RT_SVC_DESC_HANDLE U(12)
#endif /* __aarch64__ */
#define SIZEOF_RT_SVC_DESC (U(1) << RT_SVC_SIZE_LOG2)
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
include/lib/smccc.h
/*******************************************************************************
* Bit definitions inside the function id as per the SMC calling convention
******************************************************************************/
#define FUNCID_TYPE_SHIFT U(31)
#define FUNCID_TYPE_MASK U(0x1)
#define FUNCID_TYPE_WIDTH U(1)
#define FUNCID_CC_SHIFT U(30)
#define FUNCID_CC_MASK U(0x1)
#define FUNCID_CC_WIDTH U(1)
#define FUNCID_OEN_SHIFT U(24)
#define FUNCID_OEN_MASK U(0x3f)
#define FUNCID_OEN_WIDTH U(6)
#define FUNCID_NUM_SHIFT U(0)
#define FUNCID_NUM_MASK U(0xffff)
#define FUNCID_NUM_WIDTH U(16)
#define GET_SMC_NUM(id) (((id) >> FUNCID_NUM_SHIFT) & \
FUNCID_NUM_MASK)
#define GET_SMC_TYPE(id) (((id) >> FUNCID_TYPE_SHIFT) & \
FUNCID_TYPE_MASK)
#define GET_SMC_CC(id) (((id) >> FUNCID_CC_SHIFT) & \
FUNCID_CC_MASK)
#define GET_SMC_OEN(id) (((id) >> FUNCID_OEN_SHIFT) & \
FUNCID_OEN_MASK)
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/知新_RL/article/detail/129960
推荐阅读
相关标签
