
【ARM64 ATF 系列 2 -- ATF SMC 异常处理流程 2】_smc同步异常详解

smc同步异常详解

文章目录

SMC 触发及处理

Linux kernel 运行在 Non-Secure EL1,如果要进入TEE,首先需要调用汇编指令 smc 进入 EL3,由 monitor(ATF)来完成 Non-Secure world到 Secure world的切换。在 mtk 平台上函数 mt_secure_call 是进入EL3 的入口函数,它调用 smc 指令并通过x0~x3传入四个参数。其中x0中是多个位域的一个编码,根据它可以找到哪个service以及service中的哪一项服务。

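/*
 * mt_secure_call - issue an SMC from Non-Secure EL1 into the EL3 monitor.
 *
 * @function_id: SMCCC function ID, passed in x0.  The monitor only looks at
 *               the TYPE/CC/OEN bit fields of it to pick a runtime service;
 *               the low 16 bits (function number) are left to that service.
 * @arg0..@arg2: passed in x1..x3.
 *
 * Returns the low 32 bits of x0 as left by EL3.  The monitor returns
 * SMC_UNK in x0 for an ID no service claims (or for an SMC64 ID issued from
 * AArch32).  Because only x0 is returned, a service that hands results back
 * in x1..x3 (SMCCC allows x0..x3 as result registers) cannot be driven
 * through this wrapper; use a wrapper that returns all four registers.
 *
 * Changes versus the original version of this helper:
 *  - x1..x3 are "+r" (read/write) instead of "r" (read-only).  EL3 may
 *    overwrite them with result values, so the compiler must not assume they
 *    still hold arg0..arg2 after the instruction.
 *  - "memory" clobber.  Arguments are frequently physical/virtual addresses of
 *    buffers the secure side reads or writes; the clobber forces pending
 *    stores out before the SMC and prevents loads being cached across it.
 *  NOTE(review): depending on the SMCCC revision the callee may also corrupt
 *  further registers (x4-x17 for SMC64 in newer revisions).  Confirm against
 *  the convention this platform's monitor implements and add them to the
 *  clobber list if so.
 */
static noinline int mt_secure_call(u64 function_id, u64 arg0, u64 arg1, u64 arg2)
{
    register u64 reg0 __asm__("x0") = function_id;
    register u64 reg1 __asm__("x1") = arg0;
    register u64 reg2 __asm__("x2") = arg1;
    register u64 reg3 __asm__("x3") = arg2;

    /* Traps to the EL3 synchronous exception vector (smc_handler in BL31). */
    asm volatile ("smc    #0\n"
                  : "+r" (reg0), "+r" (reg1), "+r" (reg2), "+r" (reg3)
                  :
                  : "memory");

    /* Only the low 32 bits of x0 survive; see the header comment. */
    return (int)reg0;
}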

前面运行指令 smc 触发一个同步异常,进入 EL3 异常向量表对应的同步异常入口,如下(bl31/aarch64/runtime_exceptions.S):

        /* ---------------------------------------------------------------------
         * The following code handles secure monitor calls.
         * Depending upon the execution state from where the SMC has been
         * invoked, it frees some general purpose registers to perform the
         * remaining tasks. They involve finding the runtime service handler
         * that is the target of the SMC & switching to runtime stacks (SP_EL0)
         * before calling the handler.
         *
         * Entry state: we arrive from the EL3 synchronous-exception vector with
         * SP = SP_EL3 pointing at the caller's 'cpu_context' and x0-x4 holding
         * the caller's SMC arguments (x0 = SMCCC function ID).  Everything in
         * x0 is caller (i.e. potentially attacker) controlled: only its TYPE,
         * CC and OEN fields are interpreted here, and each is extracted with a
         * fixed-width bitfield op before being used as a table index.
         *
         * Note that x30 has been explicitly saved and can be used here
         * ---------------------------------------------------------------------
         */
func smc_handler
smc_handler32:
        /*
         * Check whether aarch32 issued an SMC64.  An AArch32 caller must not
         * use the SMC64 calling convention (FUNCID_CC bit set in x0): bail out
         * to smc_prohibited, which returns SMC_UNK without touching any more
         * state.  AArch64 callers enter at smc_handler64 and skip this test.
         */
        tbnz    x0, #FUNCID_CC_SHIFT, smc_prohibited

smc_handler64:
        /* NOTE: The code below must preserve x0-x4 (they are the handler's args) */

        /*
         * Save general purpose and ARMv8.3-PAuth registers (if enabled).
         * If Secure Cycle Counter is not disabled in MDCR_EL3 when
         * ARMv8.5-PMU is implemented, save PMCR_EL0 and disable Cycle Counter.
         * Also set the PSTATE to a known state.
         * (Saving the GP registers into the context is what later lets
         * el3_exit restore the caller's registers; see smc_unknown below.)
         */
        bl      prepare_el3_entry

#if ENABLE_PAUTH
        /*
         * Load and program APIAKey firmware key
         * (presumably EL3's own key replaces the lower EL's key for the
         * duration of the call - confirm in pauth_load_bl31_apiakey)
         */
        bl      pauth_load_bl31_apiakey
#endif

        /*
         * Populate the parameters for the SMC handler.
         * We already have x0-x4 in place. x5 will point to a cookie (not used
         * now). x6 will point to the context structure (SP_EL3) and x7 will
         * contain flags we need to pass to the handler.
         */
        mov     x5, xzr
        mov     x6, sp
        /*
         * Restore the saved C runtime stack value which will become the new
         * SP_EL0 i.e. EL3 runtime stack. It was saved in the 'cpu_context'
         * structure prior to the last ERET from EL3.
         * (Only read into x12 here; it is installed as SP after the SPSel
         * switch below, once x6 has captured the SP_EL3 context pointer.)
         */
        ldr     x12, [x6, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP]

        /* Switch to SP_EL0 (the C runtime stack); SP_EL3 keeps the context */
        msr     spsel, #MODE_SP_EL0

        /*
         * Save the SPSR_EL3, ELR_EL3, & SCR_EL3 in case there is a world
         * switch during SMC handling.
         * These three define where, and in which security state, the final
         * ERET returns to, so they are kept in the context rather than in a
         * scratch register.
         * TODO: Revisit if all system registers can be saved later.
         */
        mrs     x16, spsr_el3
        mrs     x17, elr_el3
        mrs     x18, scr_el3
        stp     x16, x17, [x6, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3]
        str     x18, [x6, #CTX_EL3STATE_OFFSET + CTX_SCR_EL3]

        /* Clear flag register */
        mov     x7, xzr

#if ENABLE_RME
        /* Copy SCR_EL3.NSE bit to the flag to indicate caller's security */
        ubfx    x7, x18, #SCR_NSE_SHIFT, 1

        /*
         * Shift copied SCR_EL3.NSE bit by 5 to create space for
         * SCR_EL3.NS bit. Bit 5 of the flag corresponds to
         * the SCR_EL3.NSE bit.
         */
        lsl     x7, x7, #5
#endif /* ENABLE_RME */

        /*
         * Copy SCR_EL3.NS bit to the flag to indicate caller's security.
         * x7 is derived from SCR_EL3 (hardware state), never from anything the
         * caller passed: handlers must use this flag, not the function ID, to
         * decide which world issued the SMC.
         */
        bfi     x7, x18, #0, #1
        mov     sp, x12

        /*
         * Get the unique owning entity number.
         * x16 = OEN | (TYPE << FUNCID_OEN_WIDTH).  With a 6-bit OEN and a
         * 1-bit TYPE this is at most 7 bits (0..127), so the byte load below
         * cannot index past a 128-entry rt_svc_descs_indices table no matter
         * what the caller put in x0.
         */
        ubfx    x16, x0, #FUNCID_OEN_SHIFT, #FUNCID_OEN_WIDTH
        ubfx    x15, x0, #FUNCID_TYPE_SHIFT, #FUNCID_TYPE_WIDTH
        orr     x16, x16, x15, lsl #FUNCID_OEN_WIDTH

        /* Load descriptor index from array of indices */
        adrp    x14, rt_svc_descs_indices
        add     x14, x14, :lo12:rt_svc_descs_indices
        ldrb    w15, [x14, x16]

        /*
         * Any index greater than 127 is invalid. Check bit 7.
         * (OEN, TYPE) pairs with no registered service are presumably filled
         * with such a value when the table is built, so they end up in
         * smc_unknown instead of a bogus descriptor - confirm on the C side.
         */
        tbnz    w15, 7, smc_unknown

        /*
         * Get the descriptor using the index
         * x11 = (base + off), w15 = index
         *
         * handler = (base + off) + (index << log2(size))
         *
         * i.e. x15 = rt_svc_descs[index].handle.  The shift must match
         * sizeof(rt_svc_desc) (RT_SVC_SIZE_LOG2) and 'off' the offset of the
         * handle field (RT_SVC_DESC_HANDLE), both from runtime_svc.h.
         */
        adr     x11, (__RT_SVC_DESCS_START__ + RT_SVC_DESC_HANDLE)
        lsl     w10, w15, #RT_SVC_SIZE_LOG2
        ldr     x15, [x11, w10, uxtw]

        /*
         * Call the Secure Monitor Call handler and then drop directly into
         * el3_exit() which will program any remaining architectural state
         * prior to issuing the ERET to the desired lower EL.
         *
         * Handler ABI as set up above: x0-x4 = SMC args, x5 = cookie (0),
         * x6 = cpu_context (SP_EL3), x7 = flags (bit 0 = SCR_EL3.NS,
         * bit 5 = SCR_EL3.NSE when ENABLE_RME).  Results have to be written
         * into the saved GP registers of the context, as smc_unknown does,
         * because el3_exit restores the lower EL's GP registers from there.
         */
#if DEBUG
        /*
         * A NULL 'handle' is a firmware bug (descriptor without a handler).
         * This check exists only in DEBUG builds; release builds rely on the
         * descriptor table having been validated when it was built.
         * NOTE(review): confirm that validation exists on the C side.
         */
        cbz     x15, rt_svc_fw_critical_error
#endif
        blr     x15

        b       el3_exit

smc_unknown:
        /*
         * Unknown SMC call. Populate return value with SMC_UNK and call
         * el3_exit() which will restore the remaining architectural state
         * i.e., SYS, GP and PAuth registers(if any) prior to issuing the ERET
         * to the desired lower EL.
         * x0 is stored into the context, not only the live register, because
         * el3_exit reloads x0 from the context.
         */
        mov     x0, #SMC_UNK
        str     x0, [x6, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
        b       el3_exit

smc_prohibited:
        /*
         * AArch32 caller attempted an SMC64 (see smc_handler32).  Nothing
         * above ran, so prepare_el3_entry has not saved a context and SP is
         * still SP_EL3 (the context pointer).  Put back the registers the
         * exception entry code itself saved (x30 per the header note; x28/x29
         * presumably by the same path - confirm in the vector entry), return
         * SMC_UNK in x0 and ERET straight away, bypassing el3_exit.
         */
        /* Macro defined elsewhere; presumably undoes EL1 page-table-walk
         * register changes made at exception entry - confirm. */
        restore_ptw_el1_sys_regs
        ldp     x28, x29, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X28]
        ldr     x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
        mov     x0, #SMC_UNK
        exception_return


函数 smc_handler64主要做了下面事情:

  • 保存调用方进入 EL3 时的 spsr_el3、elr_el3、scr_el3 到 SP_EL3 所指向的 cpu_context 结构中(不是运行时栈),这样即使 SMC 处理过程中发生 world switch 也能正确返回;随后切换到 SP_EL0 运行时栈,并由 scr_el3 的 NS 位生成传给 handler 的 flags(x7),handler 据此(而不是根据 function_id)判断调用来自哪个 world。
  • 根据 function_id 找到对应的 runtime service, 查找方法:
    Index = ((function_id >> 24) & 0x3f) | (((function_id >> 31) & 0x1) << 6)    /* 即 OEN | (TYPE << 6),取值范围 0~127 */
    idx = rt_svc_descs_indices[Index]    /* 若 idx 的 bit7 为 1(即 idx > 127),说明没有注册对应服务,直接返回 SMC_UNK */
    Handler = *(uint64_t *)(__RT_SVC_DESCS_START__ + RT_SVC_DESC_HANDLE + (idx << 5))
    __RT_SVC_DESCS_START__ 为 rt_svc_descs 的起始地址,RT_SVC_DESC_HANDLE 为服务处理函数 handle 在结构体 rt_svc_desc 中的偏移,左移 5 是因为结构体 rt_svc_desc 大小为 32 字节(RT_SVC_SIZE_LOG2 = 5)。
  • 执行指令 blr x15 跳转到 runtime service 的处理函数 handler 中执行,handler 的参数为 x0~x4(SMC 参数)、x5(cookie,目前为 0)、x6(cpu_context 指针)和 x7(flags,bit0 为调用方的 SCR_EL3.NS)。runtime service 的注册一般都是通过宏 DECLARE_RT_SVC(_name, _start, _end, _type, _setup, _handle),注册时填入的最后一个参数即是对应的 SMC 处理函数 handle。

smc_handler 中使用的宏定义
include/common/runtime_svc.h

/*
 * Constants to allow the assembler access a runtime service
 * descriptor
 *
 * These mirror the C layout of 'rt_svc_desc' (declared elsewhere in this
 * header) for the hand-written EL3 SMC dispatcher, which cannot use
 * sizeof/offsetof:
 *   RT_SVC_SIZE_LOG2    log2(sizeof(rt_svc_desc)); the dispatcher forms
 *                       descriptor addresses with 'lsl #RT_SVC_SIZE_LOG2'
 *   RT_SVC_DESC_INIT    byte offset of the init callback (presumably the
 *                       '_setup' argument of DECLARE_RT_SVC - confirm)
 *   RT_SVC_DESC_HANDLE  byte offset of the SMC handler callback; the
 *                       dispatcher loads the function pointer from
 *                       __RT_SVC_DESCS_START__ + RT_SVC_DESC_HANDLE
 *                       + (index << RT_SVC_SIZE_LOG2)
 *
 * NOTE(review): if the struct ever changes size or field order these values
 * silently go stale and EL3 would call through a wrong pointer; check that a
 * compile-time assert (CASSERT on sizeof/offsetof) covers them elsewhere.
 */
#ifdef __aarch64__
#define RT_SVC_SIZE_LOG2        U(5)
#define RT_SVC_DESC_INIT        U(16)
#define RT_SVC_DESC_HANDLE      U(24)
#else
#define RT_SVC_SIZE_LOG2        U(4)
#define RT_SVC_DESC_INIT        U(8)
#define RT_SVC_DESC_HANDLE      U(12)
#endif /* __aarch64__ */
/* Derived from the shift so the two can never disagree. */
#define SIZEOF_RT_SVC_DESC      (U(1) << RT_SVC_SIZE_LOG2)

include/lib/smccc.h

/*******************************************************************************
 * Bit definitions inside the function id as per the SMC calling convention
 *
 * Layout of the 32-bit function ID (w0 of the SMC):
 *   bit 31      TYPE - per SMCCC, 1 = fast call, 0 = yielding (standard) call
 *   bit 30      CC   - calling convention, 1 = SMC64, 0 = SMC32
 *   bits 24-29  OEN  - owning entity number, selects the runtime service
 *   bits 16-23       - not covered by any mask here (SMCCC reserves them;
 *                      presumably must-be-zero/hint bits - confirm against
 *                      the SMCCC revision in use)
 *   bits 0-15   NUM  - function number within the service
 *
 * The EL3 dispatcher combines OEN and TYPE into a 7-bit table index and
 * rejects CC=1 from AArch32 callers; NUM is interpreted by the individual
 * service handler.  Each *_WIDTH must stay in sync with its *_MASK.
 ******************************************************************************/
#define FUNCID_TYPE_SHIFT               U(31)
#define FUNCID_TYPE_MASK                U(0x1)
#define FUNCID_TYPE_WIDTH               U(1)

#define FUNCID_CC_SHIFT                 U(30)
#define FUNCID_CC_MASK                  U(0x1)
#define FUNCID_CC_WIDTH                 U(1)

#define FUNCID_OEN_SHIFT                U(24)
#define FUNCID_OEN_MASK                 U(0x3f)
#define FUNCID_OEN_WIDTH                U(6)

#define FUNCID_NUM_SHIFT                U(0)
#define FUNCID_NUM_MASK                 U(0xffff)
#define FUNCID_NUM_WIDTH                U(16)

/*
 * Field extractors.  The mask is applied after the shift, so the caller does
 * not need to pre-mask 'id'; results are always in range for their field.
 */
#define GET_SMC_NUM(id)                 (((id) >> FUNCID_NUM_SHIFT) & \
                                         FUNCID_NUM_MASK)
#define GET_SMC_TYPE(id)                (((id) >> FUNCID_TYPE_SHIFT) & \
                                         FUNCID_TYPE_MASK)
#define GET_SMC_CC(id)                  (((id) >> FUNCID_CC_SHIFT) & \
                                         FUNCID_CC_MASK)
#define GET_SMC_OEN(id)                 (((id) >> FUNCID_OEN_SHIFT) & \
                                         FUNCID_OEN_MASK)