[U-Boot] [PATCH 1/1] efi_loader: refactor switch to non-secure mode

Heinrich Schuchardt xypron.glpk at gmx.de
Sun Dec 30 14:36:55 UTC 2018


Refactor the switch from supervisor to hypervisor to a new function called
at the beginning of do_bootefi().

Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
---
v3
	Move weak function to common/bootm.c.
	Rename functions.
	Add more comments.
	Avoid static variable for jump buffer.
v2
	Use weak function with implementation in arch directories
---
 arch/arm/cpu/armv7/Makefile          |  1 +
 arch/arm/cpu/armv7/exception_level.c | 56 ++++++++++++++++++++++
 arch/arm/cpu/armv8/Makefile          |  1 +
 arch/arm/cpu/armv8/exception_level.c | 55 +++++++++++++++++++++
 cmd/bootefi.c                        | 72 ++--------------------------
 common/bootm.c                       | 10 ++++
 include/bootm.h                      |  5 ++
 7 files changed, 132 insertions(+), 68 deletions(-)
 create mode 100644 arch/arm/cpu/armv7/exception_level.c
 create mode 100644 arch/arm/cpu/armv8/exception_level.c

diff --git a/arch/arm/cpu/armv7/Makefile b/arch/arm/cpu/armv7/Makefile
index 4f4647c90ac..8c955d0d528 100644
--- a/arch/arm/cpu/armv7/Makefile
+++ b/arch/arm/cpu/armv7/Makefile
@@ -14,6 +14,7 @@ obj-$(CONFIG_SYS_ARM_MPU) += mpu_v7r.o
 
 ifneq ($(CONFIG_SPL_BUILD),y)
 obj-$(CONFIG_EFI_LOADER) += sctlr.o
+obj-$(CONFIG_ARMV7_NONSEC) += exception_level.o
 endif
 
 ifneq ($(CONFIG_SKIP_LOWLEVEL_INIT),y)
diff --git a/arch/arm/cpu/armv7/exception_level.c b/arch/arm/cpu/armv7/exception_level.c
new file mode 100644
index 00000000000..e116435623f
--- /dev/null
+++ b/arch/arm/cpu/armv7/exception_level.c
@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Switch to non-secure mode
+ *
+ * Copyright (c) 2018 Heinrich Schuchardt
+ *
+ * This module contains the ARMv7 specific code required for leaving the
+ * secure mode before booting an operating system.
+ */
+
+#include <common.h>
+#include <bootm.h>
+#include <asm/armv7.h>
+#include <asm/secure.h>
+#include <asm/setjmp.h>
+
+/**
+ * entry_non_secure() - entry point when switching to non-secure mode
+ *
+ * When switching to non-secure mode switch_to_non_secure_mode() calls this
+ * function passing a jump buffer. We use this jump buffer to restoring the
+ * original stack and register state.
+ *
+ * @non_secure_jmp:	jump buffer for restoring stack and registers
+ */
+static void entry_non_secure(struct jmp_buf_data *non_secure_jmp)
+{
+	dcache_enable();
+	debug("Reached non-secure mode\n");
+
+	/* Restore stack and registers saved in switch_to_non_secure_mode() */
+	longjmp(non_secure_jmp, 1);
+}
+
+/**
+ * switch_to_non_secure_mode() - switch to non-secure mode
+ *
+ * Operating systems are expected to run in non-secure mode. Here we check if
+ * we are running in secure mode and switch to non-secure mode if necessary.
+ */
+void switch_to_non_secure_mode(void)
+{
+	static bool is_nonsec;
+	struct jmp_buf_data non_secure_jmp;
+
+	if (armv7_boot_nonsec() && !is_nonsec) {
+		if (setjmp(&non_secure_jmp))
+			return;
+		dcache_disable();	/* flush cache before switch to HYP */
+		armv7_init_nonsec();
+		is_nonsec = true;
+		secure_ram_addr(_do_nonsec_entry)(entry_non_secure,
+						  (uintptr_t)&non_secure_jmp,
+						  0, 0);
+	}
+}
diff --git a/arch/arm/cpu/armv8/Makefile b/arch/arm/cpu/armv8/Makefile
index 52c8daa0496..8b0b887a696 100644
--- a/arch/arm/cpu/armv8/Makefile
+++ b/arch/arm/cpu/armv8/Makefile
@@ -14,6 +14,7 @@ ifdef CONFIG_SPL_BUILD
 obj-$(CONFIG_ARMV8_SPL_EXCEPTION_VECTORS) += exceptions.o
 else
 obj-y	+= exceptions.o
+obj-y   += exception_level.o
 endif
 obj-y	+= cache.o
 obj-y	+= tlb.o
diff --git a/arch/arm/cpu/armv8/exception_level.c b/arch/arm/cpu/armv8/exception_level.c
new file mode 100644
index 00000000000..245af3f1d4e
--- /dev/null
+++ b/arch/arm/cpu/armv8/exception_level.c
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Switch to non-secure mode
+ *
+ * Copyright (c) 2018 Heinrich Schuchardt
+ *
+ * This module contains the ARMv8 specific code required to adjust the exception
+ * level before booting an operating system.
+ */
+
+#include <common.h>
+#include <bootm.h>
+#include <asm/setjmp.h>
+
+/**
+ * entry_non_secure() - entry point when switching to non-secure mode
+ *
+ * When switching to non-secure mode switch_to_non_secure_mode() calls this
+ * function passing a jump buffer. We use this jump buffer to restoring the
+ * original stack and register state.
+ *
+ * @non_secure_jmp:	jump buffer for restoring stack and registers
+ */
+static void entry_non_secure(struct jmp_buf_data *non_secure_jmp)
+{
+	dcache_enable();
+	debug("Reached non-secure mode\n");
+
+	/* Restore stack and registers saved in switch_to_non_secure_mode() */
+	longjmp(non_secure_jmp, 1);
+}
+
+/**
+ * switch_to_non_secure_mode() - switch to non-secure mode
+ *
+ * Exception level EL3 is meant to be used by the secure monitor only (ARM
+ * trusted firmware being one embodiment). The operating system shall be
+ * started at exception level EL2. So here we check the exception level
+ * and switch it if necessary.
+ */
+void switch_to_non_secure_mode(void)
+{
+	struct jmp_buf_data non_secure_jmp;
+
+	/* On AArch64 we need to make sure we call our payload in < EL3 */
+	if (current_el() == 3) {
+		if (setjmp(&non_secure_jmp))
+			return;
+		dcache_disable();	/* flush cache before switch to EL2 */
+
+		/* Move into EL2 and keep running there */
+		armv8_switch_to_el2((uintptr_t)&non_secure_jmp, 0, 0, 0,
+				    (uintptr_t)entry_non_secure, ES_TO_AARCH64);
+	}
+}
diff --git a/cmd/bootefi.c b/cmd/bootefi.c
index 23639ced7a0..4c87dca808f 100644
--- a/cmd/bootefi.c
+++ b/cmd/bootefi.c
@@ -5,8 +5,9 @@
  *  Copyright (c) 2016 Alexander Graf
  */
 
-#include <charset.h>
 #include <common.h>
+#include <bootm.h>
+#include <charset.h>
 #include <command.h>
 #include <dm.h>
 #include <efi_loader.h>
@@ -21,17 +22,11 @@
 #include <asm-generic/unaligned.h>
 #include <linux/linkage.h>
 
-#ifdef CONFIG_ARMV7_NONSEC
-#include <asm/armv7.h>
-#include <asm/secure.h>
-#endif
-
 DECLARE_GLOBAL_DATA_PTR;
 
 #define OBJ_LIST_NOT_INITIALIZED 1
 
 static efi_status_t efi_obj_list_initialized = OBJ_LIST_NOT_INITIALIZED;
-
 static struct efi_device_path *bootefi_image_path;
 static struct efi_device_path *bootefi_device_path;
 
@@ -233,34 +228,6 @@ static efi_status_t efi_do_enter(
 	return ret;
 }
 
-#ifdef CONFIG_ARM64
-static efi_status_t efi_run_in_el2(EFIAPI efi_status_t (*entry)(
-			efi_handle_t image_handle, struct efi_system_table *st),
-			efi_handle_t image_handle, struct efi_system_table *st)
-{
-	/* Enable caches again */
-	dcache_enable();
-
-	return efi_do_enter(image_handle, st, entry);
-}
-#endif
-
-#ifdef CONFIG_ARMV7_NONSEC
-static bool is_nonsec;
-
-static efi_status_t efi_run_in_hyp(EFIAPI efi_status_t (*entry)(
-			efi_handle_t image_handle, struct efi_system_table *st),
-			efi_handle_t image_handle, struct efi_system_table *st)
-{
-	/* Enable caches again */
-	dcache_enable();
-
-	is_nonsec = true;
-
-	return efi_do_enter(image_handle, st, entry);
-}
-#endif
-
 /*
  * efi_carve_out_dt_rsv() - Carve out DT reserved memory ranges
  *
@@ -440,39 +407,6 @@ static efi_status_t do_bootefi_exec(void *efi,
 		goto err_prepare;
 	}
 
-#ifdef CONFIG_ARM64
-	/* On AArch64 we need to make sure we call our payload in < EL3 */
-	if (current_el() == 3) {
-		smp_kick_all_cpus();
-		dcache_disable();	/* flush cache before switch to EL2 */
-
-		/* Move into EL2 and keep running there */
-		armv8_switch_to_el2((ulong)entry,
-				    (ulong)&image_obj->header,
-				    (ulong)&systab, 0, (ulong)efi_run_in_el2,
-				    ES_TO_AARCH64);
-
-		/* Should never reach here, efi exits with longjmp */
-		while (1) { }
-	}
-#endif
-
-#ifdef CONFIG_ARMV7_NONSEC
-	if (armv7_boot_nonsec() && !is_nonsec) {
-		dcache_disable();	/* flush cache before switch to HYP */
-
-		armv7_init_nonsec();
-		secure_ram_addr(_do_nonsec_entry)(
-					efi_run_in_hyp,
-					(uintptr_t)entry,
-					(uintptr_t)&image_obj->header,
-					(uintptr_t)&systab);
-
-		/* Should never reach here, efi exits with longjmp */
-		while (1) { }
-	}
-#endif
-
 	ret = efi_do_enter(&image_obj->header, &systab, entry);
 
 err_prepare:
@@ -558,6 +492,8 @@ static int do_bootefi(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 	/* Allow unaligned memory access */
 	allow_unaligned();
 
+	switch_to_non_secure_mode();
+
 	/* Initialize EFI drivers */
 	r = efi_init_obj_list();
 	if (r != EFI_SUCCESS) {
diff --git a/common/bootm.c b/common/bootm.c
index 8bf84ebcb7e..e34d3ac8f44 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -915,6 +915,16 @@ static const void *boot_get_kernel(cmd_tbl_t *cmdtp, int flag, int argc,
 
 	return buf;
 }
+
+/**
+ * switch_to_non_secure_mode() - switch to non-secure mode
+ *
+ * This routine is overridden by architectures requiring this feature.
+ */
+void __weak switch_to_non_secure_mode(void)
+{
+}
+
 #else /* USE_HOSTCC */
 
 void memmove_wd(void *to, void *from, size_t len, ulong chunksz)
diff --git a/include/bootm.h b/include/bootm.h
index 0501414e0dc..81b7252bd4d 100644
--- a/include/bootm.h
+++ b/include/bootm.h
@@ -80,4 +80,9 @@ int bootm_decomp_image(int comp, ulong load, ulong image_start, int type,
  */
 void board_quiesce_devices(void);
 
+/**
+ * switch_to_non_secure_mode() - switch to non-secure mode
+ */
+void switch_to_non_secure_mode(void);
+
 #endif
-- 
2.19.2



More information about the U-Boot mailing list