Lines Matching +full:service +full:- +full:management
7 Two implementations of a Secure Partition Manager co-exist in the TF-A codebase:
9 - SPM based on the FF-A specification (:ref:`Secure Partition Manager`).
10 - SPM based on the MM interface.
16 resides at EL3 and management services run from isolated Secure Partitions at S-EL0.
17 The communication protocol is established through the Management Mode (MM) interface.
22 In some market segments that primarily deal with client-side devices like mobile
26 used by Non-secure world applications to access these services. A Trusted OS
27 fulfils the requirements of a security service as described above.
29 Management services are typically implemented at the highest level of privilege
30 in the system, i.e. EL3 in Trusted Firmware-A (TF-A). The service requirements are
31 fulfilled by the execution environment provided by TF-A.
37 In other market segments that primarily deal with server-side devices (e.g. data
40 other interfaces (e.g. ACPI TCG TPM interface, UEFI runtime variable service).
42 Placement of management and security functions with diverse requirements in a
43 privileged Exception Level (i.e. EL3 or S-EL1) makes security auditing of
51 S-EL0 that can be used to implement simple management and security services.
52 Since S-EL0 is an unprivileged Exception Level, a Secure Partition relies on
53 privileged firmware (i.e. TF-A) to be granted access to system and processor
58 - Memory and device regions in the system address map.
60 - PE system registers.
62 - A range of synchronous exceptions (e.g. SMC function identifiers).
64 Note that currently TF-A only supports handling one Secure Partition.
66 A Secure Partition enables TF-A to implement only the essential secure
67 services in EL3 and instantiate the rest in a partition in S-EL0.
72 Armv8-A software stack. One or more Secure Partitions provide secure
73 services to software components in the Non-secure world and other Secure
78 The TF-A build system is responsible for including the Secure Partition image
86 - Allocate resources requested by the Secure Partition.
88 - Perform architectural and system setup required by the Secure Partition to
89 fulfil a service request.
91 - Implement a standard interface that is used for initialising a Secure
96 - Implement a standard interface that is used by a Secure Partition to fulfil
97 service requests.
99 - Implement a standard interface that is used by the Non-secure world for
100 accessing the services exported by a Secure Partition. A service can be
116 Building TF-A with Secure Partition support
117 -------------------------------------------
121 service always runs to completion (e.g. the requested services cannot be
126 SPM bootflow, a Secure Partition image executing at S-EL0 replaces the Secure
127 Payload image executing at S-EL1 (e.g. a Trusted OS). Both are referred to as
130 A working prototype of an SP has been implemented by re-purposing the EDK2 code
131 and tools, leveraging the concept of the *Standalone Management Mode (MM)* in
132 the UEFI specification (see the PI v1.6 Volume 4: Management Mode Core
136 To enable SPM support in TF-A, the source code must be compiled with the build
145 Then build TF-A with SPM support and include the Standalone MM Secure Partition
154 -------------------------------------
156 TF-A exports a porting interface that enables a platform to specify the system
161 - A Secure Partition is considered a BL32 image, so the same defines that apply
164 - The following defines are needed to allocate space for the translation tables
168 - The functions ``plat_get_secure_partition_mmap()`` and
173 - ``plat_get_secure_partition_mmap()`` returns an array of mmap regions that
177 - ``plat_get_secure_partition_boot_info()`` returns a
185 -----------------------------------
189 interface defined in the `Management Mode Interface Specification`_ (*Arm DEN
190 0060A*) is used to invoke a Secure Partition service as a Fast Call.
192 The mechanism used to identify a service within the partition depends on the
193 service implementation. It is assumed that the caller of the service will be
196 Specification v1.6. Management Mode Core Interface* specifies that a GUID is
197 used to identify a management mode service. A client populates the GUID in the
202 when the requested operation has completed. A service invoked through the
208 -----------------------------------------
210 The exchange of data between the Non-secure world and the partition takes place
214 to the Non-secure world or discovered through a platform discovery mechanism
215 e.g. ACPI table or device tree. It is possible for the Non-secure world to
218 specified in Section 3.2.3 of the `Management Mode Interface Specification`_
222 agreed between the Non-secure world and the Secure Partition. For example, in
223 the `Management Mode Interface specification`_ (*Arm DEN 0060A*), Section 4
224 describes that the communication buffer shared between the Non-secure world and
225 the Management Mode (MM) in the Secure world must be of the type
227 Platform Initialisation Specification v1.6. Management Mode Core Interface*.
228 Any caller of a MM service will have to use the ``EFI_MM_COMMUNICATE_HEADER``
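As an added illustration of the buffer format (example code written for this page, not EDK2's or TF-A's), the following C mirrors the ``EFI_MM_COMMUNICATE_HEADER`` layout from PI v1.6 Volume 4 and shows both sides of the exchange: the Non-secure caller filling in ``HeaderGuid``, ``MessageLength`` and the payload, and the Secure Partition validating what it received before touching ``Data[]``. Everything in the header is written by the Non-secure world, so ``MessageLength`` is attacker-controlled: the partition checks the communicated size against the region the SPM actually mapped, copies the header out once so a concurrent Non-secure writer cannot change the length between check and use, and bounds ``MessageLength`` with a subtraction that cannot underflow. ``UINTN`` is assumed to be 64-bit (AArch64), the service GUIDs, the message text and the buffer size are constructed for the example, and the header size is taken with ``offsetof()`` rather than ``sizeof()`` so the spec's ``Data[1]`` placeholder and its padding are not counted. The SMC that hands the buffer to the SPM is outside this snippet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_GUID and EFI_MM_COMMUNICATE_HEADER as laid out in PI v1.6 Vol 4; UINTN is 64-bit on AArch64. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;

typedef struct {
    EFI_GUID HeaderGuid;    /* GUID of the MM service the caller wants */
    uint64_t MessageLength; /* number of bytes in Data[] */
    uint8_t  Data[1];       /* service-specific payload follows the header */
} EFI_MM_COMMUNICATE_HEADER;

/* Header size via offsetof(): sizeof() would include the Data[1] placeholder plus padding (32, not 24). */
#define MM_COMM_HDR_SIZE offsetof(EFI_MM_COMMUNICATE_HEADER, Data)

/* Constructed GUIDs for the example; neither is a real EDK2 service GUID. */
static const EFI_GUID EXAMPLE_SERVICE_GUID = { 0x1f2e3d4c, 0x5b6a, 0x7988, { 0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18 } };
static const EFI_GUID OTHER_SERVICE_GUID   = { 0x00000000, 0x0000, 0x0000, { 0, 0, 0, 0, 0, 0, 0, 0 } };

/* Constructed payload standing in for a service-specific message (23 bytes including the NUL). */
static const uint8_t SAMPLE_MSG[] = "GetVariable:SecureBoot";

/* Non-secure side: write header + payload into the shared buffer.
 * Returns the communication size to hand to the SPM, or 0 if the message does not fit. */
static size_t mm_comm_build(uint8_t *buf, size_t buf_capacity, const EFI_GUID *svc,
                            const void *msg, size_t msg_len)
{
    if (buf_capacity < MM_COMM_HDR_SIZE || msg_len > buf_capacity - MM_COMM_HDR_SIZE)
        return 0;
    EFI_MM_COMMUNICATE_HEADER hdr;
    hdr.HeaderGuid = *svc;
    hdr.MessageLength = msg_len;
    memcpy(buf, &hdr, MM_COMM_HDR_SIZE);
    memcpy(buf + MM_COMM_HDR_SIZE, msg, msg_len);
    return MM_COMM_HDR_SIZE + msg_len;
}

/* Simulates a hostile or buggy Non-secure caller rewriting MessageLength after the fact. */
static void mm_comm_set_length(uint8_t *buf, uint64_t len)
{
    memcpy(buf + offsetof(EFI_MM_COMMUNICATE_HEADER, MessageLength), &len, sizeof len);
}

/* Secure Partition side. comm_size is what the caller claimed; buf_capacity is what the SPM mapped.
 * The header is copied out once (no double fetch from Non-secure memory), MessageLength is bounded
 * by comm_size with an underflow-safe subtraction, and the GUID must be the registered service.
 * Returns the payload length, or -1 if the buffer is rejected; *data is set only on success. */
static long mm_comm_accept(const uint8_t *buf, size_t comm_size, size_t buf_capacity,
                           const EFI_GUID *expected, const uint8_t **data)
{
    if (comm_size > buf_capacity || comm_size < MM_COMM_HDR_SIZE)
        return -1;
    EFI_MM_COMMUNICATE_HEADER hdr;
    memcpy(&hdr, buf, MM_COMM_HDR_SIZE);
    if (hdr.MessageLength > comm_size - MM_COMM_HDR_SIZE)
        return -1;
    if (memcmp(&hdr.HeaderGuid, expected, sizeof(EFI_GUID)) != 0)
        return -1;
    if (data != NULL)
        *data = buf + MM_COMM_HDR_SIZE;
    return (long)hdr.MessageLength;
}

/* Stand-in for the shared buffer the SPM maps into both worlds and advertises via ACPI or device tree. */
static uint8_t g_comm_buf[256];

int main(void)
{
    size_t n = mm_comm_build(g_comm_buf, sizeof g_comm_buf, &EXAMPLE_SERVICE_GUID, SAMPLE_MSG, sizeof SAMPLE_MSG);
    const uint8_t *payload = NULL;
    long len = mm_comm_accept(g_comm_buf, n, sizeof g_comm_buf, &EXAMPLE_SERVICE_GUID, &payload);
    printf("comm size %zu, accepted payload length %ld: %s\n", n, len, len > 0 ? (const char *)payload : "(rejected)");
    mm_comm_set_length(g_comm_buf, UINT64_MAX);   /* forged length: must be rejected */
    printf("after tampering: %ld\n", mm_comm_accept(g_comm_buf, n, sizeof g_comm_buf, &EXAMPLE_SERVICE_GUID, NULL));
    return 0;
}
```

The order of checks matters: ``comm_size`` is validated against the mapped region before it is used to bound ``MessageLength``, and the header is read from the shared buffer exactly once, so a Non-secure writer racing the partition can only make the message look shorter or wrong, never make the partition read past the buffer.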
237 ------------------
240 S-EL0, the SPM should define the following types of interfaces:
242 - Interfaces that enable access to privileged operations from S-EL0. These
247 - Interfaces that establish the control path between the SPM and the Secure
251 Secure Partition to initialise itself and export its services in S-EL0. These
252 interfaces are not accessible from the Non-secure world.
259 depending on the implemented Exception levels. In S-EL0, the Supervisor Call
265 An SVC causes an exception to be taken to S-EL1. TF-A assumes ownership of S-EL1
266 and installs a simple exception vector table in S-EL1 that relays an SVC request
268 SMC request, Trusted Firmware-A returns control directly to S-EL0 through an
275 32-bit and 64-bit calling conventions for the SMC and HVC conduits. The SVC
277 and SVC64 calling conventions are equivalent to the 32-bit (SMC32) and the
278 64-bit (SMC64) calling conventions respectively.
283 A service request is initiated from the SPM through an exception return
284 instruction (ERET) to S-EL0. Later, the Secure Partition issues an SVC
288 - A request to initialise the Secure Partition during system boot.
290 - A request to handle a runtime service request.
296 An ERET instruction is used by TF-A to return to S-EL0 with the result of the
300 partition (e.g. management of memory attributes in the translation tables for
307 Secure Service calls range (see `SMC Calling Convention`_ (*Arm DEN 0028B*)
313 Secure Partition Event Management
316 The Secure Partition provides an Event Management interface that is used by the
317 SPM to delegate service requests to the Secure Partition. The interface also
320 - Register with the SPM a service that it provides.
321 - Indicate completion of a service request delegated by the SPM
324 ------------------------
329 - Description
333 - Parameters
335 - **uint32** - Function ID
337 - SVC32 Version: **0x84000060**
339 - Return parameters
341 - **int32** - Status
345 - Bit [31]: Must be 0
346 - Bits [30:16]: Major Version. Must be 0 for this revision of the SPM
348 - Bits [15:0]: Minor Version. Must be 1 for this revision of the SPM
353 - ``NOT_SUPPORTED``: SPM interface is not supported or not available for the
356 - Usage
360 number is a 31-bit unsigned integer, with the upper 15 bits denoting the major
364 - Different major revision values indicate possibly incompatible functions.
366 - For two revisions, A and B, for which the major revision values are
372 - Implementation responsibilities
382 -------------------------------
385 enable initialisation of a service in S-EL0. The responsibilities of the SPM are
394 The entry point for service requests that should be handled as Fast Calls is
401 At cold boot, system registers accessible from S-EL0 will be in their reset
403 architectural setup to enable execution in S-EL0
429 S-EL0 or S-EL1.
434 System registers that influence software execution in S-EL0 are setup by the SPM
439 - ``UCI=1``
440 - ``EOE=0``
441 - ``WXN=1``
442 - ``nTWE=1``
443 - ``nTWI=1``
444 - ``UCT=1``
445 - ``DZE=1``
446 - ``I=1``
447 - ``UMA=0``
448 - ``SA0=1``
449 - ``C=1``
450 - ``A=1``
451 - ``M=1``
455 - ``FPEN=b'11``
459 - ``D,A,I,F=1``
460 - ``CurrentEL=0`` (EL0)
461 - ``SpSel=0`` (Thread mode)
462 - ``NRW=0`` (AArch64)
467 SPM will invoke the entry point of a service by executing an ERET instruction.
468 This transition into S-EL0 is special since it is not in response to a previous
469 request through a SVC instruction. This is the first entry into S-EL0. The
471 "Return State" column of Table 3-1 in Section 3.1 "Register use in AArch64 SMC
477 A non-zero value will indicate that the SPM has initialised the stack pointer
482 2. ``X4-X30``
486 3. ``X0-X3``
490 - ``X0``: Virtual address of a buffer shared between EL3 and S-EL0. The
491 buffer will be mapped in the Secure EL1&0 translation regime with read-only
494 - ``X1``: Size of the buffer in bytes.
496 - ``X2``: Cookie value (*IMPLEMENTATION DEFINED*).
498 - ``X3``: Cookie value (*IMPLEMENTATION DEFINED*).
501 ------------------------
504 invocation (i.e. a SMC from the Non-secure world). These requests are delegated
508 completion of a partition service request.
513 - Description
515 Signal completion of the last SP service request.
517 - Parameters
519 - **uint32** - Function ID
521 - SVC64 Version: **0xC4000061**
523 - **int32** - Event Status Code
529 - ``SUCCESS`` : Used to indicate that the Secure Partition was initialised
532 - Any other value greater than 0 is used to pass a specific Event Status
538 - Return parameters
540 - **int32** - Event ID/Return Code
548 from the Non-secure world.
552 - ``NOT_SUPPORTED``: Function was called from the Non-secure world.
557 - **uint32** - Event Context Address
563 The buffer is mapped in the Secure EL1&0 translation regime with read-only
566 For the SVC64 version, this parameter is a 64-bit Virtual Address (VA).
568 For the SVC32 version, this parameter is a 32-bit Virtual Address (VA).
570 - **uint32** - Event context size
574 - **uint32/uint64** - Event Cookie
578 - Usage
585 - Caller responsibilities
590 - Callee responsibilities
600 specify the properties of the event and be populated in ``X0-X3/W0-W3``
603 Secure Partition Memory Management
604 ----------------------------------
606 A Secure Partition executes at S-EL0, which is an unprivileged Exception Level.
612 and their usage can be found in the `Armv8-A ARM`_ (*Arm DDI 0487*).
623 could implement a loader for a standard executable file format (e.g. a PE-COFF
626 executable file and their permission attributes (e.g. read-write data, read-only
645 - Description
647 Request the permission attributes of a memory region from S-EL0.
649 - Parameters
651 - **uint32** Function ID
653 - SVC64 Version: **0xC4000064**
655 - **uint64** Base Address
657 This parameter is a 64-bit Virtual Address (VA).
662 - Return parameters
664 - **int32** - Memory Attributes/Return Code
668 - Bits[1:0] : Data access permission
670 - b'00 : No access
671 - b'01 : Read-Write access
672 - b'10 : Reserved
673 - b'11 : Read-only access
675 - Bit[2]: Instruction access permission
677 - b'0 : Executable
678 - b'1 : Non-executable
680 - Bit[30:3] : Reserved. SBZ.
682 - Bit[31] : Must be 0
686 - ``INVALID_PARAMETER``: The Secure Partition is not allowed to access the
689 - ``NOT_SUPPORTED`` : The SPM does not support retrieval of attributes of
691 function was called from the Non-secure world. Also returned if it is
697 - Usage
699 This function is used to request the permission attributes for S-EL0 on a
705 - Caller responsibilities
710 - Callee responsibilities
718 - Description
720 Set the permission attributes of a memory region from S-EL0.
722 - Parameters
724 - **uint32** - Function ID
726 - SVC64 Version: **0xC4000065**
728 - **uint64** - Base Address
730 This parameter is a 64-bit Virtual Address (VA).
736 - **uint32** - Page count
741 - **uint32** - Memory Access Controls
743 - Bits[1:0] : Data access permission
745 - b'00 : No access
746 - b'01 : Read-Write access
747 - b'10 : Reserved
748 - b'11 : Read-only access
750 - Bit[2] : Instruction access permission
752 - b'0 : Executable
753 - b'1 : Non-executable
755 - Bits[31:3] : Reserved. SBZ.
761 - Return parameters
763 - **int32** - Return Code
765 - ``SUCCESS``: The Memory Access Controls were changed successfully.
767 - ``DENIED``: The SPM is servicing a request to change the attributes of a
770 - ``INVALID_PARAMETER``: An invalid combination of Memory Access Controls
775 - ``NO_MEMORY``: The SPM does not have memory resources to change the
778 - ``NOT_SUPPORTED``: The SPM does not permit change of attributes of any
780 called from the Non-secure world. Also returned if it is used after
786 - Usage
788 This function is used to change the permission attributes for S-EL0 on a
796 signal that it is initialised and ready to receive run-time requests.
798 - Caller responsibilities
803 - Callee responsibilities
807 of the S-EL1 translation regime if this function is called on different PEs
811 -----------
813 .. csv-table::
817 ``NOT_SUPPORTED``,-1
818 ``INVALID_PARAMETER``,-2
819 ``DENIED``,-3
820 ``NO_MEMORY``,-5
821 ``NOT_PRESENT``,-7
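The following C pulls together the S-EL0 side of the interfaces above: the SVC conduit, the SP_VERSION compatibility rule, the Memory Access Controls encoding for SP_MEMORY_ATTRIBUTES_SET, the status codes from the table, and SP_EVENT_COMPLETE after a loader has set W^X attributes on its sections. It is an added example, not TF-A's or EDK2's code. The function IDs, bit layouts and status values are those quoted on this page; the section addresses, the host-build stub and the refusal of RW+executable mappings are this example's own choices (the page states only that the SPM sets ``SCTLR_EL1.WXN=1`` for S-EL0, under which a writable page is never executable). Build with ``-DSP_TARGET_SEL0`` when compiling for the partition image; any other build replaces the SVC with a stub that answers ``NOT_SUPPORTED``, so the logic can be exercised on a host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Function IDs and status codes quoted on the page (SP_VERSION in its SVC32 form). */
#define SP_VERSION_AARCH32               0x84000060u
#define SP_EVENT_COMPLETE_AARCH64        0xC4000061u
#define SP_MEMORY_ATTRIBUTES_SET_AARCH64 0xC4000065u
#define SP_SUCCESS            0
#define SP_NOT_SUPPORTED     (-1)
#define SP_INVALID_PARAMETER (-2)

/* Memory Access Controls word: bits [1:0] data permission (b'10 reserved), bit [2] = non-executable. */
#define SP_MEM_NOACCESS 0u
#define SP_MEM_RW       1u
#define SP_MEM_RO       3u
#define SP_MEM_NX       (1u << 2)

/* SVC conduit from S-EL0: TF-A's S-EL1 vector relays the SVC to the SPM at EL3, which ERETs back
 * with the result in x0. Only a build with -DSP_TARGET_SEL0 emits the SVC; a host build (this
 * example's assumption) gets a stub that answers NOT_SUPPORTED, as an SPM without the call would. */
static int64_t sp_svc64(uint64_t fid, uint64_t x1, uint64_t x2, uint64_t x3)
{
#if defined(__aarch64__) && defined(SP_TARGET_SEL0)
    register uint64_t r0 __asm__("x0") = fid;
    register uint64_t r1 __asm__("x1") = x1;
    register uint64_t r2 __asm__("x2") = x2;
    register uint64_t r3 __asm__("x3") = x3;
    __asm__ volatile("svc #0" : "+r"(r0) : "r"(r1), "r"(r2), "r"(r3)   /* x4-x17 clobbered conservatively */
                     : "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "memory");
    return (int64_t)r0;
#else
    (void)fid; (void)x1; (void)x2; (void)x3;
    return SP_NOT_SUPPORTED;
#endif
}

/* SP_VERSION rule from the page: bit 31 clear, equal major (bits [30:16]) and the SPM's minor
 * (bits [15:0]) no lower than the one the partition was written against. */
static bool sp_version_compatible(int32_t ret, uint32_t req_major, uint32_t req_minor)
{
    if (ret < 0)                         /* an error code, or the forbidden bit 31 */
        return false;
    uint32_t major = ((uint32_t)ret >> 16) & 0x7FFFu, minor = (uint32_t)ret & 0xFFFFu;
    return major == req_major && minor >= req_minor;
}

/* Build a Memory Access Controls word. Refuses the reserved encoding b'10 and RW+executable; the
 * latter is this example's own W^X rule, in line with the SPM's SCTLR_EL1.WXN=1 for S-EL0. */
static int32_t sp_mem_attr_encode(uint32_t data_perm, bool executable)
{
    if (data_perm == 2u || data_perm > 3u || (data_perm == SP_MEM_RW && executable))
        return SP_INVALID_PARAMETER;
    return (int32_t)(data_perm | (executable ? 0u : SP_MEM_NX));
}

/* A loaded image section as a PE-COFF style loader in the partition would describe it. */
struct sp_section { uint64_t va; uint32_t pages; uint32_t data_perm; bool exec; };

/* Set attributes section by section, before SP_EVENT_COMPLETE (after it the SPM refuses changes).
 * Returns SP_SUCCESS or the status code of the first failure. */
static int32_t sp_apply_sections(const struct sp_section *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int32_t attr = sp_mem_attr_encode(s[i].data_perm, s[i].exec);
        if (attr < 0)
            return attr;
        int64_t rc = sp_svc64(SP_MEMORY_ATTRIBUTES_SET_AARCH64, s[i].va, s[i].pages, (uint32_t)attr);
        if (rc != SP_SUCCESS)
            return (int32_t)rc;
    }
    return SP_SUCCESS;
}

/* Report initialisation done; the SPM returns from this call with the next Event ID or an error. */
static int64_t sp_init_complete(void)
{
    return sp_svc64(SP_EVENT_COMPLETE_AARCH64, (uint64_t)SP_SUCCESS, 0, 0);
}

/* Constructed layouts with illustrative addresses; WX_SECTION is what the W^X rule refuses. */
static const struct sp_section EXAMPLE_SECTIONS[] = {
    { 0x1000, 4, SP_MEM_RO, true  },   /* .text      RO + X  */
    { 0x5000, 1, SP_MEM_RO, false },   /* .rodata    RO + NX */
    { 0x6000, 2, SP_MEM_RW, false },   /* .data/.bss RW + NX */
};
static const struct sp_section WX_SECTION[] = { { 0x8000, 1, SP_MEM_RW, true } };

/* Boot-time sequence for the partition: version check, W^X section setup, then report completion.
 * Returns the first Event ID (>= 0) or the status code that stopped the sequence. */
static int64_t sp_partition_init(void)
{
    int32_t ver = (int32_t)sp_svc64(SP_VERSION_AARCH32, 0, 0, 0);
    if (!sp_version_compatible(ver, 0, 1))
        return ver < 0 ? ver : SP_NOT_SUPPORTED;
    int32_t rc = sp_apply_sections(EXAMPLE_SECTIONS, sizeof EXAMPLE_SECTIONS / sizeof EXAMPLE_SECTIONS[0]);
    return rc != SP_SUCCESS ? rc : sp_init_complete();
}
```

``sp_partition_init()`` is the partition's cold-boot path: the partition entry code (not shown) calls it with the stack and registers the SPM set up on first entry, and the value it returns is the Event ID of the first delegated request, since ``SP_EVENT_COMPLETE`` only returns when the SPM has a new event to hand over. Attribute changes are issued before that call on purpose: once the partition has signalled completion the SPM answers further ``SP_MEMORY_ATTRIBUTES_SET`` requests with ``NOT_SUPPORTED``.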
823 --------------
825 *Copyright (c) 2017-2021, Arm Limited and Contributors. All rights reserved.*
827 .. _Armv8-A ARM: https://developer.arm.com/docs/ddi0487/latest/arm-architecture-reference-manual-ar…
828 .. _instructions in the EDK2 repository: https://github.com/tianocore/edk2-staging/blob/AArch64Stan…