1 // SPDX-License-Identifier: GPL-2.0-only
3  * FF-A v1.0 proxy to filter out invalid memory-sharing SMC calls issued by
4  * the host. FF-A is a slightly more palatable abbreviation of "Arm Firmware
5  * Framework for Arm A-profile", which is specified by Arm in document
8  * Copyright (C) 2022 - Google LLC
12  * all calls falling within the FF-A range. Each call is either:
14  *	- Forwarded on unmodified to the SPMD at EL3
15  *	- Rejected as "unsupported"
16  *	- Accompanied by a host stage-2 page-table check/update and reissued
19  * accessible to the secure world using FF-A will be detected either here
22  * with the secure world).
24  * To allow the rolling-back of page-table updates and FF-A calls in the
29 #include <linux/arm-smccc.h>
40  * "ID value 0 must be returned at the Non-secure physical FF-A instance"
100 	cpu_reg(ctxt, 0) = res->a0;  in ffa_set_retval()
101 	cpu_reg(ctxt, 1) = res->a1;  in ffa_set_retval()
102 	cpu_reg(ctxt, 2) = res->a2;  in ffa_set_retval()
103 	cpu_reg(ctxt, 3) = res->a3;  in ffa_set_retval()
310 		u64 sz = (u64)range->pg_cnt * FFA_PAGE_SIZE;  in __ffa_host_share_ranges()
311 		u64 pfn = hyp_phys_to_pfn(range->address);  in __ffa_host_share_ranges()
330 		u64 sz = (u64)range->pg_cnt * FFA_PAGE_SIZE;  in __ffa_host_unshare_ranges()
331 		u64 pfn = hyp_phys_to_pfn(range->address);  in __ffa_host_unshare_ranges()
404 		WARN_ON(res->a0 != FFA_SUCCESS);  in do_ffa_mem_frag_tx()
409 	if (res->a0 != FFA_SUCCESS && res->a0 != FFA_MEM_FRAG_RX)  in do_ffa_mem_frag_tx()
421 	 * the host stage-2 changes. The pages previously marked as shared will  in do_ffa_mem_frag_tx()
438 	struct ffa_composite_mem_region *reg;  in __do_ffa_mem_xfer()  local
471 	offset = ep_mem_access->composite_off;  in __do_ffa_mem_xfer()
472 	if (!offset || buf->ep_count != 1 || buf->sender_id != HOST_FFA_ID) {  in __do_ffa_mem_xfer()
482 	reg = (void *)buf + offset;  in __do_ffa_mem_xfer()
483 	nr_ranges = ((void *)buf + fraglen) - (void *)reg->constituents;  in __do_ffa_mem_xfer()
484 	if (nr_ranges % sizeof(reg->constituents[0])) {  in __do_ffa_mem_xfer()
489 	nr_ranges /= sizeof(reg->constituents[0]);  in __do_ffa_mem_xfer()
490 	ret = ffa_host_share_ranges(reg->constituents, nr_ranges);  in __do_ffa_mem_xfer()
496 		if (res->a0 != FFA_MEM_FRAG_RX)  in __do_ffa_mem_xfer()
499 		if (res->a3 != fraglen)  in __do_ffa_mem_xfer()
501 	} else if (res->a0 != FFA_SUCCESS) {  in __do_ffa_mem_xfer()
513 	WARN_ON(ffa_host_unshare_ranges(reg->constituents, nr_ranges));  in __do_ffa_mem_xfer()
531 	struct ffa_composite_mem_region *reg;  in do_ffa_mem_reclaim()  local
549 	if (res->a0 != FFA_MEM_RETRIEVE_RESP)  in do_ffa_mem_reclaim()
552 	len = res->a1;  in do_ffa_mem_reclaim()
553 	fraglen = res->a2;  in do_ffa_mem_reclaim()
557 	offset = ep_mem_access->composite_off;  in do_ffa_mem_reclaim()
582 		if (res->a0 != FFA_MEM_FRAG_TX) {  in do_ffa_mem_reclaim()
587 		fraglen = res->a3;  in do_ffa_mem_reclaim()
593 	if (res->a0 != FFA_SUCCESS)  in do_ffa_mem_reclaim()
596 	reg = (void *)buf + offset;  in do_ffa_mem_reclaim()
598 	WARN_ON(ffa_host_unshare_ranges(reg->constituents,  in do_ffa_mem_reclaim()
599 					reg->addr_range_cnt));  in do_ffa_mem_reclaim()
626 	/* 32-bit variants of 64-bit calls */  in ffa_call_supported()
673 		return -EOPNOTSUPP;  in hyp_ffa_post_init()
676 		return -EINVAL;  in hyp_ffa_post_init()
681 		return -EOPNOTSUPP;  in hyp_ffa_post_init()
694 		return -EINVAL;  in hyp_ffa_post_init()
698 		return -EOPNOTSUPP;  in hyp_ffa_post_init()
709 		res->a0 = FFA_RET_NOT_SUPPORTED;  in do_ffa_version()
715 		res->a0 = hyp_ffa_version;  in do_ffa_version()
727 		if (res->a0 == FFA_RET_NOT_SUPPORTED)  in do_ffa_version()
734 		res->a0 = FFA_RET_NOT_SUPPORTED;  in do_ffa_version()
737 		res->a0 = hyp_ffa_version;  in do_ffa_version()
763 	if (res->a0 != FFA_SUCCESS)  in do_ffa_part_get()
766 	count = res->a2;  in do_ffa_part_get()
775 		partition_sz  = res->a3;  in do_ffa_part_get()
797 	 * There's no way we can tell what a non-standard SMC call might  in kvm_host_ffa_handler()
801 	 * RNG access and crash reporting.  in kvm_host_ffa_handler()
805 	 * the firmware doesn't expose a mechanism to access arbitrary  in kvm_host_ffa_handler()
806 	 * non-secure memory. Short of a per-device table of SMCs, this  in kvm_host_ffa_handler()
873 	 * Firmware returns the maximum supported version of the FF-A  in hyp_ffa_init()
875 	 * backwards-compatible with the hyp according to the rules in DEN0077A  in hyp_ffa_init()
886 		return -EOPNOTSUPP;  in hyp_ffa_init()
901 			  (hyp_ffa_proxy_pages() - (2 * KVM_FFA_MBOX_NR_PAGES)),  in hyp_ffa_init()