Age | Commit message (Collapse) | Author |
|
Allow the switch to a second stage secure monitor just before
switching to non-secure.
This allows a resident piece of firmware to be active once the
kernel has been entered (the u-boot monitor is dead anyway,
its pages being reused).
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Ian Campbell <ijc@hellion.org.uk>
|
|
The current non-sec switching code suffers from one major issue:
it cannot run in secure RAM, as a large part of u-boot still needs
to be run while we're switched to non-secure.
This patch reworks the whole HYP/non-secure strategy by:
- making sure the secure code is the *last* thing u-boot executes
before entering the payload
- performing an exception return from secure mode directly into
the payload
- allowing the code to be dynamically relocated to secure RAM
before switching to non-secure.
This involves quite a bit of horrible code, specially as u-boot
relocation is quite primitive.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Ian Campbell <ijc@hellion.org.uk>
|
|
Before switching to non-secure, make sure that CNTVOFF is set
to zero on all CPUs. Otherwise, kernel running in non-secure
without HYP enabled (hence using virtual timers) may observe
timers that are not synchronized, effectively seeing time
going backward...
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Ian Campbell <ijc@hellion.org.uk>
|
|
A CP15 instruction execution can be reordered, requiring an
isb to be sure it is executed in program order.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Ian Campbell <ijc@hellion.org.uk>
|
|
The lower 5 bit of MVBAR is UNK/SBZP.
So, Monitor Vector Base Address must be 32-byte aligned.
On the other hand, the secure monitor handler does not need
32-byte alignment.
This commit moves ".algin 5" directive to the correct place.
Signed-off-by: Masahiro Yamada <yamada.m@jp.panasonic.com>
Cc: Andre Przywara <andre.przywara@linaro.org>
Acked-by: Andre Przywara <andre.przywara@linaro.org>
|
|
The original creation of arch/arm/cpu/armv7/{virt-v7.c,nonsec_virt.S}
predates the SPDX conversion, so the original elaborate license
statements sneaked in.
Fix this by replacing them with the proper abbreviation.
Signed-off-by: Andre Przywara <andre.przywara@linaro.org>
|
|
For the KVM and XEN hypervisors to be usable, we need to enter the
kernel in HYP mode. Now that we already are in non-secure state,
HYP mode switching is within short reach.
While doing the non-secure switch, we have to enable the HVC
instruction and setup the HYP mode HVBAR (while still secure).
The actual switch is done by dropping back from a HYP mode handler
without actually leaving HYP mode, so we introduce a new handler
routine in our new secure exception vector table.
In the assembly switching routine we save and restore the banked LR
and SP registers around the hypercall to do the actual HYP mode
switch.
The C routine first checks whether we are in HYP mode already and
also whether the virtualization extensions are available. It also
checks whether the HYP mode switch was finally successful.
The bootm command part only calls the new function after the
non-secure switch.
Signed-off-by: Andre Przywara <andre.przywara@linaro.org>
|
|
Currently the non-secure switch is only done for the boot processor.
To enable full SMP support, we have to switch all secondary cores
into non-secure state also.
So we add an entry point for secondary CPUs coming out of low-power
state and make sure we put them into WFI again after having switched
to non-secure state.
For this we acknowledge and EOI the wake-up IPI, then go into WFI.
Once being kicked out of it later, we sanity check that the start
address has actually been changed (since another attempt to switch
to non-secure would block the core) and jump to the new address.
The actual CPU kick is done by sending an inter-processor interrupt
via the GIC to all CPU interfaces except the requesting processor.
The secondary cores will then setup their respective GIC CPU
interface.
While this approach is pretty universal across several ARMv7 boards,
we make this function weak in case someone needs to tweak this for
a specific board.
The way of setting the secondary's start address is board specific,
but mostly different only in the actual SMP pen address, so we also
provide a weak default implementation and just depend on the proper
address to be set in the config file.
Signed-off-by: Andre Przywara <andre.przywara@linaro.org>
|
|
While actually switching to non-secure state is one thing, another
part of this process is to make sure that we still have full access
to the interrupt controller (GIC).
The GIC is fully aware of secure vs. non-secure state, some
registers are banked, others may be configured to be accessible from
secure state only.
To be as generic as possible, we get the GIC memory mapped address
based on the PERIPHBASE value in the CBAR register. Since this
register is not architecturally defined, we check the MIDR before to
be from an A15 or A7.
For CPUs not having the CBAR or boards with wrong information herein
we allow providing the base address as a configuration variable.
Now that we know the GIC address, we:
a) allow private interrupts to be delivered to the core
(GICD_IGROUPR0 = 0xFFFFFFFF)
b) enable the CPU interface (GICC_CTLR[0] = 1)
c) set the priority filter to allow non-secure interrupts
(GICC_PMR = 0xFF)
Also we allow access to all coprocessor interfaces from non-secure
state by writing the appropriate bits in the NSACR register.
The generic timer base frequency register is only accessible from
secure state, so we have to program it now. Actually this should be
done from primary firmware before, but some boards seems to omit
this, so if needed we do this here with a board specific value.
The Versatile Express board does not need this, so we remove the
frequency from the configuration file here.
After having switched to non-secure state, we also enable the
non-secure GIC CPU interface, since this register is banked.
Since we need to call this routine also directly from the smp_pen
later (where we don't have any stack), we can only use caller saved
registers r0-r3 and r12 to not mess with the compiler.
Signed-off-by: Andre Przywara <andre.przywara@linaro.org>
|
|
A prerequisite for using virtualization is to be in HYP mode, which
requires the CPU to be in non-secure state first.
Add a new file in arch/arm/cpu/armv7 to hold a monitor handler routine
which switches the CPU to non-secure state by setting the NS and
associated bits.
According to the ARM architecture reference manual this should not be
done in SVC mode, so we have to setup a SMC handler for this.
We create a new vector table to avoid interference with other boards.
The MVBAR register will be programmed later just before the smc call.
Signed-off-by: Andre Przywara <andre.przywara@linaro.org>
|