mirror of
https://github.com/u-boot/u-boot.git
synced 2024-12-21 02:33:27 +08:00
38510a4b34
Allow the switch to a second stage secure monitor just before switching to non-secure. This allows a resident piece of firmware to be active once the kernel has been entered (the u-boot monitor is dead anyway, its pages being reused). Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> Acked-by: Ian Campbell <ijc@hellion.org.uk>
203 lines
5.1 KiB
ArmAsm
203 lines
5.1 KiB
ArmAsm
/*
|
|
* code for switching cores into non-secure state and into HYP mode
|
|
*
|
|
* Copyright (c) 2013 Andre Przywara <andre.przywara@linaro.org>
|
|
*
|
|
* SPDX-License-Identifier: GPL-2.0+
|
|
*/
|
|
|
|
#include <config.h>
|
|
#include <linux/linkage.h>
|
|
#include <asm/gic.h>
|
|
#include <asm/armv7.h>
|
|
#include <asm/proc-armv/ptrace.h>
|
|
|
|
.arch_extension sec
|
|
.arch_extension virt
|
|
|
|
.pushsection ._secure.text, "ax"
|
|
|
|
.align 5
|
|
/* the vector table for secure state and HYP mode */
|
|
_monitor_vectors:
|
|
.word 0 /* reset */
|
|
.word 0 /* undef */
|
|
adr pc, _secure_monitor
|
|
.word 0
|
|
.word 0
|
|
.word 0
|
|
.word 0
|
|
.word 0
|
|
|
|
.macro is_cpu_virt_capable tmp
|
|
mrc p15, 0, \tmp, c0, c1, 1 @ read ID_PFR1
|
|
and \tmp, \tmp, #CPUID_ARM_VIRT_MASK @ mask virtualization bits
|
|
cmp \tmp, #(1 << CPUID_ARM_VIRT_SHIFT)
|
|
.endm
|
|
|
|
/*
|
|
* secure monitor handler
|
|
* U-boot calls this "software interrupt" in start.S
|
|
* This is executed on a "smc" instruction, we use a "smc #0" to switch
|
|
* to non-secure state.
|
|
* r0, r1, r2: passed to the callee
|
|
* ip: target PC
|
|
*/
|
|
_secure_monitor:
|
|
#ifdef CONFIG_ARMV7_PSCI
|
|
ldr r5, =_psci_vectors @ Switch to the next monitor
|
|
mcr p15, 0, r5, c12, c0, 1
|
|
isb
|
|
|
|
@ Obtain a secure stack, and configure the PSCI backend
|
|
bl psci_arch_init
|
|
#endif
|
|
|
|
mrc p15, 0, r5, c1, c1, 0 @ read SCR
|
|
bic r5, r5, #0x4a @ clear IRQ, EA, nET bits
|
|
orr r5, r5, #0x31 @ enable NS, AW, FW bits
|
|
@ FIQ preserved for secure mode
|
|
mov r6, #SVC_MODE @ default mode is SVC
|
|
is_cpu_virt_capable r4
|
|
#ifdef CONFIG_ARMV7_VIRT
|
|
orreq r5, r5, #0x100 @ allow HVC instruction
|
|
moveq r6, #HYP_MODE @ Enter the kernel as HYP
|
|
#endif
|
|
|
|
mcr p15, 0, r5, c1, c1, 0 @ write SCR (with NS bit set)
|
|
isb
|
|
|
|
bne 1f
|
|
|
|
@ Reset CNTVOFF to 0 before leaving monitor mode
|
|
mrc p15, 0, r4, c0, c1, 1 @ read ID_PFR1
|
|
ands r4, r4, #CPUID_ARM_GENTIMER_MASK @ test arch timer bits
|
|
movne r4, #0
|
|
mcrrne p15, 4, r4, r4, c14 @ Reset CNTVOFF to zero
|
|
1:
|
|
mov lr, ip
|
|
mov ip, #(F_BIT | I_BIT | A_BIT) @ Set A, I and F
|
|
tst lr, #1 @ Check for Thumb PC
|
|
orrne ip, ip, #T_BIT @ Set T if Thumb
|
|
orr ip, ip, r6 @ Slot target mode in
|
|
msr spsr_cxfs, ip @ Set full SPSR
|
|
movs pc, lr @ ERET to non-secure
|
|
|
|
ENTRY(_do_nonsec_entry)
|
|
mov ip, r0
|
|
mov r0, r1
|
|
mov r1, r2
|
|
mov r2, r3
|
|
smc #0
|
|
ENDPROC(_do_nonsec_entry)
|
|
|
|
.macro get_cbar_addr addr
|
|
#ifdef CONFIG_ARM_GIC_BASE_ADDRESS
|
|
ldr \addr, =CONFIG_ARM_GIC_BASE_ADDRESS
|
|
#else
|
|
mrc p15, 4, \addr, c15, c0, 0 @ read CBAR
|
|
bfc \addr, #0, #15 @ clear reserved bits
|
|
#endif
|
|
.endm
|
|
|
|
.macro get_gicd_addr addr
|
|
get_cbar_addr \addr
|
|
add \addr, \addr, #GIC_DIST_OFFSET @ GIC dist i/f offset
|
|
.endm
|
|
|
|
.macro get_gicc_addr addr, tmp
|
|
get_cbar_addr \addr
|
|
is_cpu_virt_capable \tmp
|
|
movne \tmp, #GIC_CPU_OFFSET_A9 @ GIC CPU offset for A9
|
|
moveq \tmp, #GIC_CPU_OFFSET_A15 @ GIC CPU offset for A15/A7
|
|
add \addr, \addr, \tmp
|
|
.endm
|
|
|
|
#ifndef CONFIG_ARMV7_PSCI
|
|
/*
|
|
* Secondary CPUs start here and call the code for the core specific parts
|
|
* of the non-secure and HYP mode transition. The GIC distributor specific
|
|
* code has already been executed by a C function before.
|
|
* Then they go back to wfi and wait to be woken up by the kernel again.
|
|
*/
|
|
ENTRY(_smp_pen)
|
|
cpsid i
|
|
cpsid f
|
|
|
|
bl _nonsec_init
|
|
|
|
adr r0, _smp_pen @ do not use this address again
|
|
b smp_waitloop @ wait for IPIs, board specific
|
|
ENDPROC(_smp_pen)
|
|
#endif
|
|
|
|
/*
|
|
* Switch a core to non-secure state.
|
|
*
|
|
* 1. initialize the GIC per-core interface
|
|
* 2. allow coprocessor access in non-secure modes
|
|
*
|
|
* Called from smp_pen by secondary cores and directly by the BSP.
|
|
* Do not assume that the stack is available and only use registers
|
|
* r0-r3 and r12.
|
|
*
|
|
* PERIPHBASE is used to get the GIC address. This could be 40 bits long,
|
|
* though, but we check this in C before calling this function.
|
|
*/
|
|
ENTRY(_nonsec_init)
|
|
get_gicd_addr r3
|
|
|
|
mvn r1, #0 @ all bits to 1
|
|
str r1, [r3, #GICD_IGROUPRn] @ allow private interrupts
|
|
|
|
get_gicc_addr r3, r1
|
|
|
|
mov r1, #3 @ Enable both groups
|
|
str r1, [r3, #GICC_CTLR] @ and clear all other bits
|
|
mov r1, #0xff
|
|
str r1, [r3, #GICC_PMR] @ set priority mask register
|
|
|
|
mrc p15, 0, r0, c1, c1, 2
|
|
movw r1, #0x3fff
|
|
movt r1, #0x0004
|
|
orr r0, r0, r1
|
|
mcr p15, 0, r0, c1, c1, 2 @ NSACR = all copros to non-sec
|
|
|
|
/* The CNTFRQ register of the generic timer needs to be
|
|
* programmed in secure state. Some primary bootloaders / firmware
|
|
* omit this, so if the frequency is provided in the configuration,
|
|
* we do this here instead.
|
|
* But first check if we have the generic timer.
|
|
*/
|
|
#ifdef CONFIG_SYS_CLK_FREQ
|
|
mrc p15, 0, r0, c0, c1, 1 @ read ID_PFR1
|
|
and r0, r0, #CPUID_ARM_GENTIMER_MASK @ mask arch timer bits
|
|
cmp r0, #(1 << CPUID_ARM_GENTIMER_SHIFT)
|
|
ldreq r1, =CONFIG_SYS_CLK_FREQ
|
|
mcreq p15, 0, r1, c14, c0, 0 @ write CNTFRQ
|
|
#endif
|
|
|
|
adr r1, _monitor_vectors
|
|
mcr p15, 0, r1, c12, c0, 1 @ set MVBAR to secure vectors
|
|
isb
|
|
|
|
mov r0, r3 @ return GICC address
|
|
bx lr
|
|
ENDPROC(_nonsec_init)
|
|
|
|
#ifdef CONFIG_SMP_PEN_ADDR
|
|
/* void __weak smp_waitloop(unsigned previous_address); */
|
|
ENTRY(smp_waitloop)
|
|
wfi
|
|
ldr r1, =CONFIG_SMP_PEN_ADDR @ load start address
|
|
ldr r1, [r1]
|
|
cmp r0, r1 @ make sure we dont execute this code
|
|
beq smp_waitloop @ again (due to a spurious wakeup)
|
|
mov r0, r1
|
|
b _do_nonsec_entry
|
|
ENDPROC(smp_waitloop)
|
|
.weak smp_waitloop
|
|
#endif
|
|
|
|
.popsection
|