1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * FF-A v1.0 proxy to filter out invalid memory-sharing SMC calls issued by
4 * the host. FF-A is a slightly more palatable abbreviation of "Arm Firmware
5 * Framework for Arm A-profile", which is specified by Arm in document
6 * number DEN0077.
7 *
8 * Copyright (C) 2022 - Google LLC
9 * Author: Andrew Walbran <qwandor@google.com>
10 *
11 * This driver hooks into the SMC trapping logic for the host and intercepts
12 * all calls falling within the FF-A range. Each call is either:
13 *
14 * - Forwarded on unmodified to the SPMD at EL3
15 * - Rejected as "unsupported"
16 * - Accompanied by a host stage-2 page-table check/update and reissued
17 *
18 * Consequently, any attempts by the host to make guest memory pages
19 * accessible to the secure world using FF-A will be detected either here
20 * (in the case that the memory is already owned by the guest) or during
21 * donation to the guest (in the case that the memory was previously shared
22 * with the secure world).
23 *
24 * To allow the rolling-back of page-table updates and FF-A calls in the
25 * event of failure, operations involving the RXTX buffers are locked for
26 * the duration and are therefore serialised.
27 */
28
29 #include <linux/arm_ffa.h>
30 #include <asm/kvm_hypevents.h>
31 #include <asm/kvm_pkvm.h>
32 #include <kvm/arm_hypercalls.h>
33 #include <asm/virt.h>
34
35 #include <nvhe/arm-smccc.h>
36 #include <nvhe/alloc.h>
37 #include <nvhe/ffa.h>
38 #include <nvhe/mem_protect.h>
39 #include <nvhe/memory.h>
40 #include <nvhe/pkvm.h>
41 #include <nvhe/trap_handler.h>
42 #include <nvhe/spinlock.h>
43
44 #define VM_FFA_SUPPORTED(vcpu) ((vcpu)->kvm->arch.pkvm.ffa_support)
45 #define FFA_INVALID_SPM_HANDLE (BIT(63) - 1)
46
47 /* The maximum number of secure partitions that can register for VM availability */
48 #define FFA_MAX_VM_AVAIL_SPS (8)
49 #define FFA_VM_AVAIL_SPS_OOM (-2)
50
51 #define FFA_PART_VM_AVAIL_MASK (FFA_PARTITION_DIRECT_RECV |\
52 FFA_PARTITION_HYP_CREATE_VM |\
53 FFA_PARTITION_HYP_DESTROY_VM)
54 #define FFA_PART_SUPPORTS_VM_AVAIL (FFA_PART_VM_AVAIL_MASK)
55
56 /*
57 * A buffer to hold the maximum descriptor size we can see from the host,
58 * which is required when the SPMD returns a fragmented FFA_MEM_RETRIEVE_RESP
59 * when resolving the handle on the reclaim path.
60 */
61 struct kvm_ffa_descriptor_buffer {
62 void *buf;
63 size_t len;
64 };
65
66 static struct kvm_ffa_descriptor_buffer ffa_desc_buf;
67
68 struct ffa_translation {
69 struct list_head node;
70 u64 ipa;
71 phys_addr_t pa;
72 };
73
74 struct ffa_handle {
75 u64 handle: 63;
76 u64 is_lend: 1;
77 };
78
79 /*
80 * Note that we don't currently lock these buffers explicitly, instead
81 * relying on the locking of the hyp FFA buffers.
82 */
83 static struct kvm_ffa_buffers hyp_buffers;
84 static struct kvm_ffa_buffers host_buffers;
85 static u32 hyp_ffa_version;
86 static bool has_version_negotiated;
87 static bool has_hyp_ffa_buffer_mapped;
88 static bool has_host_signalled;
89
90 static struct ffa_handle *spm_handles, *spm_free_handle;
91 static u32 num_spm_handles;
92
93 static DEFINE_HYP_SPINLOCK(version_lock);
94 static DEFINE_HYP_SPINLOCK(kvm_ffa_hyp_lock);
95
96 /* Secure partitions that can receive VM availability messages */
97 struct kvm_ffa_vm_avail_sp {
98 u16 sp_id;
99 bool wants_create;
100 bool wants_destroy;
101 };
102
103 static struct kvm_ffa_vm_avail_sp vm_avail_sps[FFA_MAX_VM_AVAIL_SPS];
104 static int num_vm_avail_sps = -1;
105
ffa_get_buffers(struct pkvm_hyp_vcpu * hyp_vcpu)106 static struct kvm_ffa_buffers *ffa_get_buffers(struct pkvm_hyp_vcpu *hyp_vcpu)
107 {
108 if (!hyp_vcpu)
109 return &host_buffers;
110
111 return &pkvm_hyp_vcpu_to_hyp_vm(hyp_vcpu)->ffa_buf;
112 }
113
114 DECLARE_STATIC_KEY_FALSE(kvm_ffa_unmap_on_lend);
115
ffa_host_store_handle(u64 ffa_handle,bool is_lend)116 static int ffa_host_store_handle(u64 ffa_handle, bool is_lend)
117 {
118 u32 i;
119 struct ffa_handle *free_handle = NULL;
120
121 if (!static_branch_unlikely(&kvm_ffa_unmap_on_lend))
122 return 0;
123
124 if (spm_free_handle) {
125 WARN_ON(spm_free_handle < spm_handles ||
126 spm_free_handle >= (spm_handles + num_spm_handles));
127 free_handle = spm_free_handle;
128 spm_free_handle = NULL;
129 } else {
130 for (i = 0; i < num_spm_handles; i++)
131 if (spm_handles[i].handle == FFA_INVALID_SPM_HANDLE)
132 break;
133
134 if (i == num_spm_handles)
135 return -ENOSPC;
136
137 free_handle = &spm_handles[i];
138 }
139
140 free_handle->handle = ffa_handle;
141 free_handle->is_lend = is_lend;
142 return 0;
143 }
144
ffa_host_get_handle(u64 ffa_handle)145 static struct ffa_handle *ffa_host_get_handle(u64 ffa_handle)
146 {
147 u32 i;
148
149 for (i = 0; i < num_spm_handles; i++)
150 if (spm_handles[i].handle == ffa_handle)
151 return &spm_handles[i];
152 return NULL;
153 }
154
ffa_host_clear_handle(u64 ffa_handle)155 static int ffa_host_clear_handle(u64 ffa_handle)
156 {
157 struct ffa_handle *entry = ffa_host_get_handle(ffa_handle);
158
159 if (!entry)
160 return -EINVAL;
161
162 entry->handle = FFA_INVALID_SPM_HANDLE;
163 spm_free_handle = entry;
164 return 0;
165 }
166
ffa_to_smccc_error(struct arm_smccc_res * res,u64 ffa_errno)167 static void ffa_to_smccc_error(struct arm_smccc_res *res, u64 ffa_errno)
168 {
169 *res = (struct arm_smccc_res) {
170 .a0 = FFA_ERROR,
171 .a2 = ffa_errno,
172 };
173 }
174
ffa_to_smccc_res_prop(struct arm_smccc_res * res,int ret,u64 prop)175 static void ffa_to_smccc_res_prop(struct arm_smccc_res *res, int ret, u64 prop)
176 {
177 if (ret == FFA_RET_SUCCESS) {
178 *res = (struct arm_smccc_res) { .a0 = FFA_SUCCESS,
179 .a2 = prop };
180 } else {
181 ffa_to_smccc_error(res, ret);
182 }
183 }
184
ffa_to_smccc_res(struct arm_smccc_res * res,int ret)185 static void ffa_to_smccc_res(struct arm_smccc_res *res, int ret)
186 {
187 ffa_to_smccc_res_prop(res, ret, 0);
188 }
189
ffa_set_retval(struct kvm_cpu_context * ctxt,struct arm_smccc_res * res)190 static void ffa_set_retval(struct kvm_cpu_context *ctxt,
191 struct arm_smccc_res *res)
192 {
193 cpu_reg(ctxt, 0) = res->a0;
194 cpu_reg(ctxt, 1) = res->a1;
195 cpu_reg(ctxt, 2) = res->a2;
196 cpu_reg(ctxt, 3) = res->a3;
197 }
198
ffa_map_hyp_buffers(u64 ffa_page_count)199 static int ffa_map_hyp_buffers(u64 ffa_page_count)
200 {
201 struct arm_smccc_res res;
202
203 /*
204 * Ensure that the read of `has_hyp_ffa_buffer_mapped` is visible
205 * to other CPUs before proceeding.
206 */
207 if (smp_load_acquire(&has_hyp_ffa_buffer_mapped))
208 return 0;
209
210 arm_smccc_1_1_smc(FFA_FN64_RXTX_MAP,
211 hyp_virt_to_phys(hyp_buffers.tx),
212 hyp_virt_to_phys(hyp_buffers.rx),
213 ffa_page_count,
214 0, 0, 0, 0,
215 &res);
216 if (res.a0 != FFA_SUCCESS)
217 return res.a2;
218
219 /*
220 * Ensure that the write to `has_hyp_ffa_buffer_mapped` is visible
221 * to other CPUs after the previous operations.
222 */
223 smp_store_release(&has_hyp_ffa_buffer_mapped, true);
224
225 return res.a0 == FFA_SUCCESS ? FFA_RET_SUCCESS : res.a2;
226 }
227
ffa_unmap_hyp_buffers(void)228 static int ffa_unmap_hyp_buffers(void)
229 {
230 struct arm_smccc_res res;
231
232 /*
233 * Ensure that the read of `has_hyp_ffa_buffer_mapped` is visible
234 * to other CPUs before proceeding.
235 */
236 if (!smp_load_acquire(&has_hyp_ffa_buffer_mapped))
237 return 0;
238
239 arm_smccc_1_1_smc(FFA_RXTX_UNMAP,
240 HOST_FFA_ID,
241 0, 0, 0, 0, 0, 0,
242 &res);
243 if (res.a0 != FFA_SUCCESS)
244 return res.a2;
245
246 /*
247 * Ensure that the write to `has_hyp_ffa_buffer_mapped` is visible
248 * to other CPUs after the previous operations.
249 */
250 smp_store_release(&has_hyp_ffa_buffer_mapped, false);
251
252 return FFA_RET_SUCCESS;
253 }
254
ffa_mem_frag_tx(struct arm_smccc_res * res,u32 handle_lo,u32 handle_hi,u32 fraglen,u32 endpoint_id)255 static void ffa_mem_frag_tx(struct arm_smccc_res *res, u32 handle_lo,
256 u32 handle_hi, u32 fraglen, u32 endpoint_id)
257 {
258 arm_smccc_1_1_smc(FFA_MEM_FRAG_TX,
259 handle_lo, handle_hi, fraglen, endpoint_id,
260 0, 0, 0,
261 res);
262 }
263
ffa_mem_frag_rx(struct arm_smccc_res * res,u32 handle_lo,u32 handle_hi,u32 fragoff)264 static void ffa_mem_frag_rx(struct arm_smccc_res *res, u32 handle_lo,
265 u32 handle_hi, u32 fragoff)
266 {
267 arm_smccc_1_1_smc(FFA_MEM_FRAG_RX,
268 handle_lo, handle_hi, fragoff, HOST_FFA_ID,
269 0, 0, 0,
270 res);
271 }
272
ffa_mem_xfer(struct arm_smccc_res * res,u64 func_id,u32 len,u32 fraglen)273 static void ffa_mem_xfer(struct arm_smccc_res *res, u64 func_id, u32 len,
274 u32 fraglen)
275 {
276 arm_smccc_1_1_smc(func_id, len, fraglen,
277 0, 0, 0, 0, 0,
278 res);
279 }
280
ffa_mem_reclaim(struct arm_smccc_res * res,u32 handle_lo,u32 handle_hi,u32 flags)281 static void ffa_mem_reclaim(struct arm_smccc_res *res, u32 handle_lo,
282 u32 handle_hi, u32 flags)
283 {
284 arm_smccc_1_1_smc(FFA_MEM_RECLAIM,
285 handle_lo, handle_hi, flags,
286 0, 0, 0, 0,
287 res);
288 }
289
ffa_retrieve_req(struct arm_smccc_res * res,u32 len)290 static void ffa_retrieve_req(struct arm_smccc_res *res, u32 len)
291 {
292 arm_smccc_1_1_smc(FFA_FN64_MEM_RETRIEVE_REQ,
293 len, len,
294 0, 0, 0, 0, 0,
295 res);
296 }
297
ffa_rx_release(struct arm_smccc_res * res)298 static void ffa_rx_release(struct arm_smccc_res *res)
299 {
300 arm_smccc_1_1_smc(FFA_RX_RELEASE,
301 0, 0,
302 0, 0, 0, 0, 0,
303 res);
304 }
305
parse_vm_availability_resp(u32 partition_sz,u32 count)306 static int parse_vm_availability_resp(u32 partition_sz, u32 count)
307 {
308 struct ffa_partition_info *part;
309 u32 i, j, off;
310 bool supports_direct_recv, wants_create, wants_destroy;
311
312 if (num_vm_avail_sps >= 0)
313 return FFA_RET_SUCCESS;
314 if (num_vm_avail_sps == FFA_VM_AVAIL_SPS_OOM)
315 return FFA_RET_NO_MEMORY;
316
317 num_vm_avail_sps = 0;
318 for (i = 0; i < count; i++) {
319 if (check_mul_overflow(i, partition_sz, &off))
320 return FFA_RET_INVALID_PARAMETERS;
321
322 if (off >= KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)
323 return FFA_RET_INVALID_PARAMETERS;
324
325 part = hyp_buffers.rx + off;
326 supports_direct_recv = part->properties & FFA_PARTITION_DIRECT_RECV;
327 wants_create = part->properties & FFA_PARTITION_HYP_CREATE_VM;
328 wants_destroy = part->properties & FFA_PARTITION_HYP_DESTROY_VM;
329
330 if (supports_direct_recv && (wants_create || wants_destroy)) {
331 /* Check for duplicate SP IDs */
332 for (j = 0; j < num_vm_avail_sps; j++)
333 if (vm_avail_sps[j].sp_id == part->id)
334 break;
335
336 if (j == num_vm_avail_sps) {
337 if (num_vm_avail_sps >= FFA_MAX_VM_AVAIL_SPS) {
338 /* We ran out of space in the array */
339 num_vm_avail_sps = FFA_VM_AVAIL_SPS_OOM;
340 return FFA_RET_NO_MEMORY;
341 }
342
343 vm_avail_sps[num_vm_avail_sps].sp_id = part->id;
344 vm_avail_sps[num_vm_avail_sps].wants_create = wants_create;
345 vm_avail_sps[num_vm_avail_sps].wants_destroy = wants_destroy;
346 num_vm_avail_sps++;
347 }
348 }
349 }
350
351 return FFA_RET_SUCCESS;
352 }
353
kvm_notify_vm_availability(uint16_t vm_handle,struct kvm_ffa_buffers * ffa_buf,u32 availability_msg)354 static int kvm_notify_vm_availability(uint16_t vm_handle, struct kvm_ffa_buffers *ffa_buf,
355 u32 availability_msg)
356 {
357 int i;
358 struct arm_smccc_res res;
359 u64 avail_bit = availability_msg != FFA_VM_DESTRUCTION_MSG;
360
361 for (i = 0; i < num_vm_avail_sps; i++) {
362 u64 sp_mask = 1UL << i;
363 u64 avail_value = avail_bit << i;
364 uint32_t dest = ((uint32_t)vm_avail_sps[i].sp_id << 16) | hyp_smp_processor_id();
365
366 if ((ffa_buf->vm_avail_bitmap & sp_mask) == avail_value &&
367 !(ffa_buf->vm_creating_bitmap & sp_mask))
368 continue;
369
370 if (avail_bit && !vm_avail_sps[i].wants_create) {
371 /*
372 * The SP did not ask for creation messages,
373 * so just mark this VM as available and
374 * continue
375 */
376 ffa_buf->vm_avail_bitmap |= avail_value;
377 continue;
378 } else if (!avail_bit && !vm_avail_sps[i].wants_destroy) {
379 /*
380 * The SP did not ask for destruction messages,
381 * so just mark this VM as not available and
382 * continue
383 */
384 ffa_buf->vm_avail_bitmap &= ~sp_mask;
385 continue;
386 }
387
388 /*
389 * Give the SP some cycles in advance,
390 * in case it got interrupted the last time.
391 *
392 * Some TEEs return NOT_SUPPORTED instead.
393 * If that happens, ignore the error and continue.
394 */
395 arm_smccc_1_1_smc(FFA_RUN, dest, 0, 0, 0, 0, 0, 0, &res);
396 if (res.a0 == FFA_ERROR && (int)res.a2 != FFA_RET_NOT_SUPPORTED)
397 return ffa_to_linux_errno(res.a2);
398 else if (res.a0 == FFA_INTERRUPT)
399 return -EINTR;
400
401 if (availability_msg == FFA_VM_DESTRUCTION_MSG &&
402 (ffa_buf->vm_creating_bitmap & sp_mask)) {
403 /*
404 * If we sent the initial creation message for this VM
405 * but never got the success response from the TEE, we
406 * need to keep trying to create it until it works.
407 * Otherwise we cannot destroy it.
408 *
409 * TODO: this is not triggered for SPs that requested only
410 * creation messages (but not destruction). In that case,
411 * we will never retry the creation message, and the SP
412 * will probably leak its state for the pending VM.
413 */
414 arm_smccc_1_1_smc(FFA_MSG_SEND_DIRECT_REQ, vm_avail_sps[i].sp_id,
415 FFA_VM_CREATION_MSG, HANDLE_LOW(FFA_INVALID_HANDLE),
416 HANDLE_HIGH(FFA_INVALID_HANDLE), vm_handle, 0, 0,
417 &res);
418
419 if (res.a0 != FFA_MSG_SEND_DIRECT_RESP)
420 return -EINVAL;
421 if (res.a3 != FFA_RET_SUCCESS)
422 return ffa_to_linux_errno(res.a3);
423
424 /* Creation completed successfully, clear the flag */
425 ffa_buf->vm_creating_bitmap &= ~sp_mask;
426 }
427
428 arm_smccc_1_1_smc(FFA_MSG_SEND_DIRECT_REQ, vm_avail_sps[i].sp_id,
429 availability_msg, HANDLE_LOW(FFA_INVALID_HANDLE),
430 HANDLE_HIGH(FFA_INVALID_HANDLE), vm_handle, 0, 0,
431 &res);
432 if (res.a0 != FFA_MSG_SEND_DIRECT_RESP)
433 return -EINVAL;
434
435 switch ((int)res.a3) {
436 case FFA_RET_SUCCESS:
437 ffa_buf->vm_avail_bitmap &= ~sp_mask;
438 ffa_buf->vm_avail_bitmap |= avail_value;
439 ffa_buf->vm_creating_bitmap &= ~sp_mask;
440 break;
441
442 case FFA_RET_INTERRUPTED:
443 case FFA_RET_RETRY:
444 if (availability_msg == FFA_VM_CREATION_MSG)
445 ffa_buf->vm_creating_bitmap |= sp_mask;
446
447 fallthrough;
448 default:
449 return ffa_to_linux_errno(res.a3);
450 }
451 }
452
453 return 0;
454 }
455
do_ffa_rxtx_map(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)456 static void do_ffa_rxtx_map(struct arm_smccc_res *res,
457 struct kvm_cpu_context *ctxt,
458 struct pkvm_hyp_vcpu *hyp_vcpu)
459 {
460 DECLARE_REG(phys_addr_t, tx, ctxt, 1);
461 DECLARE_REG(phys_addr_t, rx, ctxt, 2);
462 DECLARE_REG(u32, npages, ctxt, 3);
463 int ret = 0;
464 void *rx_virt, *tx_virt;
465 struct kvm_ffa_buffers *ffa_buf;
466
467 if (npages != (KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) / FFA_PAGE_SIZE) {
468 ret = FFA_RET_INVALID_PARAMETERS;
469 goto out;
470 }
471
472 if (!PAGE_ALIGNED(tx) || !PAGE_ALIGNED(rx)) {
473 ret = FFA_RET_INVALID_PARAMETERS;
474 goto out;
475 }
476
477 hyp_spin_lock(&kvm_ffa_hyp_lock);
478 ffa_buf = ffa_get_buffers(hyp_vcpu);
479 if (ffa_buf->tx) {
480 ret = FFA_RET_DENIED;
481 goto out_unlock;
482 }
483
484 /*
485 * Map our hypervisor buffers into the SPMD before mapping and
486 * pinning the host buffers in our own address space.
487 */
488 ret = ffa_map_hyp_buffers(npages);
489 if (ret)
490 goto out_unlock;
491
492 ret = __pkvm_host_share_hyp(hyp_phys_to_pfn(tx));
493 if (ret) {
494 ret = FFA_RET_INVALID_PARAMETERS;
495 goto err_unmap;
496 }
497
498 ret = __pkvm_host_share_hyp(hyp_phys_to_pfn(rx));
499 if (ret) {
500 ret = FFA_RET_INVALID_PARAMETERS;
501 goto err_unshare_tx;
502 }
503
504 tx_virt = hyp_phys_to_virt(tx);
505 ret = hyp_pin_shared_mem(tx_virt, tx_virt + 1);
506 if (ret) {
507 ret = FFA_RET_INVALID_PARAMETERS;
508 goto err_unshare_rx;
509 }
510
511 rx_virt = hyp_phys_to_virt(rx);
512 ret = hyp_pin_shared_mem(rx_virt, rx_virt + 1);
513 if (ret) {
514 ret = FFA_RET_INVALID_PARAMETERS;
515 goto err_unpin_tx;
516 }
517
518 ffa_buf->tx = tx_virt;
519 ffa_buf->rx = rx_virt;
520
521 out_unlock:
522 hyp_spin_unlock(&kvm_ffa_hyp_lock);
523 out:
524 ffa_to_smccc_res(res, ret);
525 return;
526
527 err_unpin_tx:
528 hyp_unpin_shared_mem(tx_virt, tx_virt + 1);
529 err_unshare_rx:
530 __pkvm_host_unshare_hyp(hyp_phys_to_pfn(rx));
531 err_unshare_tx:
532 __pkvm_host_unshare_hyp(hyp_phys_to_pfn(tx));
533 err_unmap:
534 ffa_unmap_hyp_buffers();
535 goto out_unlock;
536 }
537
do_ffa_rxtx_guest_map(struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)538 static int do_ffa_rxtx_guest_map(struct kvm_cpu_context *ctxt, struct pkvm_hyp_vcpu *hyp_vcpu)
539 {
540 DECLARE_REG(phys_addr_t, tx, ctxt, 1);
541 DECLARE_REG(phys_addr_t, rx, ctxt, 2);
542 DECLARE_REG(u32, npages, ctxt, 3);
543 int ret = 0;
544 u64 rx_va, tx_va;
545 struct kvm_ffa_buffers *ffa_buf;
546 struct kvm_hyp_req *req;
547
548 if (npages != (KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) / FFA_PAGE_SIZE)
549 return -EINVAL;
550
551 if (!PAGE_ALIGNED(tx) || !PAGE_ALIGNED(rx))
552 return -EINVAL;
553
554 ret = __pkvm_guest_share_hyp_page(hyp_vcpu, tx, &tx_va);
555 if (ret)
556 goto out_err;
557
558 ret = __pkvm_guest_share_hyp_page(hyp_vcpu, rx, &rx_va);
559 if (ret)
560 goto out_err_with_tx;
561
562 hyp_spin_lock(&kvm_ffa_hyp_lock);
563 ffa_buf = ffa_get_buffers(hyp_vcpu);
564 if (ffa_buf->tx) {
565 ret = -EACCES;
566 goto out_unlock;
567 }
568
569 ffa_buf->tx = (void *)tx_va;
570 ffa_buf->rx = (void *)rx_va;
571 ffa_buf->tx_ipa = tx;
572 ffa_buf->rx_ipa = rx;
573 out_unlock:
574 hyp_spin_unlock(&kvm_ffa_hyp_lock);
575 return ret;
576 out_err_with_tx:
577 WARN_ON(__pkvm_guest_unshare_hyp_page(hyp_vcpu, tx));
578 out_err:
579 if (ret == -EFAULT) {
580 req = pkvm_hyp_req_reserve(hyp_vcpu, KVM_HYP_REQ_TYPE_MAP);
581 if (!req || !pkvm_hyp_req_reserve(hyp_vcpu, KVM_HYP_REQ_TYPE_MAP))
582 return -ENOSPC;
583
584 req->map.guest_ipa = tx;
585 req->map.size = PAGE_SIZE;
586
587 req++;
588
589 req->map.guest_ipa = rx;
590 req->map.size = PAGE_SIZE;
591 }
592
593 return ret;
594 }
595
do_ffa_rxtx_unmap(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)596 static void do_ffa_rxtx_unmap(struct arm_smccc_res *res,
597 struct kvm_cpu_context *ctxt,
598 struct pkvm_hyp_vcpu *hyp_vcpu)
599 {
600 DECLARE_REG(u32, id, ctxt, 1);
601 int ret = 0;
602 struct kvm_ffa_buffers *ffa_buf;
603
604 if (hyp_vcpu_to_ffa_handle(hyp_vcpu) != id) {
605 ret = FFA_RET_INVALID_PARAMETERS;
606 goto out;
607 }
608
609 hyp_spin_lock(&kvm_ffa_hyp_lock);
610 ffa_buf = ffa_get_buffers(hyp_vcpu);
611 if (!ffa_buf->tx) {
612 ret = FFA_RET_INVALID_PARAMETERS;
613 goto out_unlock;
614 }
615
616 if (!hyp_vcpu) {
617 hyp_unpin_shared_mem(ffa_buf->tx, ffa_buf->tx + 1);
618 WARN_ON(__pkvm_host_unshare_hyp(hyp_virt_to_pfn(ffa_buf->tx)));
619
620 hyp_unpin_shared_mem(ffa_buf->rx, ffa_buf->rx + 1);
621 WARN_ON(__pkvm_host_unshare_hyp(hyp_virt_to_pfn(ffa_buf->rx)));
622
623 ffa_unmap_hyp_buffers();
624 } else {
625 WARN_ON(__pkvm_guest_unshare_hyp_page(hyp_vcpu, ffa_buf->tx_ipa));
626 WARN_ON(__pkvm_guest_unshare_hyp_page(hyp_vcpu, ffa_buf->rx_ipa));
627 }
628
629 ffa_buf->rx = NULL;
630 ffa_buf->tx = NULL;
631
632 out_unlock:
633 hyp_spin_unlock(&kvm_ffa_hyp_lock);
634 out:
635 ffa_to_smccc_res(res, ret);
636 }
637
__ffa_host_share_ranges(struct ffa_mem_region_addr_range * ranges,u32 nranges,bool is_lend)638 static u32 __ffa_host_share_ranges(struct ffa_mem_region_addr_range *ranges,
639 u32 nranges, bool is_lend)
640 {
641 u32 i;
642 int ret;
643
644 for (i = 0; i < nranges; ++i) {
645 struct ffa_mem_region_addr_range *range = &ranges[i];
646 u64 sz = (u64)range->pg_cnt * FFA_PAGE_SIZE;
647 u64 pfn = hyp_phys_to_pfn(range->address);
648
649 if (!PAGE_ALIGNED(sz))
650 break;
651
652 if (static_branch_unlikely(&kvm_ffa_unmap_on_lend) && is_lend)
653 ret = __pkvm_host_donate_ffa(pfn, sz / PAGE_SIZE);
654 else
655 ret = __pkvm_host_share_ffa(pfn, sz / PAGE_SIZE);
656 if (ret)
657 break;
658 }
659
660 return i;
661 }
662
663 /*
664 * Verify if the page is lent on shared and unshare it with FF-A.
665 * On success, return the number of *unshared* pages and store in the
666 * is_lend argument whether the range was shared or lent.
667 */
__ffa_host_unshare_ranges(struct ffa_mem_region_addr_range * ranges,u32 nranges,bool is_lend)668 static u32 __ffa_host_unshare_ranges(struct ffa_mem_region_addr_range *ranges,
669 u32 nranges, bool is_lend)
670 {
671 u32 i;
672 int ret;
673
674 for (i = 0; i < nranges; ++i) {
675 struct ffa_mem_region_addr_range *range = &ranges[i];
676 u64 sz = (u64)range->pg_cnt * FFA_PAGE_SIZE;
677 u64 pfn = hyp_phys_to_pfn(range->address);
678
679 if (!PAGE_ALIGNED(sz))
680 break;
681
682 if (static_branch_unlikely(&kvm_ffa_unmap_on_lend) && is_lend)
683 ret = __pkvm_host_reclaim_ffa(pfn, sz / PAGE_SIZE);
684 else
685
686 ret = __pkvm_host_unshare_ffa(pfn, sz / PAGE_SIZE);
687 if (ret)
688 break;
689 }
690
691 return i;
692 }
693
ffa_store_translation(struct ffa_mem_transfer * transfer,u64 ipa,phys_addr_t pa)694 static int ffa_store_translation(struct ffa_mem_transfer *transfer, u64 ipa, phys_addr_t pa)
695 {
696 struct ffa_translation *tr;
697
698 tr = hyp_alloc(sizeof(struct ffa_translation));
699 if (!tr)
700 return -ENOMEM;
701
702 tr->ipa = ipa;
703 tr->pa = pa;
704 list_add(&tr->node, &transfer->translations);
705
706 return 0;
707 }
708
ffa_guest_unshare_ranges(struct pkvm_hyp_vcpu * vcpu,struct ffa_mem_transfer * transfer)709 static void ffa_guest_unshare_ranges(struct pkvm_hyp_vcpu *vcpu,
710 struct ffa_mem_transfer *transfer)
711 {
712 struct ffa_translation *translation, *tmp;
713
714 list_for_each_entry_safe(translation, tmp, &transfer->translations, node) {
715 WARN_ON(__pkvm_guest_unshare_ffa_page(vcpu, translation->ipa));
716 list_del(&translation->node);
717 hyp_free(translation);
718 }
719 }
720
ffa_guest_share_ranges(struct ffa_mem_region_addr_range * ranges,u32 nranges,struct pkvm_hyp_vcpu * vcpu,struct ffa_composite_mem_region * out_region,size_t reg_len,struct ffa_mem_transfer * transfer)721 static int ffa_guest_share_ranges(struct ffa_mem_region_addr_range *ranges,
722 u32 nranges, struct pkvm_hyp_vcpu *vcpu,
723 struct ffa_composite_mem_region *out_region,
724 size_t reg_len,
725 struct ffa_mem_transfer *transfer)
726 {
727 struct ffa_mem_region_addr_range *range;
728 struct ffa_mem_region_addr_range *buf = out_region->constituents;
729 int i, j, ret;
730 u32 mem_region_idx = 0;
731 u64 ipa, pa, offset;
732
733 for (i = 0; i < nranges; i++) {
734 range = &ranges[i];
735 for (j = 0; j < range->pg_cnt; j++) {
736 if (mem_region_idx * sizeof(struct ffa_mem_region_addr_range) >= reg_len) {
737 ret = -EINVAL;
738 goto unshare;
739 }
740
741 if (check_mul_overflow(j, PAGE_SIZE, &offset) ||
742 check_add_overflow(range->address, offset, &ipa)) {
743 ret = -EINVAL;
744 goto unshare;
745 }
746
747 ret = __pkvm_guest_share_ffa_page(vcpu, ipa, &pa);
748 if (ret)
749 goto unshare;
750
751 ret = ffa_store_translation(transfer, ipa, pa);
752 if (ret) {
753 WARN_ON(__pkvm_guest_unshare_ffa_page(vcpu, ipa));
754 goto unshare;
755 }
756
757 buf[mem_region_idx].address = pa;
758 buf[mem_region_idx].pg_cnt = 1;
759
760 if (mem_region_idx + 1 < mem_region_idx) {
761 ret = -EINVAL;
762 goto unshare;
763 }
764
765 mem_region_idx++;
766 }
767 }
768
769 out_region->addr_range_cnt = mem_region_idx;
770 return 0;
771 unshare:
772 ffa_guest_unshare_ranges(vcpu, transfer);
773 return ret;
774 }
775
ffa_host_share_ranges(struct ffa_mem_region_addr_range * ranges,u32 nranges,bool is_lend)776 static int ffa_host_share_ranges(struct ffa_mem_region_addr_range *ranges,
777 u32 nranges, bool is_lend)
778 {
779 u32 nshared = __ffa_host_share_ranges(ranges, nranges, is_lend);
780 int ret = 0;
781
782 if (nshared != nranges) {
783 WARN_ON(__ffa_host_unshare_ranges(ranges, nshared, is_lend) != nshared);
784 ret = -EACCES;
785 }
786
787 return ret;
788 }
789
ffa_host_unshare_ranges(struct ffa_mem_region_addr_range * ranges,u32 nranges,bool is_lend)790 static int ffa_host_unshare_ranges(struct ffa_mem_region_addr_range *ranges,
791 u32 nranges, bool is_lend)
792 {
793 int ret = 0;
794 u32 nunshared = __ffa_host_unshare_ranges(ranges, nranges, is_lend);
795
796 if (nunshared != nranges) {
797 WARN_ON(__ffa_host_share_ranges(ranges, nunshared, is_lend) != nunshared);
798 ret = -EACCES;
799 }
800
801 return ret;
802 }
803
do_ffa_mem_frag_tx(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)804 static void do_ffa_mem_frag_tx(struct arm_smccc_res *res,
805 struct kvm_cpu_context *ctxt,
806 struct pkvm_hyp_vcpu *hyp_vcpu)
807 {
808 DECLARE_REG(u32, handle_lo, ctxt, 1);
809 DECLARE_REG(u32, handle_hi, ctxt, 2);
810 DECLARE_REG(u32, fraglen, ctxt, 3);
811 DECLARE_REG(u32, endpoint_id, ctxt, 4);
812 struct ffa_mem_region_addr_range *buf;
813 int ret = FFA_RET_INVALID_PARAMETERS;
814 u32 nr_ranges;
815 struct kvm_ffa_buffers *ffa_buf;
816 bool is_lend = false;
817 u64 host_handle = PACK_HANDLE(handle_lo, handle_hi);
818 struct ffa_handle *entry;
819
820 if (fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)
821 goto out;
822
823 if (fraglen % sizeof(*buf))
824 goto out;
825
826 hyp_spin_lock(&kvm_ffa_hyp_lock);
827 ffa_buf = ffa_get_buffers(hyp_vcpu);
828 if (!ffa_buf->tx)
829 goto out_unlock;
830
831 buf = hyp_buffers.tx;
832 memcpy(buf, ffa_buf->tx, fraglen);
833 nr_ranges = fraglen / sizeof(*buf);
834
835 if (static_branch_unlikely(&kvm_ffa_unmap_on_lend)) {
836 entry = ffa_host_get_handle(host_handle);
837 if (!entry) {
838 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
839 goto out_unlock;
840 }
841
842 is_lend = entry->is_lend;
843 }
844
845 ret = ffa_host_share_ranges(buf, nr_ranges, is_lend);
846 if (ret) {
847 /*
848 * We're effectively aborting the transaction, so we need
849 * to restore the global state back to what it was prior to
850 * transmission of the first fragment.
851 */
852 ffa_mem_reclaim(res, handle_lo, handle_hi, 0);
853 WARN_ON(res->a0 != FFA_SUCCESS);
854 goto out_unlock;
855 }
856
857 ffa_mem_frag_tx(res, handle_lo, handle_hi, fraglen, endpoint_id);
858 if (res->a0 != FFA_SUCCESS && res->a0 != FFA_MEM_FRAG_RX)
859 WARN_ON(ffa_host_unshare_ranges(buf, nr_ranges, is_lend));
860
861 out_unlock:
862 hyp_spin_unlock(&kvm_ffa_hyp_lock);
863 out:
864 if (ret)
865 ffa_to_smccc_res(res, ret);
866
867 /*
868 * If for any reason this did not succeed, we're in trouble as we have
869 * now lost the content of the previous fragments and we can't rollback
870 * the host stage-2 changes. The pages previously marked as shared will
871 * remain stuck in that state forever, hence preventing the host from
872 * sharing/donating them again and may possibly lead to subsequent
873 * failures, but this will not compromise confidentiality.
874 */
875 return;
876 }
877
is_page_count_valid(struct ffa_composite_mem_region * reg,u32 nranges)878 static bool is_page_count_valid(struct ffa_composite_mem_region *reg,
879 u32 nranges)
880 {
881 u32 i, pg_cnt = 0, new_pg_cnt;
882
883 for (i = 0; i < nranges; i++) {
884 new_pg_cnt = pg_cnt + reg->constituents[i].pg_cnt;
885 if (new_pg_cnt < pg_cnt)
886 return false;
887
888 pg_cnt = new_pg_cnt;
889 }
890
891 return pg_cnt == reg->total_pg_cnt;
892 }
893
__do_ffa_mem_xfer(const u64 func_id,struct arm_smccc_res * res,struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)894 static int __do_ffa_mem_xfer(const u64 func_id,
895 struct arm_smccc_res *res,
896 struct kvm_cpu_context *ctxt,
897 struct pkvm_hyp_vcpu *hyp_vcpu)
898 {
899 DECLARE_REG(u32, len, ctxt, 1);
900 DECLARE_REG(u32, fraglen, ctxt, 2);
901 DECLARE_REG(u64, addr_mbz, ctxt, 3);
902 DECLARE_REG(u32, npages_mbz, ctxt, 4);
903 struct ffa_mem_region_attributes *ep_mem_access;
904 struct ffa_composite_mem_region *reg, *temp_reg;
905 struct ffa_mem_region *buf;
906 struct kvm_ffa_buffers *ffa_buf;
907 u32 offset, nr_ranges;
908 int ret = 0;
909 struct ffa_mem_transfer *transfer = NULL;
910 u64 ffa_handle;
911 bool is_lend = func_id == FFA_FN64_MEM_LEND;
912
913 if (addr_mbz || npages_mbz || fraglen > len ||
914 fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) {
915 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
916 return 0;
917 }
918
919 if (fraglen < sizeof(struct ffa_mem_region) +
920 sizeof(struct ffa_mem_region_attributes)) {
921 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
922 return 0;
923 }
924
925 if (hyp_vcpu) {
926 /* Reject the fragmentation API for the guest */
927 if (len != fraglen) {
928 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
929 return 0;
930 }
931
932 transfer = hyp_alloc(sizeof(struct ffa_mem_transfer));
933 if (!transfer)
934 return -ENOMEM;
935
936 INIT_LIST_HEAD(&transfer->translations);
937 }
938
939 hyp_spin_lock(&kvm_ffa_hyp_lock);
940 ffa_buf = ffa_get_buffers(hyp_vcpu);
941 if (!ffa_buf->tx) {
942 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
943 goto out_unlock;
944 }
945
946 if (len > ffa_desc_buf.len) {
947 ffa_to_smccc_error(res, FFA_RET_NO_MEMORY);
948 goto out_unlock;
949 }
950
951 buf = hyp_buffers.tx;
952 memcpy(buf, ffa_buf->tx, fraglen);
953
954 ep_mem_access = (void *)buf +
955 ffa_mem_desc_offset(buf, 0, hyp_ffa_version);
956 offset = ep_mem_access->composite_off;
957 if (!offset || buf->ep_count != 1 || buf->sender_id != hyp_vcpu_to_ffa_handle(hyp_vcpu)) {
958 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
959 goto out_unlock;
960 }
961
962 if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) {
963 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
964 goto out_unlock;
965 }
966
967 reg = (void *)buf + offset;
968 nr_ranges = ((void *)buf + fraglen) - (void *)reg->constituents;
969 if (nr_ranges % sizeof(reg->constituents[0])) {
970 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
971 goto out_unlock;
972 }
973
974 nr_ranges /= sizeof(reg->constituents[0]);
975 if (hyp_vcpu) {
976 if (!is_page_count_valid(reg, nr_ranges)) {
977 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
978 goto out_unlock;
979 }
980
981 size_t translated_sz = reg->total_pg_cnt * sizeof(struct ffa_mem_region_addr_range)
982 + offset;
983 if (translated_sz > PAGE_SIZE) {
984 ffa_to_smccc_error(res, FFA_RET_INVALID_PARAMETERS);
985 goto out_unlock;
986 }
987
988 memcpy(ffa_desc_buf.buf, buf, offset);
989 temp_reg = ffa_desc_buf.buf + offset;
990 ret = ffa_guest_share_ranges(reg->constituents, nr_ranges, hyp_vcpu,
991 temp_reg, ffa_desc_buf.len - offset,
992 transfer);
993 if (!ret) {
994 /* Re-adjust the size of the transfer after painting with PAs */
995 if (temp_reg->addr_range_cnt > reg->addr_range_cnt) {
996 u32 extra_sz = (temp_reg->addr_range_cnt - reg->addr_range_cnt) *
997 sizeof(struct ffa_mem_region_addr_range);
998 fraglen += extra_sz;
999 len += extra_sz;
1000
1001 nr_ranges = reg->addr_range_cnt = temp_reg->addr_range_cnt;
1002 }
1003
1004 memcpy(reg->constituents, temp_reg->constituents,
1005 temp_reg->addr_range_cnt * sizeof(struct ffa_mem_region_addr_range));
1006 }
1007 } else
1008 ret = ffa_host_share_ranges(reg->constituents, nr_ranges, is_lend);
1009 if (ret)
1010 goto out_unlock;
1011
1012 ffa_mem_xfer(res, func_id, len, fraglen);
1013 if (fraglen != len) {
1014 if (res->a0 != FFA_MEM_FRAG_RX)
1015 goto err_unshare;
1016
1017 if (res->a3 != fraglen)
1018 goto err_unshare;
1019
1020 ffa_handle = PACK_HANDLE(res->a1, res->a2);
1021 } else if (res->a0 == FFA_SUCCESS) {
1022 ffa_handle = PACK_HANDLE(res->a2, res->a3);
1023 } else {
1024 goto err_unshare;
1025 }
1026
1027 if (hyp_vcpu && transfer) {
1028 transfer->ffa_handle = ffa_handle;
1029 list_add(&transfer->node, &ffa_buf->xfer_list);
1030 } else if (!hyp_vcpu) {
1031 ret = ffa_host_store_handle(ffa_handle, is_lend);
1032 if (ret)
1033 goto err_unshare;
1034 }
1035 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1036 return 0;
1037 out_unlock:
1038 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1039 if (transfer)
1040 hyp_free(transfer);
1041 if (ret)
1042 ffa_to_smccc_res(res, linux_errno_to_ffa(ret));
1043 return ret;
1044 err_unshare:
1045 if (hyp_vcpu)
1046 ffa_guest_unshare_ranges(hyp_vcpu, transfer);
1047 else
1048 WARN_ON(ffa_host_unshare_ranges(reg->constituents, nr_ranges, is_lend));
1049 goto out_unlock;
1050 }
1051
1052 #define do_ffa_mem_xfer(fid, res, ctxt, hyp_vcpu) ({\
1053 BUILD_BUG_ON((fid) != FFA_FN64_MEM_SHARE && \
1054 (fid) != FFA_FN64_MEM_LEND); \
1055 __do_ffa_mem_xfer((fid), (res), (ctxt), (hyp_vcpu));\
1056 })
1057
find_transfer_by_handle(u64 ffa_handle,struct kvm_ffa_buffers * buf)1058 struct ffa_mem_transfer *find_transfer_by_handle(u64 ffa_handle, struct kvm_ffa_buffers *buf)
1059 {
1060 struct ffa_mem_transfer *transfer;
1061
1062 list_for_each_entry(transfer, &buf->xfer_list, node)
1063 if (transfer->ffa_handle == ffa_handle)
1064 return transfer;
1065 return NULL;
1066 }
1067
do_ffa_mem_reclaim(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)1068 static void do_ffa_mem_reclaim(struct arm_smccc_res *res,
1069 struct kvm_cpu_context *ctxt,
1070 struct pkvm_hyp_vcpu *hyp_vcpu)
1071 {
1072 DECLARE_REG(u32, handle_lo, ctxt, 1);
1073 DECLARE_REG(u32, handle_hi, ctxt, 2);
1074 DECLARE_REG(u32, flags, ctxt, 3);
1075 struct ffa_mem_region_attributes *ep_mem_access;
1076 struct ffa_composite_mem_region *reg;
1077 u32 offset, len, fraglen, fragoff;
1078 struct ffa_mem_region *buf;
1079 int ret = 0;
1080 u64 handle;
1081 struct ffa_mem_transfer *transfer = NULL;
1082 struct kvm_ffa_buffers *ffa_buf;
1083 struct ffa_handle *entry;
1084 bool is_lend = false;
1085
1086 handle = PACK_HANDLE(handle_lo, handle_hi);
1087
1088 hyp_spin_lock(&kvm_ffa_hyp_lock);
1089 ffa_buf = ffa_get_buffers(hyp_vcpu);
1090 if (hyp_vcpu) {
1091 transfer = find_transfer_by_handle(handle, ffa_buf);
1092 if (!transfer) {
1093 ret = FFA_RET_INVALID_PARAMETERS;
1094 goto out_unlock;
1095 }
1096
1097 goto out_reclaim;
1098 } else {
1099 transfer = __pkvm_get_vm_ffa_transfer(handle);
1100
1101 /* Prevent the host from replicating a transfer handle used by the guest */
1102 WARN_ON(transfer);
1103
1104 if (static_branch_unlikely(&kvm_ffa_unmap_on_lend)) {
1105 entry = ffa_host_get_handle(handle);
1106 if (!entry) {
1107 ret = FFA_RET_INVALID_PARAMETERS;
1108 goto out_unlock;
1109 }
1110
1111 is_lend = entry->is_lend;
1112 }
1113 }
1114
1115 buf = hyp_buffers.tx;
1116 *buf = (struct ffa_mem_region) {
1117 .handle = handle,
1118 };
1119
1120 ffa_retrieve_req(res, sizeof(*buf));
1121 buf = hyp_buffers.rx;
1122 if (res->a0 != FFA_MEM_RETRIEVE_RESP)
1123 goto out_unlock;
1124
1125 len = res->a1;
1126 fraglen = res->a2;
1127
1128 ep_mem_access = (void *)buf +
1129 ffa_mem_desc_offset(buf, 0, hyp_ffa_version);
1130 offset = ep_mem_access->composite_off;
1131 /*
1132 * We can trust the SPMD to get this right, but let's at least
1133 * check that we end up with something that doesn't look _completely_
1134 * bogus.
1135 */
1136 if (WARN_ON(offset > len ||
1137 fraglen > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE)) {
1138 ret = FFA_RET_ABORTED;
1139 ffa_rx_release(res);
1140 goto out_unlock;
1141 }
1142
1143 if (len > ffa_desc_buf.len) {
1144 ret = FFA_RET_NO_MEMORY;
1145 ffa_rx_release(res);
1146 goto out_unlock;
1147 }
1148
1149 buf = ffa_desc_buf.buf;
1150 memcpy(buf, hyp_buffers.rx, fraglen);
1151 ffa_rx_release(res);
1152
1153 for (fragoff = fraglen; fragoff < len; fragoff += fraglen) {
1154 ffa_mem_frag_rx(res, handle_lo, handle_hi, fragoff);
1155 if (res->a0 != FFA_MEM_FRAG_TX) {
1156 ret = FFA_RET_INVALID_PARAMETERS;
1157 goto out_unlock;
1158 }
1159
1160 fraglen = res->a3;
1161 memcpy((void *)buf + fragoff, hyp_buffers.rx, fraglen);
1162 ffa_rx_release(res);
1163 }
1164
1165 out_reclaim:
1166 ffa_mem_reclaim(res, handle_lo, handle_hi, flags);
1167 if (res->a0 != FFA_SUCCESS)
1168 goto out_unlock;
1169
1170 /* If the SPMD was happy, then we should be too. */
1171 if (hyp_vcpu)
1172 ffa_guest_unshare_ranges(hyp_vcpu, transfer);
1173 else {
1174 reg = (void *)buf + offset;
1175 WARN_ON(ffa_host_unshare_ranges(reg->constituents,
1176 reg->addr_range_cnt, is_lend));
1177 if (static_branch_unlikely(&kvm_ffa_unmap_on_lend))
1178 ffa_host_clear_handle(handle);
1179 }
1180
1181 if (transfer) {
1182 list_del(&transfer->node);
1183 hyp_free(transfer);
1184 }
1185 out_unlock:
1186 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1187
1188 if (ret)
1189 ffa_to_smccc_res(res, ret);
1190 }
1191
1192 /*
1193 * Is a given FFA function supported, either by forwarding on directly
1194 * or by handling at EL2?
1195 */
ffa_call_supported(u64 func_id)1196 static bool ffa_call_supported(u64 func_id)
1197 {
1198 switch (func_id) {
1199 /* Unsupported memory management calls */
1200 case FFA_FN64_MEM_RETRIEVE_REQ:
1201 case FFA_MEM_RETRIEVE_RESP:
1202 case FFA_MEM_RELINQUISH:
1203 case FFA_MEM_OP_PAUSE:
1204 case FFA_MEM_OP_RESUME:
1205 case FFA_MEM_FRAG_RX:
1206 case FFA_FN64_MEM_DONATE:
1207 /* Indirect message passing via RX/TX buffers */
1208 case FFA_MSG_SEND:
1209 case FFA_MSG_POLL:
1210 case FFA_MSG_WAIT:
1211 /* 32-bit variants of 64-bit calls */
1212 case FFA_MSG_SEND_DIRECT_RESP:
1213 case FFA_RXTX_MAP:
1214 case FFA_MEM_DONATE:
1215 case FFA_MEM_RETRIEVE_REQ:
1216 return false;
1217 }
1218
1219 return true;
1220 }
1221
do_ffa_features(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt)1222 static bool do_ffa_features(struct arm_smccc_res *res,
1223 struct kvm_cpu_context *ctxt)
1224 {
1225 DECLARE_REG(u32, id, ctxt, 1);
1226 u64 prop = 0;
1227 int ret = 0;
1228
1229 if (!ffa_call_supported(id)) {
1230 ret = FFA_RET_NOT_SUPPORTED;
1231 goto out_handled;
1232 }
1233
1234 switch (id) {
1235 case FFA_MEM_SHARE:
1236 case FFA_FN64_MEM_SHARE:
1237 case FFA_MEM_LEND:
1238 case FFA_FN64_MEM_LEND:
1239 ret = FFA_RET_SUCCESS;
1240 prop = 0; /* No support for dynamic buffers */
1241 goto out_handled;
1242 default:
1243 return false;
1244 }
1245
1246 out_handled:
1247 ffa_to_smccc_res_prop(res, ret, prop);
1248 return true;
1249 }
1250
do_ffa_guest_features(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt)1251 static void do_ffa_guest_features(struct arm_smccc_res *res, struct kvm_cpu_context *ctxt)
1252 {
1253 DECLARE_REG(u32, id, ctxt, 1);
1254 u64 prop = 0;
1255 int ret;
1256
1257 switch (id) {
1258 case FFA_MEM_SHARE:
1259 case FFA_FN64_MEM_SHARE:
1260 case FFA_MEM_LEND:
1261 case FFA_FN64_MEM_LEND:
1262 case FFA_RX_RELEASE:
1263 ret = FFA_RET_SUCCESS;
1264 goto out_handled;
1265 case FFA_RXTX_MAP:
1266 case FFA_FN64_RXTX_MAP:
1267 ret = FFA_RET_SUCCESS;
1268 if (PAGE_SIZE == SZ_4K)
1269 prop = FFA_FEAT_RXTX_MIN_SZ_4K;
1270 else if (PAGE_SIZE == SZ_64K)
1271 prop = FFA_FEAT_RXTX_MIN_SZ_64K;
1272 else if (PAGE_SIZE == SZ_16K)
1273 prop = FFA_FEAT_RXTX_MIN_SZ_16K;
1274 else /* prop == b'11 is reserved per DEN0077A v1.3 ALP1 */
1275 ret = FFA_RET_NOT_SUPPORTED;
1276 goto out_handled;
1277 default:
1278 ret = FFA_RET_NOT_SUPPORTED;
1279 goto out_handled;
1280 }
1281
1282 out_handled:
1283 ffa_to_smccc_res_prop(res, ret, prop);
1284 }
1285
do_ffa_part_get_response(struct arm_smccc_res * res,u32 uuid0,u32 uuid1,u32 uuid2,u32 uuid3,u32 flags,struct kvm_ffa_buffers * ffa_buf)1286 static void do_ffa_part_get_response(struct arm_smccc_res *res,
1287 u32 uuid0, u32 uuid1, u32 uuid2,
1288 u32 uuid3, u32 flags, struct kvm_ffa_buffers *ffa_buf)
1289 {
1290 int ret;
1291 u32 count, partition_sz, copy_sz;
1292
1293 arm_smccc_1_1_smc(FFA_PARTITION_INFO_GET, uuid0, uuid1,
1294 uuid2, uuid3, flags, 0, 0,
1295 res);
1296
1297 if (res->a0 != FFA_SUCCESS)
1298 return;
1299
1300 count = res->a2;
1301 if (!count)
1302 return;
1303
1304 if (hyp_ffa_version > FFA_VERSION_1_0) {
1305 /* Get the number of partitions deployed in the system */
1306 if (flags & 0x1)
1307 return;
1308
1309 partition_sz = res->a3;
1310 } else
1311 /* FFA_VERSION_1_0 lacks the size in the response */
1312 partition_sz = FFA_1_0_PARTITON_INFO_SZ;
1313
1314 copy_sz = partition_sz * count;
1315 if (copy_sz > KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) {
1316 ffa_to_smccc_res(res, FFA_RET_ABORTED);
1317 return;
1318 }
1319
1320 ret = parse_vm_availability_resp(partition_sz, count);
1321 if (ret)
1322 ffa_to_smccc_res(res, ret);
1323
1324 if (ffa_buf)
1325 memcpy(ffa_buf->rx, hyp_buffers.rx, copy_sz);
1326 }
1327
hyp_ffa_post_init(void)1328 static int hyp_ffa_post_init(void)
1329 {
1330 size_t min_rxtx_sz;
1331 struct arm_smccc_res res;
1332
1333 arm_smccc_1_1_smc(FFA_ID_GET, 0, 0, 0, 0, 0, 0, 0, &res);
1334 if (res.a0 != FFA_SUCCESS)
1335 return -EOPNOTSUPP;
1336
1337 if (res.a2 != HOST_FFA_ID)
1338 return -EINVAL;
1339
1340 arm_smccc_1_1_smc(FFA_FEATURES, FFA_FN64_RXTX_MAP,
1341 0, 0, 0, 0, 0, 0, &res);
1342 if (res.a0 != FFA_SUCCESS)
1343 return -EOPNOTSUPP;
1344
1345 switch (res.a2) {
1346 case FFA_FEAT_RXTX_MIN_SZ_4K:
1347 min_rxtx_sz = SZ_4K;
1348 break;
1349 case FFA_FEAT_RXTX_MIN_SZ_16K:
1350 min_rxtx_sz = SZ_16K;
1351 break;
1352 case FFA_FEAT_RXTX_MIN_SZ_64K:
1353 min_rxtx_sz = SZ_64K;
1354 break;
1355 default:
1356 return -EINVAL;
1357 }
1358
1359 if (min_rxtx_sz > PAGE_SIZE)
1360 return -EOPNOTSUPP;
1361
1362 return 0;
1363 }
1364
do_ffa_version(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt)1365 static void do_ffa_version(struct arm_smccc_res *res,
1366 struct kvm_cpu_context *ctxt)
1367 {
1368 DECLARE_REG(u32, ffa_req_version, ctxt, 1);
1369
1370 if (FFA_MAJOR_VERSION(ffa_req_version) != 1) {
1371 res->a0 = FFA_RET_NOT_SUPPORTED;
1372 return;
1373 }
1374
1375 hyp_spin_lock(&version_lock);
1376 if (has_version_negotiated) {
1377 if (FFA_MINOR_VERSION(ffa_req_version) < FFA_MINOR_VERSION(hyp_ffa_version))
1378 res->a0 = FFA_RET_NOT_SUPPORTED;
1379 else
1380 res->a0 = hyp_ffa_version;
1381 goto unlock;
1382 }
1383
1384 /*
1385 * If the client driver tries to downgrade the version, we need to ask
1386 * first if TEE supports it.
1387 */
1388 if (FFA_MINOR_VERSION(ffa_req_version) < FFA_MINOR_VERSION(hyp_ffa_version)) {
1389 arm_smccc_1_1_smc(FFA_VERSION, ffa_req_version, 0,
1390 0, 0, 0, 0, 0,
1391 res);
1392 if (res->a0 == FFA_RET_NOT_SUPPORTED)
1393 goto unlock;
1394
1395 hyp_ffa_version = ffa_req_version;
1396 }
1397
1398 if (hyp_ffa_post_init()) {
1399 res->a0 = FFA_RET_NOT_SUPPORTED;
1400 } else {
1401 /*
1402 * Ensure that the write to `has_version_negotiated` is visible
1403 * to other CPUs after the previous operations.
1404 */
1405 smp_store_release(&has_version_negotiated, true);
1406 res->a0 = hyp_ffa_version;
1407 }
1408 unlock:
1409 hyp_spin_unlock(&version_lock);
1410 }
1411
do_ffa_guest_version(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)1412 static void do_ffa_guest_version(struct arm_smccc_res *res, struct kvm_cpu_context *ctxt,
1413 struct pkvm_hyp_vcpu *hyp_vcpu)
1414 {
1415 DECLARE_REG(u32, ffa_req_version, ctxt, 1);
1416
1417 if (FFA_MAJOR_VERSION(ffa_req_version) != 1) {
1418 res->a0 = FFA_RET_NOT_SUPPORTED;
1419 return;
1420 }
1421
1422 hyp_spin_lock(&version_lock);
1423 if (has_version_negotiated)
1424 res->a0 = hyp_ffa_version;
1425 else
1426 res->a0 = FFA_RET_NOT_SUPPORTED;
1427 hyp_spin_unlock(&version_lock);
1428 }
1429
do_ffa_part_get(struct arm_smccc_res * res,struct kvm_cpu_context * ctxt,struct pkvm_hyp_vcpu * hyp_vcpu)1430 static void do_ffa_part_get(struct arm_smccc_res *res,
1431 struct kvm_cpu_context *ctxt,
1432 struct pkvm_hyp_vcpu *hyp_vcpu)
1433 {
1434 DECLARE_REG(u32, uuid0, ctxt, 1);
1435 DECLARE_REG(u32, uuid1, ctxt, 2);
1436 DECLARE_REG(u32, uuid2, ctxt, 3);
1437 DECLARE_REG(u32, uuid3, ctxt, 4);
1438 DECLARE_REG(u32, flags, ctxt, 5);
1439 struct kvm_ffa_buffers *ffa_buf;
1440
1441 hyp_spin_lock(&kvm_ffa_hyp_lock);
1442 ffa_buf = ffa_get_buffers(hyp_vcpu);
1443 if (!ffa_buf->rx) {
1444 ffa_to_smccc_res(res, FFA_RET_BUSY);
1445 goto out_unlock;
1446 }
1447
1448 do_ffa_part_get_response(res, uuid0, uuid1, uuid2, uuid3, flags, ffa_buf);
1449 out_unlock:
1450 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1451 }
1452
do_ffa_direct_msg(struct kvm_cpu_context * ctxt,u64 vm_handle)1453 static void do_ffa_direct_msg(struct kvm_cpu_context *ctxt,
1454 u64 vm_handle)
1455 {
1456 DECLARE_REG(u32, endp, ctxt, 1);
1457
1458 struct arm_smccc_1_2_regs *reg = (void *)&ctxt->regs.regs[0];
1459
1460 if (FIELD_GET(FFA_SRC_ENDPOINT_MASK, endp) != vm_handle) {
1461 struct arm_smccc_res res;
1462
1463 ffa_to_smccc_error(&res, FFA_RET_INVALID_PARAMETERS);
1464 ffa_set_retval(ctxt, &res);
1465 return;
1466 }
1467
1468 __hyp_exit();
1469 arm_smccc_1_2_smc(reg, reg);
1470 __hyp_enter();
1471 }
1472
kvm_host_ffa_signal_availability(void)1473 static int kvm_host_ffa_signal_availability(void)
1474 {
1475 int ret;
1476 struct arm_smccc_res res;
1477
1478 /*
1479 * Map our hypervisor buffers into the SPMD before mapping and
1480 * pinning the host buffers in our own address space.
1481 */
1482 ret = ffa_map_hyp_buffers((KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE) / FFA_PAGE_SIZE);
1483 if (ret)
1484 return ffa_to_linux_errno(ret);
1485
1486 do_ffa_part_get_response(&res, 0, 0, 0, 0, 0, NULL);
1487 if (res.a0 != FFA_SUCCESS)
1488 return ffa_to_linux_errno(ret);
1489
1490 ffa_rx_release(&res);
1491
1492 return kvm_notify_vm_availability(HOST_FFA_ID, &host_buffers, FFA_VM_CREATION_MSG);
1493 }
1494
kvm_host_ffa_handler(struct kvm_cpu_context * host_ctxt,u32 func_id)1495 bool kvm_host_ffa_handler(struct kvm_cpu_context *host_ctxt, u32 func_id)
1496 {
1497 struct arm_smccc_res res;
1498 int ret;
1499
1500 /*
1501 * There's no way we can tell what a non-standard SMC call might
1502 * be up to. Ideally, we would terminate these here and return
1503 * an error to the host, but sadly devices make use of custom
1504 * firmware calls for things like power management, debugging,
1505 * RNG access and crash reporting.
1506 *
1507 * Given that the architecture requires us to trust EL3 anyway,
1508 * we forward unrecognised calls on under the assumption that
1509 * the firmware doesn't expose a mechanism to access arbitrary
1510 * non-secure memory. Short of a per-device table of SMCs, this
1511 * is the best we can do.
1512 */
1513 if (!is_ffa_call(func_id))
1514 return false;
1515
1516 if (func_id != FFA_VERSION &&
1517 !smp_load_acquire(&has_version_negotiated)) {
1518 ffa_to_smccc_error(&res, FFA_RET_INVALID_PARAMETERS);
1519 goto out_handled;
1520 }
1521
1522 /*
1523 * Notify TZ of host VM creation immediately
1524 * before handling the first non-version SMC/HVC
1525 */
1526 if (func_id != FFA_VERSION && !has_host_signalled) {
1527 ret = kvm_host_ffa_signal_availability();
1528 if (!ret)
1529 /*
1530 * Ensure that the write to `has_host_signalled` is visible
1531 * to other CPUs after the previous operations.
1532 */
1533 has_host_signalled = true;
1534 else if (ret == -EAGAIN || ret == -EINTR) {
1535 /*
1536 * Don't retry with interrupts masked as we will spin
1537 * forever.
1538 */
1539 if (host_ctxt->regs.pstate & PSR_I_BIT) {
1540 ffa_to_smccc_error(&res, FFA_RET_DENIED);
1541 goto out_handled;
1542 }
1543
1544 /* Go back to the host and replay the last instruction */
1545 write_sysreg_el2(read_sysreg_el2(SYS_ELR) - 4, SYS_ELR);
1546 return true;
1547 }
1548 }
1549
1550 switch (func_id) {
1551 case FFA_FEATURES:
1552 if (!do_ffa_features(&res, host_ctxt))
1553 return false;
1554 goto out_handled;
1555 /* Memory management */
1556 case FFA_FN64_RXTX_MAP:
1557 do_ffa_rxtx_map(&res, host_ctxt, NULL);
1558 goto out_handled;
1559 case FFA_RXTX_UNMAP:
1560 do_ffa_rxtx_unmap(&res, host_ctxt, NULL);
1561 goto out_handled;
1562 case FFA_MEM_SHARE:
1563 case FFA_FN64_MEM_SHARE:
1564 do_ffa_mem_xfer(FFA_FN64_MEM_SHARE, &res, host_ctxt, NULL);
1565 goto out_handled;
1566 case FFA_MEM_RECLAIM:
1567 do_ffa_mem_reclaim(&res, host_ctxt, NULL);
1568 goto out_handled;
1569 case FFA_MEM_LEND:
1570 case FFA_FN64_MEM_LEND:
1571 do_ffa_mem_xfer(FFA_FN64_MEM_LEND, &res, host_ctxt, NULL);
1572 goto out_handled;
1573 case FFA_MEM_FRAG_TX:
1574 do_ffa_mem_frag_tx(&res, host_ctxt, NULL);
1575 goto out_handled;
1576 case FFA_VERSION:
1577 do_ffa_version(&res, host_ctxt);
1578 goto out_handled;
1579 case FFA_PARTITION_INFO_GET:
1580 do_ffa_part_get(&res, host_ctxt, NULL);
1581 goto out_handled;
1582 case FFA_RX_RELEASE:
1583 hyp_spin_lock(&kvm_ffa_hyp_lock);
1584 ffa_rx_release(&res);
1585 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1586 goto out_handled;
1587 case FFA_ID_GET:
1588 ffa_to_smccc_res_prop(&res, FFA_RET_SUCCESS, HOST_FFA_ID);
1589 goto out_handled;
1590 case FFA_MSG_SEND_DIRECT_REQ:
1591 case FFA_FN64_MSG_SEND_DIRECT_REQ:
1592 do_ffa_direct_msg(host_ctxt, HOST_FFA_ID);
1593 return true;
1594 }
1595
1596 if (ffa_call_supported(func_id))
1597 return false; /* Pass through */
1598
1599 ffa_to_smccc_error(&res, FFA_RET_NOT_SUPPORTED);
1600 out_handled:
1601 ffa_set_retval(host_ctxt, &res);
1602 return true;
1603 }
1604
kvm_guest_ffa_handler(struct pkvm_hyp_vcpu * hyp_vcpu,u64 * exit_code)1605 bool kvm_guest_ffa_handler(struct pkvm_hyp_vcpu *hyp_vcpu, u64 *exit_code)
1606 {
1607 struct kvm_vcpu *vcpu = &hyp_vcpu->vcpu;
1608 struct kvm_cpu_context *ctxt = &vcpu->arch.ctxt;
1609 struct arm_smccc_res res;
1610 int ret, hyp_alloc_ret;
1611 struct kvm_hyp_req *req;
1612
1613 DECLARE_REG(u64, func_id, ctxt, 0);
1614
1615 if (!is_ffa_call(func_id)) {
1616 smccc_set_retval(vcpu, SMCCC_RET_NOT_SUPPORTED, 0, 0, 0);
1617 return true;
1618 }
1619
1620 if (!VM_FFA_SUPPORTED(vcpu)) {
1621 ffa_to_smccc_error(&res, FFA_RET_NOT_SUPPORTED);
1622 ffa_set_retval(ctxt, &res);
1623 return true;
1624 }
1625
1626 switch (func_id) {
1627 case FFA_FEATURES:
1628 do_ffa_guest_features(&res, ctxt);
1629 goto out_guest;
1630 case FFA_VERSION:
1631 do_ffa_guest_version(&res, ctxt, hyp_vcpu);
1632 goto out_guest;
1633 case FFA_FN64_RXTX_MAP:
1634 ret = do_ffa_rxtx_guest_map(ctxt, hyp_vcpu);
1635 break;
1636 case FFA_RXTX_UNMAP:
1637 do_ffa_rxtx_unmap(&res, ctxt, hyp_vcpu);
1638 goto out_guest;
1639 case FFA_MEM_RECLAIM:
1640 do_ffa_mem_reclaim(&res, ctxt, hyp_vcpu);
1641 goto out_guest;
1642 case FFA_MEM_SHARE:
1643 case FFA_FN64_MEM_SHARE:
1644 ret = do_ffa_mem_xfer(FFA_FN64_MEM_SHARE, &res, ctxt, hyp_vcpu);
1645 if (!ret)
1646 goto out_guest;
1647 break;
1648 case FFA_MEM_LEND:
1649 case FFA_FN64_MEM_LEND:
1650 ret = do_ffa_mem_xfer(FFA_FN64_MEM_LEND, &res, ctxt, hyp_vcpu);
1651 if (!ret)
1652 goto out_guest;
1653 break;
1654 case FFA_ID_GET:
1655 ffa_to_smccc_res_prop(&res, FFA_RET_SUCCESS, hyp_vcpu_to_ffa_handle(hyp_vcpu));
1656 goto out_guest;
1657 case FFA_PARTITION_INFO_GET:
1658 do_ffa_part_get(&res, ctxt, hyp_vcpu);
1659 goto out_guest;
1660 case FFA_RX_RELEASE:
1661 hyp_spin_lock(&kvm_ffa_hyp_lock);
1662 ffa_rx_release(&res);
1663 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1664 goto out_guest;
1665 case FFA_MSG_SEND_DIRECT_REQ:
1666 case FFA_FN64_MSG_SEND_DIRECT_REQ:
1667 do_ffa_direct_msg(ctxt, hyp_vcpu_to_ffa_handle(hyp_vcpu));
1668 return true;
1669 default:
1670 ret = -EOPNOTSUPP;
1671 break;
1672 }
1673
1674 if (ret == -EFAULT || ret == -ENOMEM) {
1675 hyp_alloc_ret = hyp_alloc_errno();
1676 if (hyp_alloc_ret == -ENOMEM) {
1677 req = pkvm_hyp_req_reserve(hyp_vcpu, KVM_HYP_REQ_TYPE_MEM);
1678 if (!req)
1679 goto out_guest_with_ret;
1680
1681 req->mem.dest = REQ_MEM_DEST_HYP_ALLOC;
1682 req->mem.nr_pages = hyp_alloc_missing_donations();
1683 } else if (hyp_alloc_ret) {
1684 /* Nothing the host can do for us, let the HVC fail */
1685 ret = hyp_alloc_ret;
1686 goto out_guest_with_ret;
1687 }
1688
1689 req = pkvm_hyp_req_reserve(hyp_vcpu, KVM_HYP_REQ_TYPE_MEM);
1690 if (!req)
1691 goto out_guest_with_ret;
1692
1693 req->mem.dest = REQ_MEM_DEST_VCPU_MEMCACHE;
1694 req->mem.nr_pages = kvm_mmu_cache_min_pages(&hyp_vcpu->vcpu.kvm->arch.mmu);
1695
1696 /* Go back to the host and replay the last guest instruction */
1697 write_sysreg_el2(read_sysreg_el2(SYS_ELR) - 4, SYS_ELR);
1698 *exit_code = ARM_EXCEPTION_HYP_REQ;
1699 return false;
1700 }
1701
1702 out_guest_with_ret:
1703 ffa_to_smccc_res(&res, linux_errno_to_ffa(ret));
1704 out_guest:
1705 ffa_set_retval(ctxt, &res);
1706 return true;
1707 }
1708
kvm_guest_try_reclaim_transfer(struct ffa_mem_transfer * transfer,struct pkvm_hyp_vm * vm)1709 static void kvm_guest_try_reclaim_transfer(struct ffa_mem_transfer *transfer,
1710 struct pkvm_hyp_vm *vm)
1711 {
1712 struct ffa_translation *translation, *tmp;
1713 struct arm_smccc_res res;
1714
1715 ffa_mem_reclaim(&res, HANDLE_LOW(transfer->ffa_handle),
1716 HANDLE_HIGH(transfer->ffa_handle), 0);
1717 if (res.a0 != FFA_SUCCESS)
1718 return;
1719
1720 list_for_each_entry_safe(translation, tmp, &transfer->translations, node) {
1721 WARN_ON(__pkvm_guest_unshare_ffa_page(vm->vcpus[0], translation->ipa));
1722 list_del(&translation->node);
1723 hyp_free(translation);
1724 }
1725
1726 list_del(&transfer->node);
1727 hyp_free(transfer);
1728 }
1729
kvm_dying_guest_reclaim_ffa_resources(struct pkvm_hyp_vm * vm)1730 int kvm_dying_guest_reclaim_ffa_resources(struct pkvm_hyp_vm *vm)
1731 {
1732 struct kvm_ffa_buffers *ffa_buf = &vm->ffa_buf;
1733 struct ffa_mem_transfer *transfer;
1734 int ret = 0;
1735
1736 if (!vm->kvm.arch.pkvm.ffa_support)
1737 return 0;
1738
1739 hyp_spin_lock(&kvm_ffa_hyp_lock);
1740 if (!ffa_buf->tx && !ffa_buf->rx)
1741 goto unlock;
1742
1743 if (list_empty(&ffa_buf->xfer_list)) {
1744 /* XXX - needs an explicit rxtx unmap call ? */
1745 if (ffa_buf->tx) {
1746 WARN_ON(__pkvm_guest_unshare_hyp_page(vm->vcpus[0], ffa_buf->tx_ipa));
1747 ffa_buf->tx = NULL;
1748 }
1749 if (ffa_buf->rx) {
1750 WARN_ON(__pkvm_guest_unshare_hyp_page(vm->vcpus[0], ffa_buf->rx_ipa));
1751 ffa_buf->rx = NULL;
1752 }
1753 goto unlock;
1754 }
1755
1756 transfer = list_first_entry(&ffa_buf->xfer_list, typeof(*transfer), node);
1757 kvm_guest_try_reclaim_transfer(transfer, vm);
1758 ret = -EAGAIN;
1759
1760 unlock:
1761 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1762
1763 return ret;
1764 }
1765
kvm_guest_notify_availability(u32 ffa_handle,struct kvm_ffa_buffers * ffa_buf,bool is_dying)1766 int kvm_guest_notify_availability(u32 ffa_handle, struct kvm_ffa_buffers *ffa_buf, bool is_dying)
1767 {
1768 int ret;
1769
1770 hyp_spin_lock(&kvm_ffa_hyp_lock);
1771 ret = kvm_notify_vm_availability(ffa_handle, ffa_buf,
1772 is_dying ? FFA_VM_DESTRUCTION_MSG : FFA_VM_CREATION_MSG);
1773 hyp_spin_unlock(&kvm_ffa_hyp_lock);
1774
1775 return ret;
1776 }
1777
ffa_get_hypervisor_version(void)1778 u32 ffa_get_hypervisor_version(void)
1779 {
1780 u32 version = 0;
1781
1782 hyp_spin_lock(&version_lock);
1783 if (has_version_negotiated)
1784 version = hyp_ffa_version;
1785 hyp_spin_unlock(&version_lock);
1786
1787 return version;
1788 }
1789
hyp_ffa_init(void * pages)1790 int hyp_ffa_init(void *pages)
1791 {
1792 struct arm_smccc_res res;
1793 void *tx, *rx;
1794
1795 if (kvm_host_psci_config.smccc_version < ARM_SMCCC_VERSION_1_1)
1796 return 0;
1797
1798 arm_smccc_1_1_smc(FFA_VERSION, FFA_VERSION_1_1, 0, 0, 0, 0, 0, 0, &res);
1799 if (res.a0 == FFA_RET_NOT_SUPPORTED)
1800 return 0;
1801
1802 /*
1803 * Firmware returns the maximum supported version of the FF-A
1804 * implementation. Check that the returned version is
1805 * backwards-compatible with the hyp according to the rules in DEN0077A
1806 * v1.1 REL0 13.2.1.
1807 *
1808 * Of course, things are never simple when dealing with firmware. v1.1
1809 * broke ABI with v1.0 on several structures, which is itself
1810 * incompatible with the aforementioned versioning scheme. The
1811 * expectation is that v1.x implementations that do not support the v1.0
1812 * ABI return NOT_SUPPORTED rather than a version number, according to
1813 * DEN0077A v1.1 REL0 18.6.4.
1814 */
1815 if (FFA_MAJOR_VERSION(res.a0) != 1)
1816 return -EOPNOTSUPP;
1817
1818 if (FFA_MINOR_VERSION(res.a0) < FFA_MINOR_VERSION(FFA_VERSION_1_1))
1819 hyp_ffa_version = res.a0;
1820 else
1821 hyp_ffa_version = FFA_VERSION_1_1;
1822
1823 tx = pages;
1824 pages += KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE;
1825 rx = pages;
1826 pages += KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE;
1827
1828 if (static_branch_unlikely(&kvm_ffa_unmap_on_lend)) {
1829 spm_handles = pages;
1830 pages += KVM_FFA_SPM_HANDLE_NR_PAGES * PAGE_SIZE;
1831 num_spm_handles = KVM_FFA_SPM_HANDLE_NR_PAGES * PAGE_SIZE /
1832 sizeof(struct ffa_handle);
1833 memset(spm_handles, -1, KVM_FFA_SPM_HANDLE_NR_PAGES * PAGE_SIZE);
1834 }
1835
1836 ffa_desc_buf = (struct kvm_ffa_descriptor_buffer) {
1837 .buf = pages,
1838 .len = PAGE_SIZE *
1839 (hyp_ffa_proxy_pages() - (2 * KVM_FFA_MBOX_NR_PAGES)),
1840 };
1841
1842 hyp_buffers = (struct kvm_ffa_buffers) {
1843 .tx = tx,
1844 .rx = rx,
1845 };
1846
1847 version_lock = __HYP_SPIN_LOCK_UNLOCKED;
1848 INIT_LIST_HEAD(&host_buffers.xfer_list);
1849
1850 return 0;
1851 }
1852