tftf/tests/misc_tests/test_invalid_access.c

/*
 * Copyright (c) 2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <plat/common/platform.h>

#include <arch.h>
#include <arch_helpers.h>
#include <arch_features.h>
#include <debug.h>
#ifdef __aarch64__
#include <sync.h>
#endif
#include <test_helpers.h>
#include <lib/aarch64/arch_features.h>
#include <runtime_services/realm_payload/realm_payload_test.h>
#include <tftf_lib.h>
#include <xlat_tables_v2.h>

#include <platform_def.h>

/*
 * Using "__aarch64__" here looks weird but its unavoidable because of following reason
 * This test is part of standard test which runs on all platforms but pre-requisite
 * to run this test (custom sync exception handler) is only implemented for aarch64.
 * TODO:  Write a framework so that tests kept in standard list can be selectively
 * run on a given architecture
 */
#ifdef __aarch64__

static volatile bool sync_exception_triggered;
static volatile bool data_abort_triggered;

static __aligned(PAGE_SIZE) uint64_t share_page[PAGE_SIZE / sizeof(uint64_t)];

static bool data_abort_handler(void)
{
	uint64_t esr_elx = IS_IN_EL2() ? read_esr_el2() : read_esr_el1();
	unsigned int rme_supported = get_armv9_2_feat_rme_support();

	sync_exception_triggered = true;

	VERBOSE("%s esr_elx %llx\n", __func__, esr_elx);

	if (EC_BITS(esr_elx) == EC_DABORT_CUR_EL) {
		if (rme_supported == 0) {
			/* Synchronous external data abort triggered by trustzone controller */
			if ((ISS_BITS(esr_elx) & ISS_DFSC_MASK) == DFSC_EXT_DABORT) {
				VERBOSE("%s TZC Data Abort caught\n", __func__);
				data_abort_triggered = true;
				return true;
			}
		} else {
			/* Synchronous data abort triggered by Granule protection */
			if ((ISS_BITS(esr_elx) & ISS_DFSC_MASK) == DFSC_GPF_DABORT) {
				VERBOSE("%s GPF Data Abort caught\n", __func__);
				data_abort_triggered = true;
				return true;
			}
		}
	}

	return false;
}

test_result_t el3_memory_cannot_be_accessed_in_ns(void)
{
	const uintptr_t test_address = EL3_MEMORY_ACCESS_ADDR;

	VERBOSE("Attempt to access el3 memory (0x%lx)\n", test_address);

	sync_exception_triggered = false;
	data_abort_triggered = false;

	int rc = mmap_add_dynamic_region(test_address, test_address, PAGE_SIZE,
					MT_MEMORY | MT_RW | MT_NS);
	if (rc != 0) {
		tftf_testcase_printf("%d: mmap_add_dynamic_region() = %d\n", __LINE__, rc);
		return TEST_RESULT_FAIL;
	}

	register_custom_sync_exception_handler(data_abort_handler);
	*((volatile uint64_t *)test_address);
	unregister_custom_sync_exception_handler();

	rc = mmap_remove_dynamic_region(test_address, PAGE_SIZE);
	if (rc != 0) {
		tftf_testcase_printf("%d: mmap_remove_dynamic_region() = %d\n", __LINE__, rc);
		return TEST_RESULT_FAIL;
	}

	if (sync_exception_triggered == false) {
		tftf_testcase_printf("No sync exception while accessing (0x%lx)\n", test_address);
		return TEST_RESULT_SKIPPED;
	}

	if (data_abort_triggered == false) {
		tftf_testcase_printf("Sync exception is not data abort\n");
		return TEST_RESULT_FAIL;
	}

	return TEST_RESULT_SUCCESS;
}

/**
 * @Test_Aim@ Check a realm region cannot be accessed from normal world.
 *
 * This test delegates a TFTF allocated buffer to Realm. It then attempts
 * a read access to the region from normal world. This results in the PE
 * triggering a GPF caught by a custom synchronous abort handler.
 *
 */
test_result_t rl_memory_cannot_be_accessed_in_ns(void)
{
	test_result_t result = TEST_RESULT_FAIL;
	u_register_t retmm;

	if (get_armv9_2_feat_rme_support() == 0U) {
		return TEST_RESULT_SKIPPED;
	}

	sync_exception_triggered = false;
	data_abort_triggered = false;
	register_custom_sync_exception_handler(data_abort_handler);

	/* First read access to the test region must not fail. */
	*((volatile uint64_t *)share_page);

	if ((sync_exception_triggered != false) ||
	    (data_abort_triggered != false)) {
		goto out_unregister;
	}

	/* Delegate the shared page to Realm. */
	retmm = realm_granule_delegate((u_register_t)&share_page);
	if (retmm != 0UL) {
		ERROR("Granule delegate failed!\n");
		goto out_unregister;
	}

	/* This access shall trigger a GPF. */
	*((volatile uint64_t *)share_page);

	if ((sync_exception_triggered != true) ||
	    (data_abort_triggered != true)) {
		goto out_undelegate;
	}

	result = TEST_RESULT_SUCCESS;

out_undelegate:
	/* Undelegate the shared page. */
	retmm = realm_granule_undelegate((u_register_t)&share_page);
	if (retmm != 0UL) {
		ERROR("Granule undelegate failed!\n");
	}

out_unregister:
	unregister_custom_sync_exception_handler();

	return result;
}

/**
 * @Test_Aim@ Check a secure region cannot be accessed from normal world.
 *
 * Following test intends to run on RME enabled platforms when EL3
 * is Root world. In a non RME platform, EL3 is secure.
 * Access to secure memory from NS world is already covered
 * by el3_memory_cannot_be_accessed_in_ns.
 */
test_result_t s_memory_cannot_be_accessed_in_ns(void)
{
	const uintptr_t test_address = SECURE_MEMORY_ACCESS_ADDR;

	/* skipp non RME platforms */
	if (get_armv9_2_feat_rme_support() == 0U) {
		return TEST_RESULT_SKIPPED;
	}

	VERBOSE("Attempt to access secure memory (0x%lx)\n", test_address);

	data_abort_triggered = false;
	sync_exception_triggered = false;
	register_custom_sync_exception_handler(data_abort_handler);
	dsbsy();

	int rc = mmap_add_dynamic_region(test_address, test_address, PAGE_SIZE,
					MT_MEMORY | MT_RW | MT_NS);

	if (rc != 0) {
		tftf_testcase_printf("%d: mmap_add_dynamic_region() = %d\n", __LINE__, rc);
		return TEST_RESULT_FAIL;
	}

	*((volatile uint64_t *)test_address);

	mmap_remove_dynamic_region(test_address, PAGE_SIZE);

	dsbsy();
	unregister_custom_sync_exception_handler();

	if (sync_exception_triggered == false) {
		tftf_testcase_printf("No sync exception while accessing (0x%lx)\n", test_address);
		return TEST_RESULT_SKIPPED;
	}

	if (data_abort_triggered == false) {
		tftf_testcase_printf("Sync exception is not data abort\n");
		return TEST_RESULT_FAIL;
	}

	return TEST_RESULT_SUCCESS;
}

static test_result_t memory_cannot_be_accessed_in_rl(u_register_t params)
{
	u_register_t retrmm;
	static char rd[GRANULE_SIZE] __aligned(GRANULE_SIZE);

	if (get_armv9_2_feat_rme_support() == 0U) {
		return TEST_RESULT_SKIPPED;
	}

	retrmm = realm_version();

	VERBOSE("RMM version is: %lu.%lu\n",
			RMI_ABI_VERSION_GET_MAJOR(retrmm),
			RMI_ABI_VERSION_GET_MINOR(retrmm));

	/*
	 * TODO: Remove this once SMC_RMM_REALM_CREATE is implemented in TRP
	 * For the moment skip the test if RMM is TRP, TRP version is always null.
	 */
	if (retrmm == 0U) {
		return TEST_RESULT_SKIPPED;
	}

	retrmm = realm_granule_delegate((u_register_t)&rd[0]);
	if (retrmm != 0UL) {
		ERROR("Delegate operation returns fail, %lx\n", retrmm);
		return TEST_RESULT_FAIL;
	}

	/* Create a realm using a parameter in a secure physical address space should fail. */
	retrmm = realm_create((u_register_t)&rd[0], params);
	if (retrmm == 0UL) {
		ERROR("Realm create operation should fail, %lx\n", retrmm);
		retrmm = realm_destroy((u_register_t)&rd[0]);
		if (retrmm != 0UL) {
			ERROR("Realm destroy operation returns fail, %lx\n", retrmm);
			return TEST_RESULT_FAIL;
		}
		return TEST_RESULT_FAIL;
	} else if (retrmm != RMM_STATUS_ERROR_INPUT) {
		ERROR("Realm create operation should fail with code:%ld retrmm:%ld\n",
		RMM_STATUS_ERROR_INPUT, retrmm);
		return TEST_RESULT_FAIL;
	}

	retrmm = realm_granule_undelegate((u_register_t)&rd[0]);
	if (retrmm != 0UL) {
		INFO("Undelegate operation returns fail, %lx\n", retrmm);
		return TEST_RESULT_FAIL;
	}

	return TEST_RESULT_SUCCESS;
}

test_result_t s_memory_cannot_be_accessed_in_rl(void)
{
	u_register_t params = (u_register_t)SECURE_MEMORY_ACCESS_ADDR;
	return memory_cannot_be_accessed_in_rl(params);
}

#else

test_result_t el3_memory_cannot_be_accessed_in_ns(void)
{
	tftf_testcase_printf("Test not ported to AArch32\n");
	return TEST_RESULT_SKIPPED;
}

test_result_t rl_memory_cannot_be_accessed_in_ns(void)
{
	tftf_testcase_printf("Test not ported to AArch32\n");
	return TEST_RESULT_SKIPPED;
}

test_result_t s_memory_cannot_be_accessed_in_ns(void)
{
	tftf_testcase_printf("Test not ported to AArch32\n");
	return TEST_RESULT_SKIPPED;
}

test_result_t s_memory_cannot_be_accessed_in_rl(void)
{
	tftf_testcase_printf("Test not ported to AArch32\n");
	return TEST_RESULT_SKIPPED;
}

#endif /* __aarch64__ */