fix(memory share): SP to VM is not allowed

The FF-A v1.1 Rel0 doesn't allow for any memory to be sent from the SWd to
the NWd, according to table 10.7.
Hafnium allowed for memory to be donated from SP to the NWd.

As of this patch, SPs can not share/lend/donate memory to the NWd.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I69a9f6b05b81729f01342ef2c00b6e62c4bd3aa8
diff --git a/src/arch/aarch64/plat/ffa/spmc.c b/src/arch/aarch64/plat/ffa/spmc.c
index 4496d91..20abef1 100644
--- a/src/arch/aarch64/plat/ffa/spmc.c
+++ b/src/arch/aarch64/plat/ffa/spmc.c
@@ -257,24 +257,18 @@
 	bool result = false;
 
 	/*
-	 * Currently SP to NS-endpoint memory donation is limited:
-	 * In it's current implementation SPMC is not aware of the memory type
-	 * being donated and can not ensure that the memory type is marked as
-	 * non-secure when SP is donating to NS-endpoint.
+	 * SPs can only share/lend/donate to another SP.
 	 */
 	switch (share_func) {
 	case FFA_MEM_DONATE_32:
-		result = true;
-		break;
 	case FFA_MEM_LEND_32:
 	case FFA_MEM_SHARE_32:
 		/* SP to VM not allowed, VM to VM should not end up here */
 		result = vm_id_is_current_world(receiver_vm_id);
 		if (!result) {
 			dlog_verbose(
-				"SP to NS-endpoint memory sharing/lending is "
-				"not "
-				"permitted.\n");
+				"SPMC only supports memory sharing operations "
+				"for SPs as the receiver(s).\n");
 		}
 		break;
 	default:
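Review bot: The new comment `SPs can only share/lend/donate to another SP.` states the rule but drops the rationale that the removed comment carried, so a reader of spmc.c cannot tell that the restriction comes from the specification. I would keep the reason in the code, e.g. `/* FF-A v1.1 (table 10.7, per the commit message) does not permit memory to be sent from the SWd to the NWd, so SPs can only share/lend/donate to another SP. */`. The check covers a single `receiver_vm_id`, and whether every receiver of a multi-receiver transaction reaches it depends on the caller, which is not visible here. The comment should therefore also say that the function is expected to be called once per receiver. The enclosing function starts and ends outside the hunk.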
diff --git a/src/ffa_memory.c b/src/ffa_memory.c
index 5c8b5be..cafc17d 100644
--- a/src/ffa_memory.c
+++ b/src/ffa_memory.c
@@ -456,7 +456,7 @@
 	}
 
 	/* Ensure the address range is normal memory and not a device. */
-	if (*orig_from_mode & MM_MODE_D) {
+	if ((*orig_from_mode & MM_MODE_D) != 0U) {
 		dlog_verbose("Can't share device memory (mode is %#x).\n",
 			     *orig_from_mode);
 		return ffa_error(FFA_DENIED);
@@ -478,12 +478,22 @@
 		uint32_t required_from_mode = ffa_memory_permissions_to_mode(
 			permissions, *orig_from_mode);
 
+		/*
+		 * The assumption is that at this point, the operation from
+		 * SP to a receiver VM, should have returned an FFA_ERROR
+		 * already.
+		 */
+		if (!ffa_is_vm_id(from.vm->id)) {
+			assert(!ffa_is_vm_id(
+				receivers[i].receiver_permissions.receiver));
+		}
+
 		if ((*orig_from_mode & required_from_mode) !=
 		    required_from_mode) {
 			dlog_verbose(
 				"Sender tried to send memory with permissions "
-				"which "
-				"required mode %#x but only had %#x itself.\n",
+				"which required mode %#x but only had %#x "
+				"itself.\n",
 				required_from_mode, *orig_from_mode);
 			return ffa_error(FFA_DENIED);
 		}
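Review bot: The SP-to-VM restriction is backed here only by `assert()`, so if assertions are compiled out of a release build this block checks nothing and a VM receiver goes on to the mode checks below. Since this is the boundary between the SWd and the NWd, I would make it a runtime check that fails closed: `if (!ffa_is_vm_id(from.vm->id) && ffa_is_vm_id(receivers[i].receiver_permissions.receiver)) { return ffa_error(FFA_DENIED); }`. Whether Hafnium's `assert` stays active in production builds is not visible from this hunk and should be confirmed. The enclosing loop and function start outside the hunk and continue past it.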