test(fuzz): add FF-A fuzzing

Add necessary components for FF-A calls to be used in fuzzing framework
including bias tree, `run_ffa_fuzz` helper function, makefile additions,
and initial SMC description file with FF-A smc calls.

ffa_smc_calls.txt can be used to generate the necessary header files.

Signed-off-by: Kathleen Capella <kathleen.capella@arm.com>
Change-Id: Ib19714342d31cacd818471686a7e4c8910fed5c3
diff --git a/include/runtime_services/spm_common.h b/include/runtime_services/spm_common.h
index 4dd5e5c..fa755b9 100644
--- a/include/runtime_services/spm_common.h
+++ b/include/runtime_services/spm_common.h
@@ -101,6 +101,9 @@
 				 uint32_t arg);
 void dump_ffa_value(struct ffa_value ret);
 
+uint64_t ffa_get_uuid_lo(const struct ffa_uuid uuid);
+uint64_t ffa_get_uuid_hi(const struct ffa_uuid uuid);
+
 bool check_spmc_execution_level(void);
 
 unsigned int get_ffa_feature_test_target(
@@ -152,6 +155,9 @@
 bool enable_trusted_wdog_interrupt(ffa_id_t source, ffa_id_t dest);
 bool disable_trusted_wdog_interrupt(ffa_id_t source, ffa_id_t dest);
 
+bool ffa_partition_info_regs_get_part_info(
+	struct ffa_value *args, uint8_t idx,
+	struct ffa_partition_info *partition_info);
 bool ffa_partition_info_regs_helper(const struct ffa_uuid uuid,
 		       const struct ffa_partition_info *expected,
 		       const uint16_t expected_size);
diff --git a/smc_fuzz/all_smc_calls.txt b/smc_fuzz/all_smc_calls.txt
new file mode 100644
index 0000000..0374e57
--- /dev/null
+++ b/smc_fuzz/all_smc_calls.txt
@@ -0,0 +1,209 @@
+#
+# Copyright (c) 2025 Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+smc: SDEI_EVENT_STATUS_CALL
+        arg1:bev
+                field:bev:[0,31] = 0
+smc: SDEI_INTERRUPT_BIND_CALL
+        arg1:interruptnum
+                field:inum:[0,31] = 1
+smc: SDEI_VERSION_CALL
+        arg1-arg17 = 0
+smc: SDEI_EVENT_REGISTER_CALL
+        arg1:eventnum
+                field:enum:[0,31] = 0
+        arg2:entryaddr
+                field:addr:[0,63] = 0
+        arg3:eparg
+                field:arg:[0,63] = 0
+        arg4:flags
+                field:routing:[0,0] = 0
+                field:relative:[1,1] = 0
+                field:reserved:[2,63] = 0
+        arg5:affinity
+                field:aff:[0,63] = 0
+smc: SDEI_EVENT_ENABLE_CALL
+        arg1:eventnum
+                field:enum:[0,31] = 0
+smc: SDEI_FEATURES_CALL
+        arg1:feature
+                field:feat:[0,31] = 0
+smc: SDEI_EVENT_DISABLE_CALL
+        arg1:eventnum
+                field:enum:[0,31] = 0
+smc: SDEI_EVENT_CONTEXT_CALL
+        arg1:paramid
+                field:param:[0,31] = 0
+smc: SDEI_EVENT_COMPLETE_CALL
+        arg1:status
+                field:stat:[0,31] = 0
+smc: SDEI_EVENT_COMPLETE_AND_RESUME_CALL
+        arg1:resumeaddr
+                field:addr:[0,63] = 0
+smc: SDEI_EVENT_UNREGISTER_CALL
+        arg1:event
+                field:enum:[0,31] = 0
+smc: SDEI_EVENT_GET_INFO_CALL
+        arg1:event
+                field:enum:[0,31] = 0
+        arg2:info
+                field:info:[0,31] = 0
+smc: SDEI_EVENT_ROUTING_SET_CALL
+        arg1:event
+                field:enum:[0,31] = 0
+        arg2:routingmode
+                field:routing:[0,0] = 0
+                field:constant:[1,63] = 0
+        arg3:affinity
+                field:aff:[0,63] = 0
+smc: SDEI_PE_MASK_CALL
+        arg1 = 0
+smc: SDEI_PE_UNMASK_CALL
+        arg1 = 0
+smc:  SDEI_INTERRUPT_RELEASE_CALL
+        arg1:event
+                field:enum:[0,31] = 0
+smc: SDEI_EVENT_SIGNAL_CALL
+        arg1:event
+                field:enum:[0,31] = 0
+        arg2:targetpe
+                field:pe:[0,31] = 0
+smc: SDEI_PRIVATE_RESET_CALL
+        arg1 = 0
+smc: SDEI_SHARED_RESET_CALL
+        arg1 = 0
+smc: VEN_EL3_SVC_UUID_CALL
+        arg1=0
+smc: VEN_EL3_SVC_COUNT_CALL
+        arg1=0
+smc: VEN_EL3_SVC_VERSION_CALL
+        arg1=0
+smc: FFA_PARTITION_INFO_GET_REGS_CALL
+        arg1:uuid_lo
+		field:uuid_lo:[0,63] = 0
+        arg2:uuid_hi
+		field:uuid_hi:[0,63] = 0
+        arg3:start_idx_and_tag
+                field:start:[0,15] = 0
+		field:tag:[16,31] = 0
+	arg4-arg17 = 0
+smc: FFA_VERSION_CALL
+	arg1:input_version_number
+		field:mbz:[31,31] = 0
+		field:major:[16,30] = 1
+		field:minor:[0,15] = 2
+	arg2-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_64_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,63] = 0x12121212
+	arg4:msg_1
+		field:msg_1:[0,63] = 0x34343434
+	arg5:msg_2
+		field:msg_2:[0,63] = 0x56565656
+	arg6:msg_3
+		field:msg_3:[0,63] = 0x78787878
+	arg7:msg_4
+		field:msg_4:[0,63] = 0x9a9a9a9a
+	arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_64_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,63] = 0x12121212
+	arg4:msg_1
+		field:msg_1:[0,63] = 0x34343434
+	arg5:msg_2
+		field:msg_2:[0,63] = 0x56565656
+	arg6:msg_3
+		field:msg_3:[0,63] = 0x78787878
+	arg7:msg_4
+		field:msg_4:[0,63] = 0x9a9a9a9a
+	arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_32_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,31] = 0x1212
+	arg4:msg_1
+		field:msg_1:[0,31] = 0x3434
+	arg5:msg_2
+		field:msg_2:[0,31] = 0x5656
+	arg6:msg_3
+		field:msg_3:[0,31] = 0x7878
+	arg7:msg_4
+		field:msg_4:[0,31] = 0x9a9a
+	arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_32_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,31] = 0x1212
+	arg4:msg_1
+		field:msg_1:[0,31] = 0x3434
+	arg5:msg_2
+		field:msg_2:[0,31] = 0x5656
+	arg6:msg_3
+		field:msg_3:[0,31] = 0x7878
+	arg7:msg_4
+		field:msg_4:[0,31] = 0x9a9a
+	arg8-arg17 = 0
+smc: FFA_FEATURES_FEAT_ID_CALL
+	arg1:ffa_func_or_feat_id
+		field:w1_is_ffa_func_id:[31,31] = 0
+		field:feat_id:[0,7] = 0x1
+	arg2:input_properties
+		field:input_properties:[0,63] = 0
+	arg3-arg17 = 0
+smc: FFA_FEATURES_FUNC_ID_CALL
+	arg1:ffa_func_or_feat_id
+		field:func_id:[0,31] = 0x84000064
+	arg2:input_properties
+		field:input_properties:[0,63] = 0x0
+	arg3-arg17 = 0
+smc: FFA_RUN_CALL
+	arg1:target_information
+		field:target_vm_id:[16,31] = 0
+		field:target_vcpu_id:[0,15] = 0
+	arg2-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_CREATE_CALL
+	arg1:vm_id
+		field:vm_id:[0,15] = 1
+	arg2:n_vcpus
+		field:n_vcpus:[0,63] = 1
+	arg3-arg17 = 0
+smc: FFA_NOTIFICATION_BIND_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:per_vcpu_notifications:[0,0] = 0
+	arg3:notification_bitmap_lo
+		field:bitmap:[0,31] = 0xAAAA
+	arg4:notification_bitmap_hi
+		field:bitmap:[0,31] = 0x5555
+	arg5-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_DESTROY_CALL
+	arg1:vm_id
+		field:vm_id:[0,15] = 1
+	arg2-arg17 = 0
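Review bot: The FF-A call descriptions added at the end of this file are repeated line for line in smc_fuzz/ffa_smc_calls.txt in the same commit, so any later change to a field range or default must be made in both places or the generated headers will diverge. If the generator can take several input files, keeping the FF-A entries only in ffa_smc_calls.txt would avoid that. The argument name `sender_reciever` is misspelled in every direct-message and notification-bind entry; it looks harmless because the macros used in ffa_fuzz_helper.c are built from the field names, but `sender_receiver` would read better. The `FFA_PARTITION_INFO_GET_REGS_CALL` entry also mixes space- and tab-indented lines, which is worth normalising in case the parser is whitespace-sensitive.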
diff --git a/smc_fuzz/dts/ffa.dts b/smc_fuzz/dts/ffa.dts
new file mode 100644
index 0000000..83c8d3c
--- /dev/null
+++ b/smc_fuzz/dts/ffa.dts
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/dts-v1/;
+
+/ {
+
+	ffa {
+		bias = <30>;
+		ffa_id_get {
+			bias = <30>;
+			functionname = "ffa_id_get_funcid";
+		};
+		ffa_partition_info_get_regs {
+			bias = <30>;
+			functionname = "ffa_partition_info_get_regs_funcid";
+		};
+		ffa_version {
+			bias = <30>;
+			functionname = "ffa_version_funcid";
+		};
+		ffa_msg_send_direct_req_64 {
+			bias = <30>;
+			functionname = "ffa_msg_send_direct_req_64_funcid";
+		};
+		ffa_msg_send_direct_resp_64 {
+			bias = <30>;
+			functionname = "ffa_msg_send_direct_resp_64_funcid";
+		};
+		ffa_msg_send_direct_req_32 {
+			bias = <30>;
+			functionname = "ffa_msg_send_direct_req_32_funcid";
+		};
+		ffa_msg_send_direct_resp_32 {
+			bias = <30>;
+			functionname = "ffa_msg_send_direct_resp_32_funcid";
+		};
+		ffa_features_feat_id {
+			bias = <15>;
+			functionname = "ffa_features_feat_id_funcid";
+		};
+		ffa_features_func_id {
+			bias = <15>;
+			functionname = "ffa_features_func_id_funcid";
+		};
+		ffa_run {
+			bias = <30>;
+			functionname = "ffa_run_funcid";
+		};
+		ffa_notification_bitmap_create {
+			bias = <30>;
+			functionname = "ffa_notification_bitmap_create_funcid";
+		};
+		ffa_notification_bind {
+			bias = <30>;
+			functionname = "ffa_notification_bind_funcid";
+		};
+		ffa_notification_bitmap_destroy {
+			bias = <30>;
+			functionname = "ffa_notification_bitmap_destroy_funcid";
+		};
+	};
+
+};
diff --git a/smc_fuzz/ffa_smc_calls.txt b/smc_fuzz/ffa_smc_calls.txt
new file mode 100644
index 0000000..c96e19a
--- /dev/null
+++ b/smc_fuzz/ffa_smc_calls.txt
@@ -0,0 +1,132 @@
+#
+# Copyright (c) 2025 Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+smc: FFA_PARTITION_INFO_GET_REGS_CALL
+        arg1:uuid_lo
+		field:uuid_lo:[0,63] = 0
+        arg2:uuid_hi
+		field:uuid_hi:[0,63] = 0
+        arg3:start_idx_and_tag
+                field:start:[0,15] = 0
+		field:tag:[16,31] = 0
+	arg4-arg17 = 0
+smc: FFA_VERSION_CALL
+	arg1:input_version_number
+		field:mbz:[31,31] = 0
+		field:major:[16,30] = 1
+		field:minor:[0,15] = 2
+	arg2-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_64_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,63] = 0x12121212
+	arg4:msg_1
+		field:msg_1:[0,63] = 0x34343434
+	arg5:msg_2
+		field:msg_2:[0,63] = 0x56565656
+	arg6:msg_3
+		field:msg_3:[0,63] = 0x78787878
+	arg7:msg_4
+		field:msg_4:[0,63] = 0x9a9a9a9a
+	arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_64_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,63] = 0x12121212
+	arg4:msg_1
+		field:msg_1:[0,63] = 0x34343434
+	arg5:msg_2
+		field:msg_2:[0,63] = 0x56565656
+	arg6:msg_3
+		field:msg_3:[0,63] = 0x78787878
+	arg7:msg_4
+		field:msg_4:[0,63] = 0x9a9a9a9a
+	arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_32_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,31] = 0x1212
+	arg4:msg_1
+		field:msg_1:[0,31] = 0x3434
+	arg5:msg_2
+		field:msg_2:[0,31] = 0x5656
+	arg6:msg_3
+		field:msg_3:[0,31] = 0x7878
+	arg7:msg_4
+		field:msg_4:[0,31] = 0x9a9a
+	arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_32_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:message_type:[31,31] = 0
+		field:frmwk_msg_type:[0,7] = 0
+	arg3:msg_0
+		field:msg_0:[0,31] = 0x1212
+	arg4:msg_1
+		field:msg_1:[0,31] = 0x3434
+	arg5:msg_2
+		field:msg_2:[0,31] = 0x5656
+	arg6:msg_3
+		field:msg_3:[0,31] = 0x7878
+	arg7:msg_4
+		field:msg_4:[0,31] = 0x9a9a
+	arg8-arg17 = 0
+smc: FFA_FEATURES_FEAT_ID_CALL
+	arg1:ffa_func_or_feat_id
+		field:w1_is_ffa_func_id:[31,31] = 0
+		field:feat_id:[0,7] = 0x1
+	arg2:input_properties
+		field:input_properties:[0,63] = 0
+	arg3-arg17 = 0
+smc: FFA_FEATURES_FUNC_ID_CALL
+	arg1:ffa_func_or_feat_id
+		field:func_id:[0,31] = 0x84000064
+	arg2:input_properties
+		field:input_properties:[0,63] = 0x0
+	arg3-arg17 = 0
+smc: FFA_RUN_CALL
+	arg1:target_information
+		field:target_vm_id:[16,31] = 0
+		field:target_vcpu_id:[0,15] = 0
+	arg2-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_CREATE_CALL
+	arg1:vm_id
+		field:vm_id:[0,15] = 1
+	arg2:n_vcpus
+		field:n_vcpus:[0,63] = 1
+	arg3-arg17 = 0
+smc: FFA_NOTIFICATION_BIND_CALL
+	arg1:sender_reciever
+		field:sender_id:[16,31] = 0
+		field:receiver_id:[0,15] = 0
+	arg2:flags
+		field:per_vcpu_notifications:[0,0] = 0
+	arg3:notification_bitmap_lo
+		field:bitmap:[0,31] = 0xAAAA
+	arg4:notification_bitmap_hi
+		field:bitmap:[0,31] = 0x5555
+	arg5-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_DESTROY_CALL
+	arg1:vm_id
+		field:vm_id:[0,15] = 1
+	arg2-arg17 = 0
diff --git a/smc_fuzz/include/ffa_fuzz_helper.h b/smc_fuzz/include/ffa_fuzz_helper.h
new file mode 100644
index 0000000..2a10397
--- /dev/null
+++ b/smc_fuzz/include/ffa_fuzz_helper.h
@@ -0,0 +1,10 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <fuzz_helper.h>
+#include "smcmalloc.h"
+
+void run_ffa_fuzz(int funcid, struct memmod *mmod);
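Review bot: This new header has no include guard, and it pulls in `fuzz_helper.h` and `smcmalloc.h`, so a second inclusion in one translation unit is only safe if those headers are guarded themselves. Wrapping the contents in `#ifndef FFA_FUZZ_HELPER_H` / `#define FFA_FUZZ_HELPER_H` / `#endif` would fix that. `inputparameters_to_ffa_value` is defined without `static` in ffa_fuzz_helper.c but is not declared here; either declare it in this header or make it `static`.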
diff --git a/smc_fuzz/src/ffa_fuzz_helper.c b/smc_fuzz/src/ffa_fuzz_helper.c
new file mode 100644
index 0000000..95cfa0c
--- /dev/null
+++ b/smc_fuzz/src/ffa_fuzz_helper.c
@@ -0,0 +1,485 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arg_struct_def.h>
+#include "constraint.h"
+#include <ffa_fuzz_helper.h>
+#include <fuzz_names.h>
+#include <runtime_services/cactus_test_cmds.h>
+#include <runtime_services/ffa_endpoints.h>
+#include <runtime_services/spm_common.h>
+#include <stdint.h>
+
+#ifdef FFA_INCLUDE
+
+#define PRIMARY_LO ffa_get_uuid_lo((struct ffa_uuid){PRIMARY_UUID})
+#define PRIMARY_HI ffa_get_uuid_hi((struct ffa_uuid){PRIMARY_UUID})
+#define SECONDARY_LO ffa_get_uuid_lo((struct ffa_uuid){SECONDARY_UUID})
+#define SECONDARY_HI ffa_get_uuid_hi((struct ffa_uuid){SECONDARY_UUID})
+#define TERTIARY_LO ffa_get_uuid_lo((struct ffa_uuid){TERTIARY_UUID})
+#define TERTIARY_HI ffa_get_uuid_hi((struct ffa_uuid){TERTIARY_UUID})
+
+#define FFA_FUNC_ID_MIN 0x84000060
+#define FFA_FUNC_ID_MAX 0x8400008C
+#define MAX_VM_ID ((UINT64_C(1) << 16) - 1)
+#define FFA_FEAT_ID_MIN 0x0
+#define FFA_FEAT_ID_MAX 0xFF
+#define MAX_NUM_VCPUS 8
+#define MIN_VCPU_ID 0
+#define MAX_VCPU_ID (MAX_NUM_VCPUS - 1)
+
+void inputparameters_to_ffa_value(struct inputparameters ip,
+				  struct ffa_value *args)
+{
+	args->arg1 = ip.x1;
+	args->arg2 = ip.x2;
+	args->arg3 = ip.x3;
+	args->arg4 = ip.x4;
+	args->arg5 = ip.x5;
+	args->arg6 = ip.x6;
+	args->arg7 = ip.x7;
+	args->arg8 = ip.x8;
+	args->arg9 = ip.x9;
+	args->arg10 = ip.x10;
+	args->arg11 = ip.x12;
+	args->arg12 = ip.x12;
+	args->arg13 = ip.x13;
+	args->arg14 = ip.x14;
+	args->arg15 = ip.x15;
+	args->arg16 = ip.x16;
+	args->arg17 = ip.x17;
+}
+
+static struct ffa_value ffa_call_with_params(struct inputparameters ip,
+					     uint64_t ffa_function_id)
+{
+	struct ffa_value args = {.fid = ffa_function_id};
+
+	inputparameters_to_ffa_value(ip, &args);
+
+	return ffa_service_call(&args);
+}
+
+static bool is_info_get_regs_valid(struct inputparameters ip)
+{
+	uint64_t uuid_lo = ip.x1;
+	uint64_t uuid_hi = ip.x2;
+	uint64_t start = get_generated_value(
+		FFA_PARTITION_INFO_GET_REGS_CALL_ARG3_START, ip);
+	uint64_t tag = get_generated_value(
+		FFA_PARTITION_INFO_GET_REGS_CALL_ARG3_TAG, ip);
+
+	if ((uuid_lo == PRIMARY_LO && uuid_hi == PRIMARY_HI) ||
+	    (uuid_lo == SECONDARY_LO && uuid_hi == SECONDARY_HI) ||
+	    (uuid_lo == TERTIARY_LO && uuid_hi == TERTIARY_HI)) {
+		return (start == 0 && tag == 0);
+	} else if (uuid_lo == 0 && uuid_hi == 0) {
+		if (start == 0) {
+			return (tag == 0);
+		}
+		return (start < 4);
+	}
+	return false;
+}
+
+void run_ffa_fuzz(int funcid, struct memmod *mmod)
+{
+	/*
+	 * For the SMC function id, apply constraints and generate input
+	 * arguments based on sanity level, call the SMC, and do basic analysis
+	 * and reporting of return results.
+	 *
+	 * An error return may not be a failure if the inputs are invalid,
+	 * therefore failures are marked explicitly.
+	 */
+	switch (funcid) {
+	case ffa_id_get_funcid: {
+		struct ffa_value args;
+		struct ffa_value ret;
+
+		args = (struct ffa_value){.fid = FFA_ID_GET};
+		ret = ffa_service_call(&args);
+
+		if (ret.fid == FFA_ERROR) {
+			printf("FAIL error code %d\n", ffa_error_code(ret));
+		}
+		break;
+	}
+	case ffa_partition_info_get_regs_funcid: {
+		uint64_t uuid_lo_values[] = {0, PRIMARY_LO, SECONDARY_LO,
+					     TERTIARY_LO};
+		uint64_t uuid_hi_values[] = {0, PRIMARY_HI, SECONDARY_HI,
+					     TERTIARY_HI};
+		struct inputparameters ip;
+		struct ffa_value args;
+		struct ffa_value ret;
+
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, uuid_lo_values, 2,
+			      FFA_PARTITION_INFO_GET_REGS_CALL_ARG1_UUID_LO,
+			      mmod, FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, uuid_hi_values, 2,
+			      FFA_PARTITION_INFO_GET_REGS_CALL_ARG2_UUID_HI,
+			      mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+		ip = generate_args(FFA_PARTITION_INFO_GET_REGS_CALL,
+				   SMC_FUZZ_SANITY_LEVEL);
+		inputparameters_to_ffa_value(ip, &args);
+		args.fid = FFA_PARTITION_INFO_GET_REGS_SMC64;
+
+		ret = ffa_service_call(&args);
+
+		if (is_info_get_regs_valid(ip) && ret.fid == FFA_ERROR) {
+			printf("FAIL error code %d\n", ffa_error_code(ret));
+		}
+		break;
+	}
+	case ffa_version_funcid: {
+		struct inputparameters ip;
+		struct ffa_value ret;
+		uint32_t version;
+
+		ip = generate_args(FFA_VERSION_CALL, SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, FFA_VERSION);
+		version = ret.fid;
+
+		if (version == FFA_ERROR_NOT_SUPPORTED) {
+			printf("FFA_VERSION_NOT_SUPPORTED\n");
+		}
+		break;
+	}
+	case ffa_msg_send_direct_req_32_funcid:
+	case ffa_msg_send_direct_req_64_funcid: {
+		uint64_t receiver_ids[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+		uint64_t sender_id[] = {HYP_ID};
+		uint64_t message_type[] = {0, 1};
+		uint64_t frmwrk_msg_type[] = {0, 1};
+		uint64_t msg_0_input[] = {CACTUS_ECHO_CMD,
+					  CACTUS_REQ_ECHO_CMD}; /* Cactus cmd */
+		uint64_t msg_1_input[] = {100,
+					  200}; /* for echo cmds, echo_val */
+		struct inputparameters ip;
+		struct ffa_value ret;
+		uint64_t req_function_id;
+		uint64_t call_id;
+		uint64_t sender_arg;
+		uint64_t receiver_arg;
+		uint64_t msg_type_arg;
+		uint64_t frmwk_msg_type_arg;
+		uint64_t msg_0_arg;
+		uint64_t msg_1_arg;
+
+		if (funcid == ffa_msg_send_direct_req_32_funcid) {
+			req_function_id = FFA_MSG_SEND_DIRECT_REQ_SMC32;
+			call_id = FFA_MSG_SEND_DIRECT_REQ_32_CALL;
+			sender_arg =
+				FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG1_SENDER_ID;
+			receiver_arg =
+				FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG1_RECEIVER_ID;
+			msg_type_arg =
+				FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG2_MESSAGE_TYPE;
+			frmwk_msg_type_arg =
+				FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG2_FRMWK_MSG_TYPE;
+			msg_0_arg = FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG3_MSG_0;
+			msg_1_arg = FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG4_MSG_1;
+		} else {
+			req_function_id = FFA_MSG_SEND_DIRECT_REQ_SMC64;
+			call_id = FFA_MSG_SEND_DIRECT_REQ_64_CALL;
+			sender_arg =
+				FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG1_SENDER_ID;
+			receiver_arg =
+				FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG1_RECEIVER_ID;
+			msg_type_arg =
+				FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG2_MESSAGE_TYPE;
+			frmwk_msg_type_arg =
+				FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG2_FRMWK_MSG_TYPE;
+			msg_0_arg = FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG3_MSG_0;
+			msg_1_arg = FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG4_MSG_1;
+		}
+
+		setconstraint(FUZZER_CONSTRAINT_SVALUE, sender_id, 1,
+			      sender_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, receiver_ids, 3,
+			      receiver_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, message_type, 2,
+			      msg_type_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, frmwrk_msg_type, 2,
+			      frmwk_msg_type_arg, mmod,
+			      FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, msg_0_input, 2,
+			      msg_0_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_RANGE, msg_1_input, 2,
+			      msg_1_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+		ip = generate_args(call_id, SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, req_function_id);
+
+		switch (ret.fid) {
+		case FFA_MSG_SEND_DIRECT_RESP_SMC64:
+		case FFA_MSG_SEND_DIRECT_RESP_SMC32:
+			printf("Received direct response, ret.arg4 = %ld\n",
+			       ret.arg4);
+			break;
+		case FFA_ERROR:
+			printf("Direct request returned with FFA_ERROR code %d\n",
+			       ffa_error_code(ret));
+			break;
+		case FFA_MSG_YIELD:
+			printf("FFA_MSG_SEND_DIRECT_REQ returned with FFA_MSG_YIELD\n");
+			break;
+		case FFA_INTERRUPT:
+			printf("FFA_MSG_SEND_DIRECT_REQ returned with FFA_INTERRUPT\n");
+			break;
+		default:
+			printf("FAIL FFA_MSG_SEND_DIRECT_REQ returned with 0x%lx\n",
+			       ret.fid);
+			break;
+		}
+		break;
+	}
+	case ffa_msg_send_direct_resp_32_funcid:
+	case ffa_msg_send_direct_resp_64_funcid: {
+		uint64_t receiver_ids[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+		uint64_t sender_id[] = {HYP_ID};
+		struct inputparameters ip;
+		struct ffa_value ret;
+		uint64_t resp_function_id;
+		uint64_t call_id;
+		uint64_t sender_arg;
+		uint64_t receiver_arg;
+		if (funcid == ffa_msg_send_direct_resp_32_funcid) {
+			resp_function_id = FFA_MSG_SEND_DIRECT_RESP_SMC32;
+			call_id = FFA_MSG_SEND_DIRECT_RESP_32_CALL;
+			sender_arg =
+				FFA_MSG_SEND_DIRECT_RESP_32_CALL_ARG1_SENDER_ID;
+			receiver_arg =
+				FFA_MSG_SEND_DIRECT_RESP_32_CALL_ARG1_RECEIVER_ID;
+		} else {
+			resp_function_id = FFA_MSG_SEND_DIRECT_RESP_SMC64;
+			call_id = FFA_MSG_SEND_DIRECT_RESP_64_CALL;
+			sender_arg =
+				FFA_MSG_SEND_DIRECT_RESP_64_CALL_ARG1_SENDER_ID;
+			receiver_arg =
+				FFA_MSG_SEND_DIRECT_RESP_64_CALL_ARG1_RECEIVER_ID;
+		}
+
+		setconstraint(FUZZER_CONSTRAINT_SVALUE, sender_id, 1,
+			      sender_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, receiver_ids, 3,
+			      receiver_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+		ip = generate_args(call_id, SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, resp_function_id);
+
+		/* NWd cannot send a direct response. */
+		if (ret.fid == FFA_ERROR) {
+			printf("Direct response returned with FFA_ERROR code %d\n",
+			       ffa_error_code(ret));
+		} else {
+			printf("FAIL FFA_MSG_SEND_DIRECT_RESP returned with 0x%lx\n",
+			       ret.fid);
+		}
+		break;
+	}
+	case ffa_features_feat_id_funcid: {
+		/* Allow feature_ids in range of 8bits */
+		uint64_t feat_ids_range[] = {FFA_FEAT_ID_MIN, FFA_FEAT_ID_MAX};
+		struct inputparameters ip;
+		struct ffa_value ret;
+
+		setconstraint(FUZZER_CONSTRAINT_RANGE, feat_ids_range, 2,
+			      FFA_FEATURES_FEAT_ID_CALL_ARG1_FEAT_ID, mmod,
+			      FUZZER_CONSTRAINT_EXCMODE);
+
+		ip = generate_args(FFA_FEATURES_FEAT_ID_CALL,
+				   SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, FFA_FEATURES);
+		printf("ret.fid: { 0x%lx\n", ret.fid);
+		break;
+	}
+	case ffa_features_func_id_funcid: {
+		uint64_t ffa_funcid_range[] = {FFA_FUNC_ID_MIN,
+					       FFA_FUNC_ID_MAX};
+		struct inputparameters ip;
+		struct ffa_value ret;
+		uint64_t funcid_gen_input;
+
+		setconstraint(FUZZER_CONSTRAINT_RANGE, ffa_funcid_range, 2,
+			      FFA_FEATURES_FUNC_ID_CALL_ARG1_FUNC_ID, mmod,
+			      FUZZER_CONSTRAINT_EXCMODE);
+
+		ip = generate_args(FFA_FEATURES_FUNC_ID_CALL,
+				   SMC_FUZZ_SANITY_LEVEL);
+
+		/*
+		 * TODO: Would be a good use case for future fuzzing
+		 * functionality having one field constraint dependent
+		 * on value of another generated field.
+		 */
+		funcid_gen_input = get_generated_value(
+			FFA_FEATURES_FUNC_ID_CALL_ARG1_FUNC_ID, ip);
+		if (SMC_FUZZ_SANITY_LEVEL == SANITY_LEVEL_3 &&
+		    funcid_gen_input == FFA_MEM_RETRIEVE_REQ_SMC32) {
+			// Set arg2 to a certain value
+			ip.x2 = 0x10;
+		}
+
+		ret = ffa_call_with_params(ip, FFA_FEATURES);
+		printf("ret.fid: { 0x%lx\n", ret.fid);
+		break;
+	}
+	case ffa_run_funcid: {
+		uint64_t target_ids[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+		uint64_t target_vcpu_ids[] = {MIN_VCPU_ID, MAX_VCPU_ID};
+		struct inputparameters ip;
+		struct ffa_value ret;
+
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, target_ids, 3,
+			      FFA_RUN_CALL_ARG1_TARGET_VM_ID, mmod,
+			      FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_RANGE, target_vcpu_ids, 2,
+			      FFA_RUN_CALL_ARG1_TARGET_VCPU_ID, mmod,
+			      FUZZER_CONSTRAINT_EXCMODE);
+		ip = generate_args(FFA_RUN_CALL, SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, FFA_RUN);
+
+		switch (ret.fid) {
+		case FFA_ERROR:
+			printf("FFA_RUN returned with FFA_ERROR code %d\n",
+			       ffa_error_code(ret));
+			break;
+
+		case FFA_INTERRUPT:
+		case FFA_MSG_WAIT:
+		case FFA_MSG_YIELD:
+		case FFA_MSG_SEND_DIRECT_RESP_SMC64:
+		case FFA_MSG_SEND_DIRECT_RESP_SMC32:
+			printf("FFA_RUN successfully returned with 0x%lx\n",
+			       ret.fid);
+			break;
+		default:
+			printf("FAIL FFA_RUN returned with 0x%lx\n", ret.fid);
+			break;
+		}
+		break;
+	}
+	case ffa_notification_bitmap_create_funcid: {
+		uint64_t vm_id[] = {0, MAX_VM_ID};
+		uint64_t n_vcpus[] = {0, MAX_NUM_VCPUS};
+		struct inputparameters ip;
+		struct ffa_value ret;
+		uint64_t gen_vm_id;
+		uint64_t gen_n_vcpus;
+
+		setconstraint(FUZZER_CONSTRAINT_RANGE, n_vcpus, 2,
+			      FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG2_N_VCPUS,
+			      mmod, FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_RANGE, vm_id, 2,
+			      FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG1_VM_ID,
+			      mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+		ip = generate_args(FFA_NOTIFICATION_BITMAP_CREATE_CALL,
+				   SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, FFA_NOTIFICATION_BITMAP_CREATE);
+
+		gen_vm_id = get_generated_value(
+			FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG1_VM_ID, ip);
+		gen_n_vcpus = get_generated_value(
+			FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG2_N_VCPUS, ip);
+
+		if (ret.fid == FFA_SUCCESS_SMC32 ||
+		    ret.fid == FFA_SUCCESS_SMC64) {
+			printf("FFA_NOTIFICATION_BITMAP_CREATE succeeded for "
+			       "VM %lld with vCPU count %lld\n",
+			       gen_vm_id, gen_n_vcpus);
+		} else if (ret.fid == FFA_ERROR) {
+			printf("FFA_NOTIFICATION_BITMAP_CREATE returned with "
+			       "FFA_ERROR code %d\n",
+			       ffa_error_code(ret));
+		} else {
+			printf("FAIL FFA_NOTIFICATION_BITMAP_CREATE returned with 0x%lx\n",
+			       ret.fid);
+		}
+		break;
+	}
+	case ffa_notification_bind_funcid: {
+		uint64_t sps[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+		uint64_t vm_ids[] = {0, MAX_VM_ID};
+		uint64_t max_bitmap_value = 0xFFFFFFFF;
+		uint64_t bitmap_range[] = {0, max_bitmap_value};
+		struct inputparameters ip;
+		struct ffa_value ret;
+
+		setconstraint(FUZZER_CONSTRAINT_RANGE, vm_ids, 2,
+			      FFA_NOTIFICATION_BIND_CALL_ARG1_RECEIVER_ID, mmod,
+			      FUZZER_CONSTRAINT_ACCMODE);
+		setconstraint(FUZZER_CONSTRAINT_RANGE, vm_ids, 2,
+			      FFA_NOTIFICATION_BIND_CALL_ARG1_SENDER_ID, mmod,
+			      FUZZER_CONSTRAINT_ACCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, sps, 3,
+			      FFA_NOTIFICATION_BIND_CALL_ARG1_RECEIVER_ID, mmod,
+			      FUZZER_CONSTRAINT_ACCMODE);
+		setconstraint(FUZZER_CONSTRAINT_VECTOR, sps, 3,
+			      FFA_NOTIFICATION_BIND_CALL_ARG1_SENDER_ID, mmod,
+			      FUZZER_CONSTRAINT_ACCMODE);
+		setconstraint(FUZZER_CONSTRAINT_RANGE, bitmap_range, 2,
+			      FFA_NOTIFICATION_BIND_CALL_ARG3_BITMAP, mmod,
+			      FUZZER_CONSTRAINT_EXCMODE);
+		setconstraint(FUZZER_CONSTRAINT_RANGE, bitmap_range, 2,
+			      FFA_NOTIFICATION_BIND_CALL_ARG4_BITMAP, mmod,
+			      FUZZER_CONSTRAINT_EXCMODE);
+		ip = generate_args(FFA_NOTIFICATION_BIND_CALL,
+				   SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, FFA_NOTIFICATION_BIND);
+
+		if (ret.fid == FFA_SUCCESS_SMC32 ||
+		    ret.fid == FFA_SUCCESS_SMC64) {
+			printf("FFA_NOTIFICATION_BIND succeeded\n");
+		} else if (ret.fid == FFA_ERROR) {
+			printf("FFA_NOTIFICATION_BIND returned with FFA_ERROR code %d\n",
+			       ffa_error_code(ret));
+		} else {
+			printf("FAIL FFA_NOTIFICATION_BIND returned with 0x%lx\n",
+			       ret.fid);
+		}
+		break;
+	}
+	case ffa_notification_bitmap_destroy_funcid: {
+		uint64_t vm_id[] = {0, MAX_VM_ID};
+		struct inputparameters ip;
+		struct ffa_value ret;
+		uint64_t gen_vm_id;
+
+		gen_vm_id = get_generated_value(
+			FFA_NOTIFICATION_BITMAP_DESTROY_CALL_ARG1_VM_ID, ip);
+
+		setconstraint(FUZZER_CONSTRAINT_RANGE, vm_id, 2,
+			      FFA_NOTIFICATION_BITMAP_DESTROY_CALL_ARG1_VM_ID,
+			      mmod, FUZZER_CONSTRAINT_EXCMODE);
+		ip = generate_args(FFA_NOTIFICATION_BITMAP_DESTROY_CALL,
+				   SMC_FUZZ_SANITY_LEVEL);
+		ret = ffa_call_with_params(ip, FFA_NOTIFICATION_BITMAP_DESTROY);
+
+		gen_vm_id = get_generated_value(
+			FFA_NOTIFICATION_BITMAP_DESTROY_CALL_ARG1_VM_ID, ip);
+
+		if (ret.fid == FFA_SUCCESS_SMC32 ||
+		    ret.fid == FFA_SUCCESS_SMC64) {
+			printf("FFA_NOTIFICATION_BITMAP_DESTROY succeeded for VM %lld\n",
+			       gen_vm_id);
+		} else if (ret.fid == FFA_ERROR) {
+			printf("FFA_NOTIFICATION_BITMAP_CREATE returned with FFA_ERROR code %d\n",
+			       ffa_error_code(ret));
+		} else {
+			printf("FAIL FFA_NOTIFICATION_BITMAP_CREATE returned with 0x%lx\n",
+			       ret.fid);
+		}
+		break;
+	}
+	default:
+		break;
+	}
+}
+#endif
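Review bot: `inputparameters_to_ffa_value` copies `ip.x12` into both `arg11` and `arg12`, so the generated x11 value never reaches the SMC and that register is fuzzed with the wrong data; the line should read `args->arg11 = ip.x11;`. In the `ffa_notification_bitmap_destroy_funcid` case, `get_generated_value(..., ip)` is called before `generate_args` has filled `ip`, which reads an uninitialized struct; the result is overwritten after the call, so the first assignment can simply be dropped. The same case prints `FFA_NOTIFICATION_BITMAP_CREATE` in both of its non-success messages, which will mislead anyone triaging fuzzer logs; they should name `FFA_NOTIFICATION_BITMAP_DESTROY`. In the `ffa_partition_info_get_regs_funcid` case the two UUID arrays hold four entries but `setconstraint` is passed a count of 2, so the secondary and tertiary UUIDs are presumably never generated; if that is unintended, pass 4 as the other vector constraints do with their full lengths.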
diff --git a/smc_fuzz/src/runtestfunction_helpers.c b/smc_fuzz/src/runtestfunction_helpers.c
index fbee707..7ef55e8 100644
--- a/smc_fuzz/src/runtestfunction_helpers.c
+++ b/smc_fuzz/src/runtestfunction_helpers.c
@@ -5,12 +5,12 @@
  */
 
 #include <arg_struct_def.h>
+#include <ffa_fuzz_helper.h>
 #include <sdei_fuzz_helper.h>
 #include "smcmalloc.h"
 #include <tsp_fuzz_helper.h>
 
 int cntid = 0;
-
 #include <vendor_fuzz_helper.h>
 
 /*
@@ -23,6 +23,9 @@
 #ifdef SDEI_INCLUDE
 	run_sdei_fuzz(funcid, mmod, inrange, cntid);
 #endif
+#ifdef FFA_INCLUDE
+	run_ffa_fuzz(funcid, mmod);
+#endif
 	run_tsp_fuzz(funcid);
 #ifdef VEN_INCLUDE
 	run_ven_el3_fuzz(funcid, mmod);
diff --git a/tftf/tests/runtime_services/secure_service/spm_common.c b/tftf/tests/runtime_services/secure_service/spm_common.c
index 753d491..4405c50 100644
--- a/tftf/tests/runtime_services/secure_service/spm_common.c
+++ b/tftf/tests/runtime_services/secure_service/spm_common.c
@@ -687,7 +687,17 @@
 	       (uuid1.uuid[3] == uuid2.uuid[3]);
 }
 
-static bool ffa_partition_info_regs_get_part_info(
+uint64_t ffa_get_uuid_lo(const struct ffa_uuid uuid)
+{
+	return (uint64_t)uuid.uuid[1] << 32 | uuid.uuid[0];
+}
+
+uint64_t ffa_get_uuid_hi(const struct ffa_uuid uuid)
+{
+	return (uint64_t)uuid.uuid[3] << 32 | uuid.uuid[2];
+}
+
+bool ffa_partition_info_regs_get_part_info(
 	struct ffa_value *args, uint8_t idx,
 	struct ffa_partition_info *partition_info)
 {
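Review bot: The two new helpers depend on the cast binding tighter than `<<`, and `<<` tighter than `|`; that is correct but easy to misread, so `return ((uint64_t)uuid.uuid[1] << 32) | uuid.uuid[0];` (and likewise for words 3 and 2) would be clearer. A short comment stating that words 0–1 form the low 64 bits and words 2–3 the high 64 bits, matching the `uuid_lo`/`uuid_hi` arguments of the call description, would help callers. `ffa_partition_info_regs_get_part_info` also loses `static` in this hunk; its body lies outside the hunk, so whether `idx` is range-checked for the new external callers cannot be confirmed from here and is worth a look.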
diff --git a/tftf/tests/tests-smcfuzzing.mk b/tftf/tests/tests-smcfuzzing.mk
index 9218da1..ca93469 100644
--- a/tftf/tests/tests-smcfuzzing.mk
+++ b/tftf/tests/tests-smcfuzzing.mk
@@ -80,12 +80,19 @@
 	)
 
 TESTS_SOURCES	+=							\
+	$(addprefix tftf/tests/runtime_services/secure_service/,	\
+		${ARCH}/ffa_arch_helpers.S				\
+		ffa_helpers.c			\
+		spm_common.c			\
+	)
+TESTS_SOURCES	+=							\
 	$(addprefix smc_fuzz/src/,					\
 		randsmcmod.c						\
 		smcmalloc.c						\
 		fifo3d.c						\
 		runtestfunction_helpers.c				\
 		sdei_fuzz_helper.c					\
+		ffa_fuzz_helper.c					\
 		tsp_fuzz_helper.c					\
 		nfifo.c							\
 		constraint.c						\