test(fuzz): add FF-A fuzzing
Add necessary components for FF-A calls to be used in fuzzing framework
including bias tree, `run_ffa_fuzz` helper function, makefile additions,
and initial SMC description file with FF-A smc calls.
ffa_smc_calls.txt can be used to generate the necessary header files.
Signed-off-by: Kathleen Capella <kathleen.capella@arm.com>
Change-Id: Ib19714342d31cacd818471686a7e4c8910fed5c3
diff --git a/include/runtime_services/spm_common.h b/include/runtime_services/spm_common.h
index 4dd5e5c..fa755b9 100644
--- a/include/runtime_services/spm_common.h
+++ b/include/runtime_services/spm_common.h
@@ -101,6 +101,9 @@
uint32_t arg);
void dump_ffa_value(struct ffa_value ret);
+uint64_t ffa_get_uuid_lo(const struct ffa_uuid uuid);
+uint64_t ffa_get_uuid_hi(const struct ffa_uuid uuid);
+
bool check_spmc_execution_level(void);
unsigned int get_ffa_feature_test_target(
@@ -152,6 +155,9 @@
bool enable_trusted_wdog_interrupt(ffa_id_t source, ffa_id_t dest);
bool disable_trusted_wdog_interrupt(ffa_id_t source, ffa_id_t dest);
+bool ffa_partition_info_regs_get_part_info(
+ struct ffa_value *args, uint8_t idx,
+ struct ffa_partition_info *partition_info);
bool ffa_partition_info_regs_helper(const struct ffa_uuid uuid,
const struct ffa_partition_info *expected,
const uint16_t expected_size);
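Review bot: `ffa_partition_info_regs_get_part_info` gets external linkage here, and loses `static` in the `spm_common.c` hunk, but nothing in this commit's visible hunks calls it. The new `ffa_fuzz_helper.c` takes only `ffa_get_uuid_lo` and `ffa_get_uuid_hi` from this header. Unless a caller exists outside the visible diff, keep the function `static` and export it in the change that first needs it. If it stays exported, the prototype should carry a comment saying what `idx` indexes within `args` and what a `false` return means, since the body is not shown here.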
diff --git a/smc_fuzz/all_smc_calls.txt b/smc_fuzz/all_smc_calls.txt
new file mode 100644
index 0000000..0374e57
--- /dev/null
+++ b/smc_fuzz/all_smc_calls.txt
@@ -0,0 +1,209 @@
+#
+# Copyright (c) 2025 Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+smc: SDEI_EVENT_STATUS_CALL
+ arg1:bev
+ field:bev:[0,31] = 0
+smc: SDEI_INTERRUPT_BIND_CALL
+ arg1:interruptnum
+ field:inum:[0,31] = 1
+smc: SDEI_VERSION_CALL
+ arg1-arg17 = 0
+smc: SDEI_EVENT_REGISTER_CALL
+ arg1:eventnum
+ field:enum:[0,31] = 0
+ arg2:entryaddr
+ field:addr:[0,63] = 0
+ arg3:eparg
+ field:arg:[0,63] = 0
+ arg4:flags
+ field:routing:[0,0] = 0
+ field:relative:[1,1] = 0
+ field:reserved:[2,63] = 0
+ arg5:affinity
+ field:aff:[0,63] = 0
+smc: SDEI_EVENT_ENABLE_CALL
+ arg1:eventnum
+ field:enum:[0,31] = 0
+smc: SDEI_FEATURES_CALL
+ arg1:feature
+ field:feat:[0,31] = 0
+smc: SDEI_EVENT_DISABLE_CALL
+ arg1:eventnum
+ field:enum:[0,31] = 0
+smc: SDEI_EVENT_CONTEXT_CALL
+ arg1:paramid
+ field:param:[0,31] = 0
+smc: SDEI_EVENT_COMPLETE_CALL
+ arg1:status
+ field:stat:[0,31] = 0
+smc: SDEI_EVENT_COMPLETE_AND_RESUME_CALL
+ arg1:resumeaddr
+ field:addr:[0,63] = 0
+smc: SDEI_EVENT_UNREGISTER_CALL
+ arg1:event
+ field:enum:[0,31] = 0
+smc: SDEI_EVENT_GET_INFO_CALL
+ arg1:event
+ field:enum:[0,31] = 0
+ arg2:info
+ field:info:[0,31] = 0
+smc: SDEI_EVENT_ROUTING_SET_CALL
+ arg1:event
+ field:enum:[0,31] = 0
+ arg2:routingmode
+ field:routing:[0,0] = 0
+ field:constant:[1,63] = 0
+ arg3:affinity
+ field:aff:[0,63] = 0
+smc: SDEI_PE_MASK_CALL
+ arg1 = 0
+smc: SDEI_PE_UNMASK_CALL
+ arg1 = 0
+smc: SDEI_INTERRUPT_RELEASE_CALL
+ arg1:event
+ field:enum:[0,31] = 0
+smc: SDEI_EVENT_SIGNAL_CALL
+ arg1:event
+ field:enum:[0,31] = 0
+ arg2:targetpe
+ field:pe:[0,31] = 0
+smc: SDEI_PRIVATE_RESET_CALL
+ arg1 = 0
+smc: SDEI_SHARED_RESET_CALL
+ arg1 = 0
+smc: VEN_EL3_SVC_UUID_CALL
+ arg1=0
+smc: VEN_EL3_SVC_COUNT_CALL
+ arg1=0
+smc: VEN_EL3_SVC_VERSION_CALL
+ arg1=0
+smc: FFA_PARTITION_INFO_GET_REGS_CALL
+ arg1:uuid_lo
+ field:uuid_lo:[0,63] = 0
+ arg2:uuid_hi
+ field:uuid_hi:[0,63] = 0
+ arg3:start_idx_and_tag
+ field:start:[0,15] = 0
+ field:tag:[16,31] = 0
+ arg4-arg17 = 0
+smc: FFA_VERSION_CALL
+ arg1:input_version_number
+ field:mbz:[31,31] = 0
+ field:major:[16,30] = 1
+ field:minor:[0,15] = 2
+ arg2-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_64_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,63] = 0x12121212
+ arg4:msg_1
+ field:msg_1:[0,63] = 0x34343434
+ arg5:msg_2
+ field:msg_2:[0,63] = 0x56565656
+ arg6:msg_3
+ field:msg_3:[0,63] = 0x78787878
+ arg7:msg_4
+ field:msg_4:[0,63] = 0x9a9a9a9a
+ arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_64_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,63] = 0x12121212
+ arg4:msg_1
+ field:msg_1:[0,63] = 0x34343434
+ arg5:msg_2
+ field:msg_2:[0,63] = 0x56565656
+ arg6:msg_3
+ field:msg_3:[0,63] = 0x78787878
+ arg7:msg_4
+ field:msg_4:[0,63] = 0x9a9a9a9a
+ arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_32_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,31] = 0x1212
+ arg4:msg_1
+ field:msg_1:[0,31] = 0x3434
+ arg5:msg_2
+ field:msg_2:[0,31] = 0x5656
+ arg6:msg_3
+ field:msg_3:[0,31] = 0x7878
+ arg7:msg_4
+ field:msg_4:[0,31] = 0x9a9a
+ arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_32_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,31] = 0x1212
+ arg4:msg_1
+ field:msg_1:[0,31] = 0x3434
+ arg5:msg_2
+ field:msg_2:[0,31] = 0x5656
+ arg6:msg_3
+ field:msg_3:[0,31] = 0x7878
+ arg7:msg_4
+ field:msg_4:[0,31] = 0x9a9a
+ arg8-arg17 = 0
+smc: FFA_FEATURES_FEAT_ID_CALL
+ arg1:ffa_func_or_feat_id
+ field:w1_is_ffa_func_id:[31,31] = 0
+ field:feat_id:[0,7] = 0x1
+ arg2:input_properties
+ field:input_properties:[0,63] = 0
+ arg3-arg17 = 0
+smc: FFA_FEATURES_FUNC_ID_CALL
+ arg1:ffa_func_or_feat_id
+ field:func_id:[0,31] = 0x84000064
+ arg2:input_properties
+ field:input_properties:[0,63] = 0x0
+ arg3-arg17 = 0
+smc: FFA_RUN_CALL
+ arg1:target_information
+ field:target_vm_id:[16,31] = 0
+ field:target_vcpu_id:[0,15] = 0
+ arg2-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_CREATE_CALL
+ arg1:vm_id
+ field:vm_id:[0,15] = 1
+ arg2:n_vcpus
+ field:n_vcpus:[0,63] = 1
+ arg3-arg17 = 0
+smc: FFA_NOTIFICATION_BIND_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:per_vcpu_notifications:[0,0] = 0
+ arg3:notification_bitmap_lo
+ field:bitmap:[0,31] = 0xAAAA
+ arg4:notification_bitmap_hi
+ field:bitmap:[0,31] = 0x5555
+ arg5-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_DESTROY_CALL
+ arg1:vm_id
+ field:vm_id:[0,15] = 1
+ arg2-arg17 = 0
diff --git a/smc_fuzz/dts/ffa.dts b/smc_fuzz/dts/ffa.dts
new file mode 100644
index 0000000..83c8d3c
--- /dev/null
+++ b/smc_fuzz/dts/ffa.dts
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/dts-v1/;
+
+/ {
+
+ ffa {
+ bias = <30>;
+ ffa_id_get {
+ bias = <30>;
+ functionname = "ffa_id_get_funcid";
+ };
+ ffa_partition_info_get_regs {
+ bias = <30>;
+ functionname = "ffa_partition_info_get_regs_funcid";
+ };
+ ffa_version {
+ bias = <30>;
+ functionname = "ffa_version_funcid";
+ };
+ ffa_msg_send_direct_req_64 {
+ bias = <30>;
+ functionname = "ffa_msg_send_direct_req_64_funcid";
+ };
+ ffa_msg_send_direct_resp_64 {
+ bias = <30>;
+ functionname = "ffa_msg_send_direct_resp_64_funcid";
+ };
+ ffa_msg_send_direct_req_32 {
+ bias = <30>;
+ functionname = "ffa_msg_send_direct_req_32_funcid";
+ };
+ ffa_msg_send_direct_resp_32 {
+ bias = <30>;
+ functionname = "ffa_msg_send_direct_resp_32_funcid";
+ };
+ ffa_features_feat_id {
+ bias = <15>;
+ functionname = "ffa_features_feat_id_funcid";
+ };
+ ffa_features_func_id {
+ bias = <15>;
+ functionname = "ffa_features_func_id_funcid";
+ };
+ ffa_run {
+ bias = <30>;
+ functionname = "ffa_run_funcid";
+ };
+ ffa_notification_bitmap_create {
+ bias = <30>;
+ functionname = "ffa_notification_bitmap_create_funcid";
+ };
+ ffa_notification_bind {
+ bias = <30>;
+ functionname = "ffa_notification_bind_funcid";
+ };
+ ffa_notification_bitmap_destroy {
+ bias = <30>;
+ functionname = "ffa_notification_bitmap_destroy_funcid";
+ };
+ };
+
+};
diff --git a/smc_fuzz/ffa_smc_calls.txt b/smc_fuzz/ffa_smc_calls.txt
new file mode 100644
index 0000000..c96e19a
--- /dev/null
+++ b/smc_fuzz/ffa_smc_calls.txt
@@ -0,0 +1,132 @@
+#
+# Copyright (c) 2025 Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+smc: FFA_PARTITION_INFO_GET_REGS_CALL
+ arg1:uuid_lo
+ field:uuid_lo:[0,63] = 0
+ arg2:uuid_hi
+ field:uuid_hi:[0,63] = 0
+ arg3:start_idx_and_tag
+ field:start:[0,15] = 0
+ field:tag:[16,31] = 0
+ arg4-arg17 = 0
+smc: FFA_VERSION_CALL
+ arg1:input_version_number
+ field:mbz:[31,31] = 0
+ field:major:[16,30] = 1
+ field:minor:[0,15] = 2
+ arg2-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_64_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,63] = 0x12121212
+ arg4:msg_1
+ field:msg_1:[0,63] = 0x34343434
+ arg5:msg_2
+ field:msg_2:[0,63] = 0x56565656
+ arg6:msg_3
+ field:msg_3:[0,63] = 0x78787878
+ arg7:msg_4
+ field:msg_4:[0,63] = 0x9a9a9a9a
+ arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_64_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,63] = 0x12121212
+ arg4:msg_1
+ field:msg_1:[0,63] = 0x34343434
+ arg5:msg_2
+ field:msg_2:[0,63] = 0x56565656
+ arg6:msg_3
+ field:msg_3:[0,63] = 0x78787878
+ arg7:msg_4
+ field:msg_4:[0,63] = 0x9a9a9a9a
+ arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_REQ_32_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,31] = 0x1212
+ arg4:msg_1
+ field:msg_1:[0,31] = 0x3434
+ arg5:msg_2
+ field:msg_2:[0,31] = 0x5656
+ arg6:msg_3
+ field:msg_3:[0,31] = 0x7878
+ arg7:msg_4
+ field:msg_4:[0,31] = 0x9a9a
+ arg8-arg17 = 0
+smc: FFA_MSG_SEND_DIRECT_RESP_32_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:message_type:[31,31] = 0
+ field:frmwk_msg_type:[0,7] = 0
+ arg3:msg_0
+ field:msg_0:[0,31] = 0x1212
+ arg4:msg_1
+ field:msg_1:[0,31] = 0x3434
+ arg5:msg_2
+ field:msg_2:[0,31] = 0x5656
+ arg6:msg_3
+ field:msg_3:[0,31] = 0x7878
+ arg7:msg_4
+ field:msg_4:[0,31] = 0x9a9a
+ arg8-arg17 = 0
+smc: FFA_FEATURES_FEAT_ID_CALL
+ arg1:ffa_func_or_feat_id
+ field:w1_is_ffa_func_id:[31,31] = 0
+ field:feat_id:[0,7] = 0x1
+ arg2:input_properties
+ field:input_properties:[0,63] = 0
+ arg3-arg17 = 0
+smc: FFA_FEATURES_FUNC_ID_CALL
+ arg1:ffa_func_or_feat_id
+ field:func_id:[0,31] = 0x84000064
+ arg2:input_properties
+ field:input_properties:[0,63] = 0x0
+ arg3-arg17 = 0
+smc: FFA_RUN_CALL
+ arg1:target_information
+ field:target_vm_id:[16,31] = 0
+ field:target_vcpu_id:[0,15] = 0
+ arg2-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_CREATE_CALL
+ arg1:vm_id
+ field:vm_id:[0,15] = 1
+ arg2:n_vcpus
+ field:n_vcpus:[0,63] = 1
+ arg3-arg17 = 0
+smc: FFA_NOTIFICATION_BIND_CALL
+ arg1:sender_reciever
+ field:sender_id:[16,31] = 0
+ field:receiver_id:[0,15] = 0
+ arg2:flags
+ field:per_vcpu_notifications:[0,0] = 0
+ arg3:notification_bitmap_lo
+ field:bitmap:[0,31] = 0xAAAA
+ arg4:notification_bitmap_hi
+ field:bitmap:[0,31] = 0x5555
+ arg5-arg17 = 0
+smc: FFA_NOTIFICATION_BITMAP_DESTROY_CALL
+ arg1:vm_id
+ field:vm_id:[0,15] = 1
+ arg2-arg17 = 0
diff --git a/smc_fuzz/include/ffa_fuzz_helper.h b/smc_fuzz/include/ffa_fuzz_helper.h
new file mode 100644
index 0000000..2a10397
--- /dev/null
+++ b/smc_fuzz/include/ffa_fuzz_helper.h
@@ -0,0 +1,10 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <fuzz_helper.h>
+#include "smcmalloc.h"
+
+void run_ffa_fuzz(int funcid, struct memmod *mmod);
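Review bot: This new header has no include guard, although it pulls in `fuzz_helper.h` and `smcmalloc.h` and is itself included unconditionally from `runtestfunction_helpers.c`. Wrap the contents in `#ifndef FFA_FUZZ_HELPER_H` / `#define FFA_FUZZ_HELPER_H` and close with `#endif /* FFA_FUZZ_HELPER_H */`. A short comment on `run_ffa_fuzz` would also help, stating that `funcid` is the bias-tree function id and that ids it does not handle are ignored, which is what the `default: break;` in the implementation does.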
diff --git a/smc_fuzz/src/ffa_fuzz_helper.c b/smc_fuzz/src/ffa_fuzz_helper.c
new file mode 100644
index 0000000..95cfa0c
--- /dev/null
+++ b/smc_fuzz/src/ffa_fuzz_helper.c
@@ -0,0 +1,485 @@
+/*
+ * Copyright (c) 2025, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arg_struct_def.h>
+#include "constraint.h"
+#include <ffa_fuzz_helper.h>
+#include <fuzz_names.h>
+#include <runtime_services/cactus_test_cmds.h>
+#include <runtime_services/ffa_endpoints.h>
+#include <runtime_services/spm_common.h>
+#include <stdint.h>
+
+#ifdef FFA_INCLUDE
+
+#define PRIMARY_LO ffa_get_uuid_lo((struct ffa_uuid){PRIMARY_UUID})
+#define PRIMARY_HI ffa_get_uuid_hi((struct ffa_uuid){PRIMARY_UUID})
+#define SECONDARY_LO ffa_get_uuid_lo((struct ffa_uuid){SECONDARY_UUID})
+#define SECONDARY_HI ffa_get_uuid_hi((struct ffa_uuid){SECONDARY_UUID})
+#define TERTIARY_LO ffa_get_uuid_lo((struct ffa_uuid){TERTIARY_UUID})
+#define TERTIARY_HI ffa_get_uuid_hi((struct ffa_uuid){TERTIARY_UUID})
+
+#define FFA_FUNC_ID_MIN 0x84000060
+#define FFA_FUNC_ID_MAX 0x8400008C
+#define MAX_VM_ID ((UINT64_C(1) << 16) - 1)
+#define FFA_FEAT_ID_MIN 0x0
+#define FFA_FEAT_ID_MAX 0xFF
+#define MAX_NUM_VCPUS 8
+#define MIN_VCPU_ID 0
+#define MAX_VCPU_ID (MAX_NUM_VCPUS - 1)
+
+void inputparameters_to_ffa_value(struct inputparameters ip,
+ struct ffa_value *args)
+{
+ args->arg1 = ip.x1;
+ args->arg2 = ip.x2;
+ args->arg3 = ip.x3;
+ args->arg4 = ip.x4;
+ args->arg5 = ip.x5;
+ args->arg6 = ip.x6;
+ args->arg7 = ip.x7;
+ args->arg8 = ip.x8;
+ args->arg9 = ip.x9;
+ args->arg10 = ip.x10;
+ args->arg11 = ip.x12;
+ args->arg12 = ip.x12;
+ args->arg13 = ip.x13;
+ args->arg14 = ip.x14;
+ args->arg15 = ip.x15;
+ args->arg16 = ip.x16;
+ args->arg17 = ip.x17;
+}
+
+static struct ffa_value ffa_call_with_params(struct inputparameters ip,
+ uint64_t ffa_function_id)
+{
+ struct ffa_value args = {.fid = ffa_function_id};
+
+ inputparameters_to_ffa_value(ip, &args);
+
+ return ffa_service_call(&args);
+}
+
+static bool is_info_get_regs_valid(struct inputparameters ip)
+{
+ uint64_t uuid_lo = ip.x1;
+ uint64_t uuid_hi = ip.x2;
+ uint64_t start = get_generated_value(
+ FFA_PARTITION_INFO_GET_REGS_CALL_ARG3_START, ip);
+ uint64_t tag = get_generated_value(
+ FFA_PARTITION_INFO_GET_REGS_CALL_ARG3_TAG, ip);
+
+ if ((uuid_lo == PRIMARY_LO && uuid_hi == PRIMARY_HI) ||
+ (uuid_lo == SECONDARY_LO && uuid_hi == SECONDARY_HI) ||
+ (uuid_lo == TERTIARY_LO && uuid_hi == TERTIARY_HI)) {
+ return (start == 0 && tag == 0);
+ } else if (uuid_lo == 0 && uuid_hi == 0) {
+ if (start == 0) {
+ return (tag == 0);
+ }
+ return (start < 4);
+ }
+ return false;
+}
+
+void run_ffa_fuzz(int funcid, struct memmod *mmod)
+{
+ /*
+ * For the SMC function id, apply constraints and generate input
+ * arguments based on sanity level, call the SMC, and do basic analysis
+ * and reporting of return results.
+ *
+ * An error return may not be a failure if the inputs are invalid,
+ * therefore failures are marked explicitly.
+ */
+ switch (funcid) {
+ case ffa_id_get_funcid: {
+ struct ffa_value args;
+ struct ffa_value ret;
+
+ args = (struct ffa_value){.fid = FFA_ID_GET};
+ ret = ffa_service_call(&args);
+
+ if (ret.fid == FFA_ERROR) {
+ printf("FAIL error code %d\n", ffa_error_code(ret));
+ }
+ break;
+ }
+ case ffa_partition_info_get_regs_funcid: {
+ uint64_t uuid_lo_values[] = {0, PRIMARY_LO, SECONDARY_LO,
+ TERTIARY_LO};
+ uint64_t uuid_hi_values[] = {0, PRIMARY_HI, SECONDARY_HI,
+ TERTIARY_HI};
+ struct inputparameters ip;
+ struct ffa_value args;
+ struct ffa_value ret;
+
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, uuid_lo_values, 2,
+ FFA_PARTITION_INFO_GET_REGS_CALL_ARG1_UUID_LO,
+ mmod, FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, uuid_hi_values, 2,
+ FFA_PARTITION_INFO_GET_REGS_CALL_ARG2_UUID_HI,
+ mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+ ip = generate_args(FFA_PARTITION_INFO_GET_REGS_CALL,
+ SMC_FUZZ_SANITY_LEVEL);
+ inputparameters_to_ffa_value(ip, &args);
+ args.fid = FFA_PARTITION_INFO_GET_REGS_SMC64;
+
+ ret = ffa_service_call(&args);
+
+ if (is_info_get_regs_valid(ip) && ret.fid == FFA_ERROR) {
+ printf("FAIL error code %d\n", ffa_error_code(ret));
+ }
+ break;
+ }
+ case ffa_version_funcid: {
+ struct inputparameters ip;
+ struct ffa_value ret;
+ uint32_t version;
+
+ ip = generate_args(FFA_VERSION_CALL, SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, FFA_VERSION);
+ version = ret.fid;
+
+ if (version == FFA_ERROR_NOT_SUPPORTED) {
+ printf("FFA_VERSION_NOT_SUPPORTED\n");
+ }
+ break;
+ }
+ case ffa_msg_send_direct_req_32_funcid:
+ case ffa_msg_send_direct_req_64_funcid: {
+ uint64_t receiver_ids[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+ uint64_t sender_id[] = {HYP_ID};
+ uint64_t message_type[] = {0, 1};
+ uint64_t frmwrk_msg_type[] = {0, 1};
+ uint64_t msg_0_input[] = {CACTUS_ECHO_CMD,
+ CACTUS_REQ_ECHO_CMD}; /* Cactus cmd */
+ uint64_t msg_1_input[] = {100,
+ 200}; /* for echo cmds, echo_val */
+ struct inputparameters ip;
+ struct ffa_value ret;
+ uint64_t req_function_id;
+ uint64_t call_id;
+ uint64_t sender_arg;
+ uint64_t receiver_arg;
+ uint64_t msg_type_arg;
+ uint64_t frmwk_msg_type_arg;
+ uint64_t msg_0_arg;
+ uint64_t msg_1_arg;
+
+ if (funcid == ffa_msg_send_direct_req_32_funcid) {
+ req_function_id = FFA_MSG_SEND_DIRECT_REQ_SMC32;
+ call_id = FFA_MSG_SEND_DIRECT_REQ_32_CALL;
+ sender_arg =
+ FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG1_SENDER_ID;
+ receiver_arg =
+ FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG1_RECEIVER_ID;
+ msg_type_arg =
+ FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG2_MESSAGE_TYPE;
+ frmwk_msg_type_arg =
+ FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG2_FRMWK_MSG_TYPE;
+ msg_0_arg = FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG3_MSG_0;
+ msg_1_arg = FFA_MSG_SEND_DIRECT_REQ_32_CALL_ARG4_MSG_1;
+ } else {
+ req_function_id = FFA_MSG_SEND_DIRECT_REQ_SMC64;
+ call_id = FFA_MSG_SEND_DIRECT_REQ_64_CALL;
+ sender_arg =
+ FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG1_SENDER_ID;
+ receiver_arg =
+ FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG1_RECEIVER_ID;
+ msg_type_arg =
+ FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG2_MESSAGE_TYPE;
+ frmwk_msg_type_arg =
+ FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG2_FRMWK_MSG_TYPE;
+ msg_0_arg = FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG3_MSG_0;
+ msg_1_arg = FFA_MSG_SEND_DIRECT_REQ_64_CALL_ARG4_MSG_1;
+ }
+
+ setconstraint(FUZZER_CONSTRAINT_SVALUE, sender_id, 1,
+ sender_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, receiver_ids, 3,
+ receiver_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, message_type, 2,
+ msg_type_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, frmwrk_msg_type, 2,
+ frmwk_msg_type_arg, mmod,
+ FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, msg_0_input, 2,
+ msg_0_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_RANGE, msg_1_input, 2,
+ msg_1_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+ ip = generate_args(call_id, SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, req_function_id);
+
+ switch (ret.fid) {
+ case FFA_MSG_SEND_DIRECT_RESP_SMC64:
+ case FFA_MSG_SEND_DIRECT_RESP_SMC32:
+ printf("Received direct response, ret.arg4 = %ld\n",
+ ret.arg4);
+ break;
+ case FFA_ERROR:
+ printf("Direct request returned with FFA_ERROR code %d\n",
+ ffa_error_code(ret));
+ break;
+ case FFA_MSG_YIELD:
+ printf("FFA_MSG_SEND_DIRECT_REQ returned with FFA_MSG_YIELD\n");
+ break;
+ case FFA_INTERRUPT:
+ printf("FFA_MSG_SEND_DIRECT_REQ returned with FFA_INTERRUPT\n");
+ break;
+ default:
+ printf("FAIL FFA_MSG_SEND_DIRECT_REQ returned with 0x%lx\n",
+ ret.fid);
+ break;
+ }
+ break;
+ }
+ case ffa_msg_send_direct_resp_32_funcid:
+ case ffa_msg_send_direct_resp_64_funcid: {
+ uint64_t receiver_ids[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+ uint64_t sender_id[] = {HYP_ID};
+ struct inputparameters ip;
+ struct ffa_value ret;
+ uint64_t resp_function_id;
+ uint64_t call_id;
+ uint64_t sender_arg;
+ uint64_t receiver_arg;
+ if (funcid == ffa_msg_send_direct_resp_32_funcid) {
+ resp_function_id = FFA_MSG_SEND_DIRECT_RESP_SMC32;
+ call_id = FFA_MSG_SEND_DIRECT_RESP_32_CALL;
+ sender_arg =
+ FFA_MSG_SEND_DIRECT_RESP_32_CALL_ARG1_SENDER_ID;
+ receiver_arg =
+ FFA_MSG_SEND_DIRECT_RESP_32_CALL_ARG1_RECEIVER_ID;
+ } else {
+ resp_function_id = FFA_MSG_SEND_DIRECT_RESP_SMC64;
+ call_id = FFA_MSG_SEND_DIRECT_RESP_64_CALL;
+ sender_arg =
+ FFA_MSG_SEND_DIRECT_RESP_64_CALL_ARG1_SENDER_ID;
+ receiver_arg =
+ FFA_MSG_SEND_DIRECT_RESP_64_CALL_ARG1_RECEIVER_ID;
+ }
+
+ setconstraint(FUZZER_CONSTRAINT_SVALUE, sender_id, 1,
+ sender_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, receiver_ids, 3,
+ receiver_arg, mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+ ip = generate_args(call_id, SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, resp_function_id);
+
+ /* NWd cannot send a direct response. */
+ if (ret.fid == FFA_ERROR) {
+ printf("Direct response returned with FFA_ERROR code %d\n",
+ ffa_error_code(ret));
+ } else {
+ printf("FAIL FFA_MSG_SEND_DIRECT_RESP returned with 0x%lx\n",
+ ret.fid);
+ }
+ break;
+ }
+ case ffa_features_feat_id_funcid: {
+ /* Allow feature_ids in range of 8bits */
+ uint64_t feat_ids_range[] = {FFA_FEAT_ID_MIN, FFA_FEAT_ID_MAX};
+ struct inputparameters ip;
+ struct ffa_value ret;
+
+ setconstraint(FUZZER_CONSTRAINT_RANGE, feat_ids_range, 2,
+ FFA_FEATURES_FEAT_ID_CALL_ARG1_FEAT_ID, mmod,
+ FUZZER_CONSTRAINT_EXCMODE);
+
+ ip = generate_args(FFA_FEATURES_FEAT_ID_CALL,
+ SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, FFA_FEATURES);
+ printf("ret.fid: { 0x%lx\n", ret.fid);
+ break;
+ }
+ case ffa_features_func_id_funcid: {
+ uint64_t ffa_funcid_range[] = {FFA_FUNC_ID_MIN,
+ FFA_FUNC_ID_MAX};
+ struct inputparameters ip;
+ struct ffa_value ret;
+ uint64_t funcid_gen_input;
+
+ setconstraint(FUZZER_CONSTRAINT_RANGE, ffa_funcid_range, 2,
+ FFA_FEATURES_FUNC_ID_CALL_ARG1_FUNC_ID, mmod,
+ FUZZER_CONSTRAINT_EXCMODE);
+
+ ip = generate_args(FFA_FEATURES_FUNC_ID_CALL,
+ SMC_FUZZ_SANITY_LEVEL);
+
+ /*
+ * TODO: Would be a good use case for future fuzzing
+ * functionality having one field constraint dependent
+ * on value of another generated field.
+ */
+ funcid_gen_input = get_generated_value(
+ FFA_FEATURES_FUNC_ID_CALL_ARG1_FUNC_ID, ip);
+ if (SMC_FUZZ_SANITY_LEVEL == SANITY_LEVEL_3 &&
+ funcid_gen_input == FFA_MEM_RETRIEVE_REQ_SMC32) {
+ // Set arg2 to a certain value
+ ip.x2 = 0x10;
+ }
+
+ ret = ffa_call_with_params(ip, FFA_FEATURES);
+ printf("ret.fid: { 0x%lx\n", ret.fid);
+ break;
+ }
+ case ffa_run_funcid: {
+ uint64_t target_ids[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+ uint64_t target_vcpu_ids[] = {MIN_VCPU_ID, MAX_VCPU_ID};
+ struct inputparameters ip;
+ struct ffa_value ret;
+
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, target_ids, 3,
+ FFA_RUN_CALL_ARG1_TARGET_VM_ID, mmod,
+ FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_RANGE, target_vcpu_ids, 2,
+ FFA_RUN_CALL_ARG1_TARGET_VCPU_ID, mmod,
+ FUZZER_CONSTRAINT_EXCMODE);
+ ip = generate_args(FFA_RUN_CALL, SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, FFA_RUN);
+
+ switch (ret.fid) {
+ case FFA_ERROR:
+ printf("FFA_RUN returned with FFA_ERROR code %d\n",
+ ffa_error_code(ret));
+ break;
+
+ case FFA_INTERRUPT:
+ case FFA_MSG_WAIT:
+ case FFA_MSG_YIELD:
+ case FFA_MSG_SEND_DIRECT_RESP_SMC64:
+ case FFA_MSG_SEND_DIRECT_RESP_SMC32:
+ printf("FFA_RUN successfully returned with 0x%lx\n",
+ ret.fid);
+ break;
+ default:
+ printf("FAIL FFA_RUN returned with 0x%lx\n", ret.fid);
+ break;
+ }
+ break;
+ }
+ case ffa_notification_bitmap_create_funcid: {
+ uint64_t vm_id[] = {0, MAX_VM_ID};
+ uint64_t n_vcpus[] = {0, MAX_NUM_VCPUS};
+ struct inputparameters ip;
+ struct ffa_value ret;
+ uint64_t gen_vm_id;
+ uint64_t gen_n_vcpus;
+
+ setconstraint(FUZZER_CONSTRAINT_RANGE, n_vcpus, 2,
+ FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG2_N_VCPUS,
+ mmod, FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_RANGE, vm_id, 2,
+ FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG1_VM_ID,
+ mmod, FUZZER_CONSTRAINT_EXCMODE);
+
+ ip = generate_args(FFA_NOTIFICATION_BITMAP_CREATE_CALL,
+ SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, FFA_NOTIFICATION_BITMAP_CREATE);
+
+ gen_vm_id = get_generated_value(
+ FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG1_VM_ID, ip);
+ gen_n_vcpus = get_generated_value(
+ FFA_NOTIFICATION_BITMAP_CREATE_CALL_ARG2_N_VCPUS, ip);
+
+ if (ret.fid == FFA_SUCCESS_SMC32 ||
+ ret.fid == FFA_SUCCESS_SMC64) {
+ printf("FFA_NOTIFICATION_BITMAP_CREATE succeeded for "
+ "VM %lld with vCPU count %lld\n",
+ gen_vm_id, gen_n_vcpus);
+ } else if (ret.fid == FFA_ERROR) {
+ printf("FFA_NOTIFICATION_BITMAP_CREATE returned with "
+ "FFA_ERROR code %d\n",
+ ffa_error_code(ret));
+ } else {
+ printf("FAIL FFA_NOTIFICATION_BITMAP_CREATE returned with 0x%lx\n",
+ ret.fid);
+ }
+ break;
+ }
+ case ffa_notification_bind_funcid: {
+ uint64_t sps[] = {SP_ID(1), SP_ID(2), SP_ID(3)};
+ uint64_t vm_ids[] = {0, MAX_VM_ID};
+ uint64_t max_bitmap_value = 0xFFFFFFFF;
+ uint64_t bitmap_range[] = {0, max_bitmap_value};
+ struct inputparameters ip;
+ struct ffa_value ret;
+
+ setconstraint(FUZZER_CONSTRAINT_RANGE, vm_ids, 2,
+ FFA_NOTIFICATION_BIND_CALL_ARG1_RECEIVER_ID, mmod,
+ FUZZER_CONSTRAINT_ACCMODE);
+ setconstraint(FUZZER_CONSTRAINT_RANGE, vm_ids, 2,
+ FFA_NOTIFICATION_BIND_CALL_ARG1_SENDER_ID, mmod,
+ FUZZER_CONSTRAINT_ACCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, sps, 3,
+ FFA_NOTIFICATION_BIND_CALL_ARG1_RECEIVER_ID, mmod,
+ FUZZER_CONSTRAINT_ACCMODE);
+ setconstraint(FUZZER_CONSTRAINT_VECTOR, sps, 3,
+ FFA_NOTIFICATION_BIND_CALL_ARG1_SENDER_ID, mmod,
+ FUZZER_CONSTRAINT_ACCMODE);
+ setconstraint(FUZZER_CONSTRAINT_RANGE, bitmap_range, 2,
+ FFA_NOTIFICATION_BIND_CALL_ARG3_BITMAP, mmod,
+ FUZZER_CONSTRAINT_EXCMODE);
+ setconstraint(FUZZER_CONSTRAINT_RANGE, bitmap_range, 2,
+ FFA_NOTIFICATION_BIND_CALL_ARG4_BITMAP, mmod,
+ FUZZER_CONSTRAINT_EXCMODE);
+ ip = generate_args(FFA_NOTIFICATION_BIND_CALL,
+ SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, FFA_NOTIFICATION_BIND);
+
+ if (ret.fid == FFA_SUCCESS_SMC32 ||
+ ret.fid == FFA_SUCCESS_SMC64) {
+ printf("FFA_NOTIFICATION_BIND succeeded\n");
+ } else if (ret.fid == FFA_ERROR) {
+ printf("FFA_NOTIFICATION_BIND returned with FFA_ERROR code %d\n",
+ ffa_error_code(ret));
+ } else {
+ printf("FAIL FFA_NOTIFICATION_BIND returned with 0x%lx\n",
+ ret.fid);
+ }
+ break;
+ }
+ case ffa_notification_bitmap_destroy_funcid: {
+ uint64_t vm_id[] = {0, MAX_VM_ID};
+ struct inputparameters ip;
+ struct ffa_value ret;
+ uint64_t gen_vm_id;
+
+ gen_vm_id = get_generated_value(
+ FFA_NOTIFICATION_BITMAP_DESTROY_CALL_ARG1_VM_ID, ip);
+
+ setconstraint(FUZZER_CONSTRAINT_RANGE, vm_id, 2,
+ FFA_NOTIFICATION_BITMAP_DESTROY_CALL_ARG1_VM_ID,
+ mmod, FUZZER_CONSTRAINT_EXCMODE);
+ ip = generate_args(FFA_NOTIFICATION_BITMAP_DESTROY_CALL,
+ SMC_FUZZ_SANITY_LEVEL);
+ ret = ffa_call_with_params(ip, FFA_NOTIFICATION_BITMAP_DESTROY);
+
+ gen_vm_id = get_generated_value(
+ FFA_NOTIFICATION_BITMAP_DESTROY_CALL_ARG1_VM_ID, ip);
+
+ if (ret.fid == FFA_SUCCESS_SMC32 ||
+ ret.fid == FFA_SUCCESS_SMC64) {
+ printf("FFA_NOTIFICATION_BITMAP_DESTROY succeeded for VM %lld\n",
+ gen_vm_id);
+ } else if (ret.fid == FFA_ERROR) {
+ printf("FFA_NOTIFICATION_BITMAP_CREATE returned with FFA_ERROR code %d\n",
+ ffa_error_code(ret));
+ } else {
+ printf("FAIL FFA_NOTIFICATION_BITMAP_CREATE returned with 0x%lx\n",
+ ret.fid);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+}
+#endif
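Review bot: `inputparameters_to_ffa_value` copies `ip.x12` into both `arg11` and `arg12`, so the generated x11 value never reaches the SMC and register 11 is never fuzzed independently; the line should read `args->arg11 = ip.x11;`. In the `ffa_notification_bitmap_destroy_funcid` case the first `get_generated_value(..., ip)` call runs before `generate_args` has assigned `ip`, so it reads an uninitialized struct; its result is overwritten after the SMC, so the early call can be deleted. The same case prints `FFA_NOTIFICATION_BITMAP_CREATE` in its error and FAIL messages, which will mislabel results when triaging fuzz logs; both should name `FFA_NOTIFICATION_BITMAP_DESTROY`. In the `ffa_partition_info_get_regs_funcid` case the four-element `uuid_lo_values` and `uuid_hi_values` arrays are passed to `setconstraint` with a count of 2, whereas the other `FUZZER_CONSTRAINT_VECTOR` calls pass the full array length; if that argument is the element count, the secondary and tertiary UUIDs are never generated and `4` was probably intended. Separately, `gen_vm_id` and `gen_n_vcpus` are `uint64_t` but printed with the signed `%lld` while other 64-bit values use `%lx`; `PRIu64`/`PRIx64` would be consistent if the tree provides `<inttypes.h>`.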
diff --git a/smc_fuzz/src/runtestfunction_helpers.c b/smc_fuzz/src/runtestfunction_helpers.c
index fbee707..7ef55e8 100644
--- a/smc_fuzz/src/runtestfunction_helpers.c
+++ b/smc_fuzz/src/runtestfunction_helpers.c
@@ -5,12 +5,12 @@
*/
#include <arg_struct_def.h>
+#include <ffa_fuzz_helper.h>
#include <sdei_fuzz_helper.h>
#include "smcmalloc.h"
#include <tsp_fuzz_helper.h>
int cntid = 0;
-
#include <vendor_fuzz_helper.h>
/*
@@ -23,6 +23,9 @@
#ifdef SDEI_INCLUDE
run_sdei_fuzz(funcid, mmod, inrange, cntid);
#endif
+#ifdef FFA_INCLUDE
+ run_ffa_fuzz(funcid, mmod);
+#endif
run_tsp_fuzz(funcid);
#ifdef VEN_INCLUDE
run_ven_el3_fuzz(funcid, mmod);
diff --git a/tftf/tests/runtime_services/secure_service/spm_common.c b/tftf/tests/runtime_services/secure_service/spm_common.c
index 753d491..4405c50 100644
--- a/tftf/tests/runtime_services/secure_service/spm_common.c
+++ b/tftf/tests/runtime_services/secure_service/spm_common.c
@@ -687,7 +687,17 @@
(uuid1.uuid[3] == uuid2.uuid[3]);
}
-static bool ffa_partition_info_regs_get_part_info(
+uint64_t ffa_get_uuid_lo(const struct ffa_uuid uuid)
+{
+ return (uint64_t)uuid.uuid[1] << 32 | uuid.uuid[0];
+}
+
+uint64_t ffa_get_uuid_hi(const struct ffa_uuid uuid)
+{
+ return (uint64_t)uuid.uuid[3] << 32 | uuid.uuid[2];
+}
+
+bool ffa_partition_info_regs_get_part_info(
struct ffa_value *args, uint8_t idx,
struct ffa_partition_info *partition_info)
{
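Review bot: `ffa_get_uuid_lo` and `ffa_get_uuid_hi` rely on `<<` binding tighter than `|` and on the `uuid.uuid[]` elements being unsigned 32-bit words; the element type is declared outside this hunk, so that second part is an assumption to confirm. Parenthesising makes the packing explicit: `return ((uint64_t)uuid.uuid[1] << 32) | uuid.uuid[0];`, and likewise for words 3 and 2. Each helper should also get a one-line comment, for example `/* Pack UUID words 0-1 into the 64-bit low-half value passed as arg1 of FFA_PARTITION_INFO_GET_REGS. */`, because the fuzz helper compares generated register values against these results and the word order is easy to get backwards.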
diff --git a/tftf/tests/tests-smcfuzzing.mk b/tftf/tests/tests-smcfuzzing.mk
index 9218da1..ca93469 100644
--- a/tftf/tests/tests-smcfuzzing.mk
+++ b/tftf/tests/tests-smcfuzzing.mk
@@ -80,12 +80,19 @@
)
TESTS_SOURCES += \
+ $(addprefix tftf/tests/runtime_services/secure_service/, \
+ ${ARCH}/ffa_arch_helpers.S \
+ ffa_helpers.c \
+ spm_common.c \
+ )
+TESTS_SOURCES += \
$(addprefix smc_fuzz/src/, \
randsmcmod.c \
smcmalloc.c \
fifo3d.c \
runtestfunction_helpers.c \
sdei_fuzz_helper.c \
+ ffa_fuzz_helper.c \
tsp_fuzz_helper.c \
nfifo.c \
constraint.c \