FIH: Re-enable FIH on AN521

1. Define FIH_RET_TYPE macro to avoid defining a function twice with
   different return types.
2. Rename tfm_fih_implementation to tfm_fih.
3. Change all FIH protected functions into FIH format.
4. Expand stack sizes because SPM needs more stack to call FIH function.
   - S_MSP_STACK_SIZE:           2048 -> 2496
   - TFM_NS_AGENT_TZ_STACK_SIZE: 1024 -> 1256

Signed-off-by: Xinyu Zhang <xinyu.zhang@arm.com>
Change-Id: Ic0136f0232b1e99940fddcbc57e2898516e9d1fc
diff --git a/secure_fw/spm/CMakeLists.txt b/secure_fw/spm/CMakeLists.txt
index 1812821..ce02d19 100755
--- a/secure_fw/spm/CMakeLists.txt
+++ b/secure_fw/spm/CMakeLists.txt
@@ -93,6 +93,7 @@
         tfm_partitions
         tfm_fih_headers
         tfm_sprt
+        $<$<NOT:$<STREQUAL:${TFM_FIH_PROFILE},OFF>>:tfm_fih>
 )
 
 target_compile_definitions(tfm_spm
diff --git a/secure_fw/spm/cmsis_psa/main.c b/secure_fw/spm/cmsis_psa/main.c
index b74bfc4..937322e 100644
--- a/secure_fw/spm/cmsis_psa/main.c
+++ b/secure_fw/spm/cmsis_psa/main.c
@@ -23,27 +23,16 @@
 static fih_int tfm_core_init(void)
 {
     enum tfm_plat_err_t plat_err = TFM_PLAT_ERR_SYSTEM_ERR;
-#ifdef TFM_FIH_PROFILE_ON
     fih_int fih_rc = FIH_FAILURE;
-#else
-    enum tfm_hal_status_t hal_status = TFM_HAL_ERROR_GENERIC;
-#endif
 
     /*
      * Access to any peripheral should be performed after programming
      * the necessary security components such as PPC/SAU.
      */
-#ifdef TFM_FIH_PROFILE_ON
     FIH_CALL(tfm_hal_set_up_static_boundaries, fih_rc);
     if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
         FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
     }
-#else /* TFM_FIH_PROFILE_ON */
-    hal_status = tfm_hal_set_up_static_boundaries();
-    if (hal_status != TFM_HAL_SUCCESS) {
-        return TFM_ERROR_GENERIC;
-    }
-#endif /* TFM_FIH_PROFILE_ON */
 
 #ifdef TFM_FIH_PROFILE_ON
     FIH_CALL(tfm_hal_verify_static_boundaries, fih_rc);
@@ -52,21 +41,14 @@
     }
 #endif
 
-#ifdef TFM_FIH_PROFILE_ON
     FIH_CALL(tfm_hal_platform_init, fih_rc);
     if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
         FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
     }
-#else /* TFM_FIH_PROFILE_ON */
-    hal_status = tfm_hal_platform_init();
-    if (hal_status != TFM_HAL_SUCCESS) {
-        return TFM_ERROR_GENERIC;
-    }
-#endif /* TFM_FIH_PROFILE_ON */
 
     plat_err = tfm_plat_otp_init();
     if (plat_err != TFM_PLAT_ERR_SUCCESS) {
-            FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
+        FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
     }
 
     /* Perform provisioning. */
diff --git a/secure_fw/spm/cmsis_psa/spm_ipc.c b/secure_fw/spm/cmsis_psa/spm_ipc.c
index 3ff9499..19ade00 100755
--- a/secure_fw/spm/cmsis_psa/spm_ipc.c
+++ b/secure_fw/spm/cmsis_psa/spm_ipc.c
@@ -451,10 +451,7 @@
 {
     struct partition_t *partition;
     uint32_t service_setting;
-
-#ifdef TFM_FIH_PROFILE_ON
     fih_int fih_rc = FIH_FAILURE;
-#endif
 
     tfm_pool_init(conn_handle_pool,
                   POOL_BUFFER_SIZE(conn_handle_pool),
@@ -482,19 +479,11 @@
         load_irqs_assuredly(partition);
 
         /* Bind the partition with platform. */
-#if TFM_FIH_PROFILE_ON
         FIH_CALL(tfm_hal_bind_boundary, fih_rc, partition->p_ldinf,
                  &partition->boundary);
         if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
             tfm_core_panic();
         }
-#else /* TFM_FIH_PROFILE_ON */
-        if (tfm_hal_bind_boundary(partition->p_ldinf,
-                                    &partition->boundary)
-                != TFM_HAL_SUCCESS) {
-            tfm_core_panic();
-        }
-#endif /* TFM_FIH_PROFILE_ON */
 
         backend_init_comp_assuredly(partition, service_setting);
     }
diff --git a/secure_fw/spm/ffm/backend_ipc.c b/secure_fw/spm/ffm/backend_ipc.c
index 6e72b90..4123e29 100644
--- a/secure_fw/spm/ffm/backend_ipc.c
+++ b/secure_fw/spm/ffm/backend_ipc.c
@@ -197,6 +197,7 @@
 {
     uint32_t control;
     struct partition_t *p_cur_pt;
+    fih_int fih_rc = FIH_FAILURE;
 
 #if CONFIG_TFM_PSA_API_CROSS_CALL == 1
     TFM_CORE_ASSERT(SPM_THREAD_CONTEXT);
@@ -208,8 +209,8 @@
     p_cur_pt = TO_CONTAINER(CURRENT_THREAD->p_context_ctrl,
                             struct partition_t, ctx_ctrl);
 
-    if (tfm_hal_activate_boundary(p_cur_pt->p_ldinf, p_cur_pt->boundary)
-            != TFM_HAL_SUCCESS) {
+    FIH_CALL(tfm_hal_activate_boundary, fih_rc, p_cur_pt->p_ldinf, p_cur_pt->boundary);
+    if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
         tfm_core_panic();
     }
 
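Review bot: The new `FIH_CALL(tfm_hal_activate_boundary, fih_rc, p_cur_pt->p_ldinf, p_cur_pt->boundary);` line runs well past 80 columns, while every other converted call in this commit wraps its arguments. Breaking it the same way as the call in `ipc_schedule`, `FIH_CALL(tfm_hal_activate_boundary, fih_rc,` followed by `p_cur_pt->p_ldinf, p_cur_pt->boundary);` on a continuation line, keeps the file consistent. The enclosing function starts and ends outside the hunk.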
@@ -249,6 +250,7 @@
 
 uint64_t ipc_schedule(void)
 {
+    fih_int fih_rc = FIH_FAILURE;
     AAPCS_DUAL_U32_T ctx_ctrls;
     struct partition_t *p_part_curr, *p_part_next;
     struct context_ctrl_t *p_curr_ctx;
@@ -276,9 +278,9 @@
          * implementation. Change privilege, MPU or other configurations.
          */
         if (p_part_curr->boundary != p_part_next->boundary) {
-            if (tfm_hal_activate_boundary(p_part_next->p_ldinf,
-                                          p_part_next->boundary)
-                                                        != TFM_HAL_SUCCESS) {
+            FIH_CALL(tfm_hal_activate_boundary, fih_rc,
+                     p_part_next->p_ldinf, p_part_next->boundary);
+            if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
                 tfm_core_panic();
             }
         }
diff --git a/secure_fw/spm/ffm/interrupt.c b/secure_fw/spm/ffm/interrupt.c
index a873a4f..802657b 100644
--- a/secure_fw/spm/ffm/interrupt.c
+++ b/secure_fw/spm/ffm/interrupt.c
@@ -37,6 +37,7 @@
     struct partition_t *p_curr_sp;
     uintptr_t sp_base, sp_limit, curr_stack, ctx_stack;
     struct context_ctrl_t flih_ctx_ctrl;
+    fih_int fih_rc = FIH_FAILURE;
 
     /* Come too early before runtime setup, should not happen. */
     if (!CURRENT_THREAD) {
@@ -58,8 +59,8 @@
     }
 
     if (p_owner_sp->boundary != p_curr_sp->boundary) {
-        tfm_hal_activate_boundary(p_owner_sp->p_ldinf,
-                                  p_owner_sp->boundary);
+        FIH_CALL(tfm_hal_activate_boundary, fih_rc,
+                 p_owner_sp->p_ldinf, p_owner_sp->boundary);
     }
 
     /*
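Review bot: The result of the boundary switch is written to `fih_rc` and never examined, both here and in the `@@ -85,13 +86,14 @@` hunk of this file. A failed or glitched `tfm_hal_activate_boundary` therefore lets the FLIH path continue under whatever isolation configuration was active before. backend_ipc.c in this same commit panics on this call, so adding `if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) { tfm_core_panic(); }` after each `FIH_CALL` would make the interrupt path consistent. The removed lines also ignored the return value, so this is an existing gap that the conversion makes visible rather than a regression. Both enclosing functions start and end outside their hunks.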
@@ -85,13 +86,14 @@
                                 struct context_flih_ret_t *p_ctx_flih_ret)
 {
     struct partition_t *p_prev_sp, *p_owner_sp;
+    fih_int fih_rc = FIH_FAILURE;
 
     p_prev_sp = (struct partition_t *)(p_ctx_flih_ret->state_ctx.r2);
     p_owner_sp = GET_CURRENT_COMPONENT();
 
     if (p_owner_sp->boundary != p_prev_sp->boundary) {
-        tfm_hal_activate_boundary(p_prev_sp->p_ldinf,
-                                  p_prev_sp->boundary);
+        FIH_CALL(tfm_hal_activate_boundary, fih_rc,
+                 p_prev_sp->p_ldinf, p_prev_sp->boundary);
     }
 
     /* Restore current component */
diff --git a/secure_fw/spm/ffm/psa_api.c b/secure_fw/spm/ffm/psa_api.c
index a93b2c9..c0c4aac 100644
--- a/secure_fw/spm/ffm/psa_api.c
+++ b/secure_fw/spm/ffm/psa_api.c
@@ -156,6 +156,7 @@
     int32_t type = (int32_t)(int16_t)((ctrl_param & TYPE_MASK) >> TYPE_OFFSET);
     size_t in_num = (size_t)((ctrl_param & IN_LEN_MASK) >> IN_LEN_OFFSET);
     size_t out_num = (size_t)((ctrl_param & OUT_LEN_MASK) >> OUT_LEN_OFFSET);
+    fih_int fih_rc = FIH_FAILURE;
 
     /* The request type must be zero or positive. */
     if (type < 0) {
@@ -247,9 +248,10 @@
      * if the memory reference for the wrap input vector is invalid or not
      * readable.
      */
-    if (tfm_hal_memory_check(curr_partition->boundary,
-                             (uintptr_t)inptr, in_num * sizeof(psa_invec),
-                             TFM_HAL_ACCESS_READABLE) != PSA_SUCCESS) {
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             curr_partition->boundary, (uintptr_t)inptr,
+             in_num * sizeof(psa_invec), TFM_HAL_ACCESS_READABLE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         return PSA_ERROR_PROGRAMMER_ERROR;
     }
 
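Review bot: The expected value in the new check is `fih_int_encode(PSA_SUCCESS)`, whereas the other HAL calls converted in this commit (`tfm_hal_set_up_static_boundaries`, `tfm_hal_bind_boundary`, `tfm_hal_activate_boundary`) are compared against `fih_int_encode(TFM_HAL_SUCCESS)`. The declaration of `tfm_hal_memory_check` is not visible in this diff; if it returns the HAL status type like its siblings, the comparison presumably holds only because the two success constants share a value, and `if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {` would state the intent directly. The same comparison recurs in every later `tfm_hal_memory_check` hunk of psa_api.c and in tfm_boot_data.c. The enclosing function begins and ends outside the hunk.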
@@ -258,8 +260,10 @@
      * actual length later. It is a PROGRAMMER ERROR if the memory reference for
      * the wrap output vector is invalid or not read-write.
      */
-    if (tfm_hal_memory_check(curr_partition->boundary, (uintptr_t)outptr,
-      out_num * sizeof(psa_outvec), TFM_HAL_ACCESS_READWRITE) != PSA_SUCCESS) {
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             curr_partition->boundary, (uintptr_t)outptr,
+             out_num * sizeof(psa_outvec), TFM_HAL_ACCESS_READWRITE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         return PSA_ERROR_PROGRAMMER_ERROR;
     }
 
@@ -275,9 +279,10 @@
      * memory reference was invalid or not readable.
      */
     for (i = 0; i < in_num; i++) {
-        if (tfm_hal_memory_check(curr_partition->boundary,
-                                 (uintptr_t)invecs[i].base, invecs[i].len,
-                                 TFM_HAL_ACCESS_READABLE) != PSA_SUCCESS) {
+        FIH_CALL(tfm_hal_memory_check, fih_rc,
+                 curr_partition->boundary, (uintptr_t)invecs[i].base,
+                 invecs[i].len, TFM_HAL_ACCESS_READABLE);
+        if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
             return PSA_ERROR_PROGRAMMER_ERROR;
         }
     }
@@ -303,9 +308,10 @@
      * payload memory reference was invalid or not read-write.
      */
     for (i = 0; i < out_num; i++) {
-        if (tfm_hal_memory_check(curr_partition->boundary,
-                                 (uintptr_t)outvecs[i].base, outvecs[i].len,
-                                 TFM_HAL_ACCESS_READWRITE) != PSA_SUCCESS) {
+        FIH_CALL(tfm_hal_memory_check, fih_rc,
+                 curr_partition->boundary, (uintptr_t)outvecs[i].base,
+                 outvecs[i].len, TFM_HAL_ACCESS_READWRITE);
+        if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
             return PSA_ERROR_PROGRAMMER_ERROR;
         }
     }
@@ -479,6 +485,7 @@
 {
     struct conn_handle_t *handle = NULL;
     struct partition_t *partition = NULL;
+    fih_int fih_rc = FIH_FAILURE;
 
     /*
      * Only one message could be retrieved every time for psa_get(). It is a
@@ -494,8 +501,10 @@
      * Write the message to the service buffer. It is a fatal error if the
      * input msg pointer is not a valid memory reference or not read-write.
      */
-    if (tfm_hal_memory_check(partition->boundary, (uintptr_t)msg,
-        sizeof(psa_msg_t), TFM_HAL_ACCESS_READWRITE) != PSA_SUCCESS) {
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             partition->boundary, (uintptr_t)msg,
+             sizeof(psa_msg_t), TFM_HAL_ACCESS_READWRITE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         tfm_core_panic();
     }
 
@@ -536,6 +545,7 @@
     size_t bytes;
     struct conn_handle_t *handle = NULL;
     struct partition_t *curr_partition = GET_CURRENT_COMPONENT();
+    fih_int fih_rc = FIH_FAILURE;
 
     /* It is a fatal error if message handle is invalid */
     handle = spm_get_handle_by_msg_handle(msg_handle);
@@ -580,8 +590,10 @@
      * Copy the client data to the service buffer. It is a fatal error
      * if the memory reference for buffer is invalid or not read-write.
      */
-    if (tfm_hal_memory_check(curr_partition->boundary, (uintptr_t)buffer,
-                         num_bytes, TFM_HAL_ACCESS_READWRITE) != PSA_SUCCESS) {
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             curr_partition->boundary, (uintptr_t)buffer,
+             num_bytes, TFM_HAL_ACCESS_READWRITE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         tfm_core_panic();
     }
 
@@ -663,6 +675,7 @@
 {
     struct conn_handle_t *handle = NULL;
     struct partition_t *curr_partition = GET_CURRENT_COMPONENT();
+    fih_int fih_rc = FIH_FAILURE;
 
     /* It is a fatal error if message handle is invalid */
     handle = spm_get_handle_by_msg_handle(msg_handle);
@@ -711,8 +724,10 @@
      * Copy the service buffer to client outvecs. It is a fatal error
      * if the memory reference for buffer is invalid or not readable.
      */
-    if (tfm_hal_memory_check(curr_partition->boundary,
-       (uintptr_t)buffer, num_bytes, TFM_HAL_ACCESS_READABLE) != PSA_SUCCESS) {
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             curr_partition->boundary, (uintptr_t)buffer,
+             num_bytes, TFM_HAL_ACCESS_READABLE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         tfm_core_panic();
     }
 
@@ -1020,6 +1035,7 @@
 {
     struct conn_handle_t *handle;
     struct partition_t *partition = NULL;
+    fih_int fih_rc = FIH_FAILURE;
 
     /* It is a fatal error if message handle is invalid */
     handle = spm_get_handle_by_msg_handle(msg_handle);
@@ -1078,10 +1094,10 @@
      * It is a fatal error if the memory reference for the wrap input vector is
      * invalid or not readable.
      */
-    if (tfm_hal_memory_check(partition->boundary,
-                             (uintptr_t)handle->invec[invec_idx].base,
-                             handle->invec[invec_idx].len,
-                             TFM_HAL_ACCESS_READABLE) != PSA_SUCCESS) {
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             partition->boundary, (uintptr_t)handle->invec[invec_idx].base,
+             handle->invec[invec_idx].len, TFM_HAL_ACCESS_READABLE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         tfm_core_panic();
     }
 
@@ -1150,6 +1166,7 @@
     struct conn_handle_t *handle;
     uint32_t privileged;
     struct partition_t *partition = NULL;
+    fih_int fih_rc = FIH_FAILURE;
 
     /* It is a fatal error if message handle is invalid */
     handle = spm_get_handle_by_msg_handle(msg_handle);
@@ -1208,10 +1225,10 @@
     /*
      * It is a fatal error if the output vector is invalid or not read-write.
      */
-    if (tfm_hal_memory_check(partition->boundary,
-           (uintptr_t)handle->outvec[outvec_idx].base,
-           handle->outvec[outvec_idx].len,
-           TFM_HAL_ACCESS_READWRITE) != PSA_SUCCESS) {
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             partition->boundary, (uintptr_t)handle->outvec[outvec_idx].base,
+             handle->outvec[outvec_idx].len, TFM_HAL_ACCESS_READWRITE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         tfm_core_panic();
     }
     SET_IOVEC_MAPPED(handle, (outvec_idx + OUTVEC_IDX_BASE));
diff --git a/secure_fw/spm/ffm/tfm_boot_data.c b/secure_fw/spm/ffm/tfm_boot_data.c
index deb88e7..eb6bc8d 100644
--- a/secure_fw/spm/ffm/tfm_boot_data.c
+++ b/secure_fw/spm/ffm/tfm_boot_data.c
@@ -156,6 +156,7 @@
     uint32_t res;
 #else
     struct partition_t *curr_partition = GET_CURRENT_COMPONENT();
+    fih_int fih_rc = FIH_FAILURE;
 #endif
 
 #ifndef TFM_PSA_API
@@ -174,10 +175,10 @@
     }
 #else
 
-    if (tfm_hal_memory_check(curr_partition->boundary,
-                             (uintptr_t)buf_start, buf_size,
-                             TFM_HAL_ACCESS_READWRITE) != PSA_SUCCESS) {
-        /* Not in accessible range, return error */
+    FIH_CALL(tfm_hal_memory_check, fih_rc,
+             curr_partition->boundary, (uintptr_t)buf_start,
+             buf_size, TFM_HAL_ACCESS_READWRITE);
+    if (fih_not_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
         args[0] = (uint32_t)TFM_ERROR_INVALID_PARAMETER;
         return;
     }
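Review bot: The rewritten check drops the `/* Not in accessible range, return error */` comment that explained why `args[0]` is set to `TFM_ERROR_INVALID_PARAMETER`, and nothing in the new lines replaces it. Keeping it as the first line inside the `if (fih_not_eq(...))` body preserves the reason for the early return, which is less obvious now that the condition reads as a generic FIH comparison. The enclosing function starts and ends outside the hunk.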