Lines Matching full:secure
1 Secure Partition Manager
49 | SP | Secure Partition |
51 | SPD | Secure Payload Dispatcher |
53 | SPM | Secure Partition Manager |
61 | SWd | Secure World |
73 Three implementations of a Secure Partition Manager co-exist in the TF-A
77 the secure world, managing multiple S-EL1 or S-EL0 partitions.
79 without virtualization in the secure world.
90 reference code base for an S-EL2/SPMC secure firmware on platforms
98 - The term SPMC refers to the S-EL2 component managing secure partitions in
99 the secure world when the FEAT_SEL2 architecture extension is implemented.
100 - Alternatively, SPMC can refer to an S-EL1 component, itself being a secure
104 - The term SP refers to a secure world "Virtual Machine" managed by an SPMC.
131 and SPMC, one or multiple secure partitions, with an optional
145 enable another Secure Payload Dispatcher when this option is chosen.
159 (see `Describing secure partitions`_). It
161 secure partitions are to be loaded by BL2 on behalf of the SPMC.
187 the Hafnium binary path (built for the secure world) or the path to a TEE
225 implemented, the SPMC is located at S-EL2, and enabling secure boot:
330 Loading Hafnium and secure partitions in the secure world
333 TF-A BL2 is the bootlader for the SPMC and SPs in the secure world.
351 Secure Partition packages
354 Secure partitions are bundled as independent package files consisting
373 Secure Payload BL32 (Trusted OS): offset=0x1BCD1, size=0x15270, cmdline="--tos-fw"
383 .. uml:: ../resources/diagrams/plantuml/fip-secure-partitions.puml
385 Describing secure partitions
446 SP that co-resides with the SPMC and executes at S-EL1 or Secure Supervisor
475 Other nodes in the manifest are consumed by Hafnium in the secure world.
486 secure or non-secure memory, depending on the *device_type* field.
487 If the field specifies "memory" the range is secure, else if it specifies
488 "ns-memory" the memory is non-secure. The system integrator must exclude
521 different boot flow. The flow restricts to a maximum of 8 secure partitions.
523 Secure boot
527 SPMC manifest, secure partitions and verifies them for authenticity and integrity.
539 Also refer to `Describing secure partitions`_ and `TF-A build options`_ sections.
541 Hafnium in the secure world
547 Build platform for the secure world
551 the secure world. Such portions are isolated in architecture specific files
554 Secure partitions scheduling
558 secure partitions. For this a VM (Hypervisor or OS kernel), or SP invokes one of:
563 Additionally a secure interrupt can pre-empt the normal world execution and give
595 state of the range that it relates to. I.e. non-secure memory shall be
596 part of a non-secure memory range, and secure memory shall be contained
597 in a secure memory range of a given platform.
609 provides a memory security attribute hinting to map either to the secure or
610 non-secure EL1&0 Stage-2 table if it exists.
632 of the SP (see section `Describing secure partitions`_) shall be updated to contain
650 The whole secure partition package image (see `Secure Partition packages`_) is
651 mapped to the SP secure EL1&0 Stage-2 translation regime. As such, the SP can
679 at secure physical FF-A instance).
681 The SPMC then creates secure partitions based on SP packages and manifests. Each
682 secure partition is launched in sequence (`SP Boot order`_) on their "primary"
692 - In the case of a MP SP, it invokes the FFA_SECONDARY_EP_REGISTER at secure
710 In a linux based system, once secure and normal worlds are booted but prior to
716 - Other SPs have their first execution context initialized as a result of secure
772 - Schedule Receiver Interrupt: non-secure physical interrupt to be handled by
774 donates a SGI ID chosen from the secure SGI IDs range and configures it as
775 non-secure. The SPMC triggers this SGI on the currently running core when
780 given secure partition. The NPI is pended when the NWd relinquishes CPU cycles
841 FF-A features supported by the SPMC may be discovered by secure partitions at
844 The SPMC calling FFA_FEATURES at secure physical FF-A instance always get
853 When invoked from a secure partition FFA_RXTX_MAP maps the provided send and
855 regime as secure buffers in the MMU descriptors.
860 which is expected to receive messages from the secure world. The SPMC will in
866 caller, either it being the Hypervisor or OS kernel, as well as a secure
880 The FF-A id space is split into a non-secure space and secure space:
896 use a secure FF-A ID as origin world by spoofing:
898 - A VM-to-SP direct request/response shall set the origin world to be non-secure
899 (FF-A ID bit 15 clear) and destination world to be secure (FF-A ID bit 15
917 - or initiated by an SP and thus origin endpoint ID must be a "secure world ID".
923 This is a mandatory interface for secure partitions consisting in direct request
936 The secure partitions notifications bitmap are statically allocated by the SPMC.
937 Hence, this interface is not to be issued by secure partitions.
984 the FFA_SPM_ID_GET interface at the secure physical FF-A instance.
986 Secure partitions call this interface at the virtual FF-A instance, to which
995 When the SPMC boots, all secure partitions are initialized on their primary
998 The FFA_SECONDARY_EP_REGISTER interface is to be used by a secure partition
1016 If a normal world VM is expected to exchange messages with secure world,
1096 secure world. If there is an SP involved, the SPMC allocates data to track the
1114 multiple endpoints (from both secure world and normal world). If there is
1129 With secure virtualization enabled (``HCR_EL2.VM = 1``) and for S-EL1
1130 partitions, two IPA spaces (secure and non-secure) are output from the
1131 secure EL1&0 Stage-1 translation.
1134 - A secure IPA when the SP EL1&0 Stage-1 MMU is disabled.
1135 - One of secure or non-secure IPA when the secure EL1&0 Stage-1 MMU is enabled.
1143 - Stage-2 translation table walks for the NS IPA space are to the secure PA space.
1145 Secure and non-secure IPA regions (rooted to by ``VTTBR_EL2`` and ``VSTTBR_EL2``)
1151 For S-EL0 partitions with VHE enabled, a single secure EL2&0 Stage-1 translation
1162 request. When execution on a PE is in the secure state, only a single call chain
1180 allocated CPU cycles by SPMC to handle a secure interrupt.
1194 The SPMC owns the GIC configuration. Secure and non-secure interrupts are
1201 - NS-Int: A non-secure physical interrupt. It requires a switch to the normal
1202 world to be handled if it triggers while execution is in secure world.
1203 - Other S-Int: A secure physical interrupt targeted to an SP different from
1205 - Self S-Int: A secure physical interrupt targeted to the SP that is currently
1208 Non-secure interrupt handling
1211 This section documents the actions supported in SPMC in response to a non-secure
1215 - Non-secure interrupt is signaled.
1216 - Non-secure interrupt is signaled after a managed exit.
1217 - Non-secure interrupt is queued.
1225 Secure interrupt handling
1228 This section documents the support implemented for secure interrupt handling in
1237 - Secure interrupts are configured as G1S or G0 interrupts.
1238 - All physical interrupts are routed to SPMC when running a secure partition
1241 to corresponding CPUs. Hence, a secure virtual interrupt cannot be signaled
1245 A physical secure interrupt could trigger while CPU is executing in normal world
1246 or secure world.
1247 The action of SPMC for a secure interrupt depends on: the state of the target
1249 whether the interrupt triggered while execution was in normal world or secure
1252 Secure interrupt signaling mechanisms
1259 to S-EL1 SPs. When normal world execution is preempted by a secure interrupt,
1284 Secure interrupt completion mechanisms
1287 A SP signals secure interrupt handling completion to the SPMC through the
1299 deactivation of the secure virtual interrupt.
1301 If the current SP execution context was preempted by a secure interrupt to be
1305 Actions for a secure interrupt triggered while execution is in normal world
1316 | | | by a non-secure interrupt. SPMC queues the |
1317 | | | secure virtual interrupt now. It is signaled |
1327 If normal world execution was preempted by a secure interrupt, SPMC uses
1328 FFA_NORMAL_WORLD_RESUME ABI to indicate completion of secure interrupt handling
1331 The following figure describes interrupt handling flow when a secure interrupt
1334 .. image:: ../resources/diagrams/ffa-secure-interrupt-handling-nwd.png
1338 - 1) Secure interrupt triggers while normal world is running.
1340 - 3) SPMD signals secure interrupt to SPMC at S-EL2 using FFA_INTERRUPT ABI.
1353 clears the fields tracking the secure interrupt and resumes SP1 vCPU.
1354 - 9) SP1 performs secure interrupt completion through FFA_MSG_WAIT ABI.
1358 Actions for a secure interrupt triggered while execution is in secure world
1369 | S-Int | | RUNNING state to handle the secure virtual |
1372 | PREEMPTED by | Queued | SPMC queues the secure virtual interrupt now. |
1387 The following figure describes interrupt handling flow when a secure interrupt
1388 triggers while execution is in secure world. We assume OS kernel sends a direct
1392 .. image:: ../resources/diagrams/ffa-secure-interrupt-handling-swd.png
1396 - 1) Secure interrupt triggers while SP2 is running.
1398 - 3) SPMC finds the target vCPU of secure partition responsible for handling
1399 this secure interrupt. In this scenario, it is SP1.
1410 clears the fields tracking the secure interrupt and resumes SP1 vCPU.
1418 In GICv3 based systems, EL3 interrupts are configured as Group0 secure
1430 SPMD provides platform hook to handle Group0 secure interrupts. In the
1437 In platforms with or without secure virtualization:
1443 - While coordinating PM events, the PSCI library calls backs into the Secure
1446 When using the SPMD as a Secure Payload Dispatcher:
1515 support for SMMUv3 driver in both normal and secure world. A brief introduction
1533 - SMMUv3 offers non-secure stream support with secure stream support being
1535 instance for secure and non-secure stream support.
1539 extensions. Consequently, SPM depends on Secure EL2 support in SMMUv3.2
1540 for providing Secure Stage2 translation support to upstream peripheral
1554 registers have independent secure and non-secure versions to configure the
1555 behaviour of SMMUv3 for translation of secure and non-secure streams
1591 The primary design goal for the Hafnium SMMU driver is to support secure
1604 FEAT_VHE (mandatory with ARMv8.1 in non-secure state, and in secure world
1621 a S-EL0 partition to accept a direct message from secure world and normal world,
1640 [2] :ref:`Secure Partition Manager using MM interface<Secure Partition Manager (MM)>`