Lines Matching refs:secure

77    the secure world, managing multiple S-EL1 or S-EL0 partitions.
79 without virtualization in the secure world.
90 reference code base for an S-EL2/SPMC secure firmware on platforms
98 - The term SPMC refers to the S-EL2 component managing secure partitions in
99 the secure world when the FEAT_SEL2 architecture extension is implemented.
100 - Alternatively, SPMC can refer to an S-EL1 component, itself being a secure
104 - The term SP refers to a secure world "Virtual Machine" managed by an SPMC.
131 and SPMC, one or multiple secure partitions, with an optional
160 (see `Describing secure partitions`_). It
162 secure partitions are to be loaded by BL2 on behalf of the SPMC.
188 the Hafnium binary path (built for the secure world) or the path to a TEE
226 implemented, the SPMC is located at S-EL2, and enabling secure boot:
315 Loading Hafnium and secure partitions in the secure world
318 TF-A BL2 is the bootloader for the SPMC and SPs in the secure world.
368 .. uml:: ../resources/diagrams/plantuml/fip-secure-partitions.puml
370 Describing secure partitions
460 Other nodes in the manifest are consumed by Hafnium in the secure world.
499 different boot flow. The flow restricts to a maximum of 8 secure partitions.
505 SPMC manifest, secure partitions and verifies them for authenticity and integrity.
517 Also refer to `Describing secure partitions`_ and `TF-A build options`_ sections.
519 Hafnium in the secure world
525 Build platform for the secure world
529 the secure world. Such portions are isolated in architecture specific files
536 secure partitions. For this a VM (Hypervisor or OS kernel), or SP invokes one of:
541 Additionally a secure interrupt can pre-empt the normal world execution and give
582 provides a memory security attribute hinting to map either to the secure or
583 non-secure EL1&0 Stage-2 table if it exists.
605 of the SP (see section `Describing secure partitions`_) shall be updated to contain
623 The whole secure partition package image (see `Secure Partition packages`_) is
624 mapped to the SP secure EL1&0 Stage-2 translation regime. As such, the SP can
652 at secure physical FF-A instance).
654 The SPMC then creates secure partitions based on SP packages and manifests. Each
655 secure partition is launched in sequence (`SP Boot order`_) on their "primary"
665 - In the case of a MP SP, it invokes the FFA_SECONDARY_EP_REGISTER at secure
683 In a Linux-based system, once secure and normal worlds are booted but prior to
689 - Other SPs have their first execution context initialized as a result of secure
745 - Schedule Receiver Interrupt: non-secure physical interrupt to be handled by
747 donates a SGI ID chosen from the secure SGI IDs range and configures it as
748 non-secure. The SPMC triggers this SGI on the currently running core when
753 given secure partition. The NPI is pended when the NWd relinquishes CPU cycles
814 FF-A features supported by the SPMC may be discovered by secure partitions at
817 The SPMC calling FFA_FEATURES at secure physical FF-A instance always gets
826 When invoked from a secure partition FFA_RXTX_MAP maps the provided send and
828 regime as secure buffers in the MMU descriptors.
833 which is expected to receive messages from the secure world. The SPMC will in
839 caller, either it being the Hypervisor or OS kernel, as well as a secure
853 The FF-A id space is split into a non-secure space and secure space:
869 use a secure FF-A ID as origin world by spoofing:
871 - A VM-to-SP direct request/response shall set the origin world to be non-secure
872 (FF-A ID bit 15 clear) and destination world to be secure (FF-A ID bit 15
890 - or initiated by an SP and thus origin endpoint ID must be a "secure world ID".
896 This is a mandatory interface for secure partitions consisting in direct request
909 The secure partitions notifications bitmap are statically allocated by the SPMC.
910 Hence, this interface is not to be issued by secure partitions.
957 the FFA_SPM_ID_GET interface at the secure physical FF-A instance.
968 When the SPMC boots, all secure partitions are initialized on their primary
971 The FFA_SECONDARY_EP_REGISTER interface is to be used by a secure partition
989 If a normal world VM is expected to exchange messages with secure world,
1040 With secure virtualization enabled (``HCR_EL2.VM = 1``) and for S-EL1
1041 partitions, two IPA spaces (secure and non-secure) are output from the
1042 secure EL1&0 Stage-1 translation.
1045 - A secure IPA when the SP EL1&0 Stage-1 MMU is disabled.
1046 - One of secure or non-secure IPA when the secure EL1&0 Stage-1 MMU is enabled.
1054 - Stage-2 translation table walks for the NS IPA space are to the secure PA space.
1056 Secure and non-secure IPA regions (rooted to by ``VTTBR_EL2`` and ``VSTTBR_EL2``)
1062 For S-EL0 partitions with VHE enabled, a single secure EL2&0 Stage-1 translation
1073 request. When execution on a PE is in the secure state, only a single call chain
1091 allocated CPU cycles by SPMC to handle a secure interrupt.
1105 The SPMC owns the GIC configuration. Secure and non-secure interrupts are
1112 - NS-Int: A non-secure physical interrupt. It requires a switch to the normal
1113 world to be handled if it triggers while execution is in secure world.
1114 - Other S-Int: A secure physical interrupt targeted to an SP different from
1116 - Self S-Int: A secure physical interrupt targeted to the SP that is currently
1119 Non-secure interrupt handling
1122 This section documents the actions supported in SPMC in response to a non-secure
1126 - Non-secure interrupt is signaled.
1127 - Non-secure interrupt is signaled after a managed exit.
1128 - Non-secure interrupt is queued.
1139 This section documents the support implemented for secure interrupt handling in
1149 - All physical interrupts are routed to SPMC when running a secure partition
1152 to corresponding CPUs. Hence, a secure virtual interrupt cannot be signaled
1156 A physical secure interrupt could trigger while CPU is executing in normal world
1157 or secure world.
1158 The action of SPMC for a secure interrupt depends on: the state of the target
1160 whether the interrupt triggered while execution was in normal world or secure
1170 to S-EL1 SPs. When normal world execution is preempted by a secure interrupt,
1198 A SP signals secure interrupt handling completion to the SPMC through the
1210 deactivation of the secure virtual interrupt.
1212 If the current SP execution context was preempted by a secure interrupt to be
1216 Actions for a secure interrupt triggered while execution is in normal world
1227 | | | by a non-secure interrupt. SPMC queues the |
1228 | | | secure virtual interrupt now. It is signaled |
1238 If normal world execution was preempted by a secure interrupt, SPMC uses
1239 FFA_NORMAL_WORLD_RESUME ABI to indicate completion of secure interrupt handling
1242 The following figure describes interrupt handling flow when a secure interrupt
1245 .. image:: ../resources/diagrams/ffa-secure-interrupt-handling-nwd.png
1251 - 3) SPMD signals secure interrupt to SPMC at S-EL2 using FFA_INTERRUPT ABI.
1264 clears the fields tracking the secure interrupt and resumes SP1 vCPU.
1265 - 9) SP1 performs secure interrupt completion through FFA_MSG_WAIT ABI.
1269 Actions for a secure interrupt triggered while execution is in secure world
1280 | S-Int | | RUNNING state to handle the secure virtual |
1283 | PREEMPTED by | Queued | SPMC queues the secure virtual interrupt now. |
1298 The following figure describes interrupt handling flow when a secure interrupt
1299 triggers while execution is in secure world. We assume OS kernel sends a direct
1303 .. image:: ../resources/diagrams/ffa-secure-interrupt-handling-swd.png
1309 - 3) SPMC finds the target vCPU of secure partition responsible for handling
1310 this secure interrupt. In this scenario, it is SP1.
1321 clears the fields tracking the secure interrupt and resumes SP1 vCPU.
1329 In platforms with or without secure virtualization:
1407 support for SMMUv3 driver in both normal and secure world. A brief introduction
1425 - SMMUv3 offers non-secure stream support with secure stream support being
1427 instance for secure and non-secure stream support.
1446 registers have independent secure and non-secure versions to configure the
1447 behaviour of SMMUv3 for translation of secure and non-secure streams
1483 The primary design goal for the Hafnium SMMU driver is to support secure
1496 FEAT_VHE (mandatory with ARMv8.1 in non-secure state, and in secure world
1513 a S-EL0 partition to accept a direct message from secure world and normal world,