platform/intel-quark/imr.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * imr.c -- Intel Isolated Memory Region driver
0004  *
0005  * Copyright(c) 2013 Intel Corporation.
0006  * Copyright(c) 2015 Bryan O'Donoghue <pure.logic@nexus-software.ie>
0007  *
0008  * IMR registers define an isolated region of memory that can
0009  * be masked to prohibit certain system agents from accessing memory.
0010  * When a device behind a masked port performs an access - snooped or
0011  * not, an IMR may optionally prevent that transaction from changing
0012  * the state of memory or from getting correct data in response to the
0013  * operation.
0014  *
0015  * Write data will be dropped and reads will return 0xFFFFFFFF, the
0016  * system will reset and system BIOS will print out an error message to
0017  * inform the user that an IMR has been violated.
0018  *
0019  * This code is based on the Linux MTRR code and reference code from
0020  * Intel's Quark BSP EFI, Linux and grub code.
0021  *
0022  * See quark-x1000-datasheet.pdf for register definitions.
0023  * http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/quark-x1000-datasheet.pdf
0024  */
0025
0026 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0027
0028 #include <asm-generic/sections.h>
0029 #include <asm/cpu_device_id.h>
0030 #include <asm/imr.h>
0031 #include <asm/iosf_mbi.h>
0032 #include <asm/io.h>
0033
0034 #include <linux/debugfs.h>
0035 #include <linux/init.h>
0036 #include <linux/mm.h>
0037 #include <linux/types.h>
0038
0039 struct imr_device {
0040     bool        init;
0041     struct mutex    lock;
0042     int     max_imr;
0043     int     reg_base;
0044 };
0045
0046 static struct imr_device imr_dev;
0047
0048 /*
0049  * IMR read/write mask control registers.
0050  * See quark-x1000-datasheet.pdf sections 12.7.4.5 and 12.7.4.6 for
0051  * bit definitions.
0052  *
0053  * addr_hi
0054  * 31       Lock bit
0055  * 30:24    Reserved
0056  * 23:2     1 KiB aligned lo address
0057  * 1:0      Reserved
0058  *
0059  * addr_hi
0060  * 31:24    Reserved
0061  * 23:2     1 KiB aligned hi address
0062  * 1:0      Reserved
0063  */
0064 #define IMR_LOCK    BIT(31)
0065
0066 struct imr_regs {
0067     u32 addr_lo;
0068     u32 addr_hi;
0069     u32 rmask;
0070     u32 wmask;
0071 };
0072
0073 #define IMR_NUM_REGS    (sizeof(struct imr_regs)/sizeof(u32))
0074 #define IMR_SHIFT   8
0075 #define imr_to_phys(x)  ((x) << IMR_SHIFT)
0076 #define phys_to_imr(x)  ((x) >> IMR_SHIFT)
0077
0078 /**
0079  * imr_is_enabled - true if an IMR is enabled false otherwise.
0080  *
0081  * Determines if an IMR is enabled based on address range and read/write
0082  * mask. An IMR set with an address range set to zero and a read/write
0083  * access mask set to all is considered to be disabled. An IMR in any
0084  * other state - for example set to zero but without read/write access
0085  * all is considered to be enabled. This definition of disabled is how
0086  * firmware switches off an IMR and is maintained in kernel for
0087  * consistency.
0088  *
0089  * @imr:    pointer to IMR descriptor.
0090  * @return: true if IMR enabled false if disabled.
0091  */
0092 static inline int imr_is_enabled(struct imr_regs *imr)
0093 {
0094     return !(imr->rmask == IMR_READ_ACCESS_ALL &&
0095          imr->wmask == IMR_WRITE_ACCESS_ALL &&
0096          imr_to_phys(imr->addr_lo) == 0 &&
0097          imr_to_phys(imr->addr_hi) == 0);
0098 }
0099
0100 /**
0101  * imr_read - read an IMR at a given index.
0102  *
0103  * Requires caller to hold imr mutex.
0104  *
0105  * @idev:   pointer to imr_device structure.
0106  * @imr_id: IMR entry to read.
0107  * @imr:    IMR structure representing address and access masks.
0108  * @return: 0 on success or error code passed from mbi_iosf on failure.
0109  */
0110 static int imr_read(struct imr_device *idev, u32 imr_id, struct imr_regs *imr)
0111 {
0112     u32 reg = imr_id * IMR_NUM_REGS + idev->reg_base;
0113     int ret;
0114
0115     ret = iosf_mbi_read(QRK_MBI_UNIT_MM, MBI_REG_READ, reg++, &imr->addr_lo);
0116     if (ret)
0117         return ret;
0118
0119     ret = iosf_mbi_read(QRK_MBI_UNIT_MM, MBI_REG_READ, reg++, &imr->addr_hi);
0120     if (ret)
0121         return ret;
0122
0123     ret = iosf_mbi_read(QRK_MBI_UNIT_MM, MBI_REG_READ, reg++, &imr->rmask);
0124     if (ret)
0125         return ret;
0126
0127     return iosf_mbi_read(QRK_MBI_UNIT_MM, MBI_REG_READ, reg++, &imr->wmask);
0128 }
0129
0130 /**
0131  * imr_write - write an IMR at a given index.
0132  *
0133  * Requires caller to hold imr mutex.
0134  * Note lock bits need to be written independently of address bits.
0135  *
0136  * @idev:   pointer to imr_device structure.
0137  * @imr_id: IMR entry to write.
0138  * @imr:    IMR structure representing address and access masks.
0139  * @return: 0 on success or error code passed from mbi_iosf on failure.
0140  */
0141 static int imr_write(struct imr_device *idev, u32 imr_id, struct imr_regs *imr)
0142 {
0143     unsigned long flags;
0144     u32 reg = imr_id * IMR_NUM_REGS + idev->reg_base;
0145     int ret;
0146
0147     local_irq_save(flags);
0148
0149     ret = iosf_mbi_write(QRK_MBI_UNIT_MM, MBI_REG_WRITE, reg++, imr->addr_lo);
0150     if (ret)
0151         goto failed;
0152
0153     ret = iosf_mbi_write(QRK_MBI_UNIT_MM, MBI_REG_WRITE, reg++, imr->addr_hi);
0154     if (ret)
0155         goto failed;
0156
0157     ret = iosf_mbi_write(QRK_MBI_UNIT_MM, MBI_REG_WRITE, reg++, imr->rmask);
0158     if (ret)
0159         goto failed;
0160
0161     ret = iosf_mbi_write(QRK_MBI_UNIT_MM, MBI_REG_WRITE, reg++, imr->wmask);
0162     if (ret)
0163         goto failed;
0164
0165     local_irq_restore(flags);
0166     return 0;
0167 failed:
0168     /*
0169      * If writing to the IOSF failed then we're in an unknown state,
0170      * likely a very bad state. An IMR in an invalid state will almost
0171      * certainly lead to a memory access violation.
0172      */
0173     local_irq_restore(flags);
0174     WARN(ret, "IOSF-MBI write fail range 0x%08x-0x%08x unreliable\n",
0175          imr_to_phys(imr->addr_lo), imr_to_phys(imr->addr_hi) + IMR_MASK);
0176
0177     return ret;
0178 }
0179
0180 /**
0181  * imr_dbgfs_state_show - print state of IMR registers.
0182  *
0183  * @s:      pointer to seq_file for output.
0184  * @unused: unused parameter.
0185  * @return: 0 on success or error code passed from mbi_iosf on failure.
0186  */
0187 static int imr_dbgfs_state_show(struct seq_file *s, void *unused)
0188 {
0189     phys_addr_t base;
0190     phys_addr_t end;
0191     int i;
0192     struct imr_device *idev = s->private;
0193     struct imr_regs imr;
0194     size_t size;
0195     int ret = -ENODEV;
0196
0197     mutex_lock(&idev->lock);
0198
0199     for (i = 0; i < idev->max_imr; i++) {
0200
0201         ret = imr_read(idev, i, &imr);
0202         if (ret)
0203             break;
0204
0205         /*
0206          * Remember to add IMR_ALIGN bytes to size to indicate the
0207          * inherent IMR_ALIGN size bytes contained in the masked away
0208          * lower ten bits.
0209          */
0210         if (imr_is_enabled(&imr)) {
0211             base = imr_to_phys(imr.addr_lo);
0212             end = imr_to_phys(imr.addr_hi) + IMR_MASK;
0213             size = end - base + 1;
0214         } else {
0215             base = 0;
0216             end = 0;
0217             size = 0;
0218         }
0219         seq_printf(s, "imr%02i: base=%pa, end=%pa, size=0x%08zx "
0220                "rmask=0x%08x, wmask=0x%08x, %s, %s\n", i,
0221                &base, &end, size, imr.rmask, imr.wmask,
0222                imr_is_enabled(&imr) ? "enabled " : "disabled",
0223                imr.addr_lo & IMR_LOCK ? "locked" : "unlocked");
0224     }
0225
0226     mutex_unlock(&idev->lock);
0227     return ret;
0228 }
0229 DEFINE_SHOW_ATTRIBUTE(imr_dbgfs_state);
0230
0231 /**
0232  * imr_debugfs_register - register debugfs hooks.
0233  *
0234  * @idev:   pointer to imr_device structure.
0235  */
0236 static void imr_debugfs_register(struct imr_device *idev)
0237 {
0238     debugfs_create_file("imr_state", 0444, NULL, idev,
0239                 &imr_dbgfs_state_fops);
0240 }
0241
0242 /**
0243  * imr_check_params - check passed address range IMR alignment and non-zero size
0244  *
0245  * @base:   base address of intended IMR.
0246  * @size:   size of intended IMR.
0247  * @return: zero on valid range -EINVAL on unaligned base/size.
0248  */
0249 static int imr_check_params(phys_addr_t base, size_t size)
0250 {
0251     if ((base & IMR_MASK) || (size & IMR_MASK)) {
0252         pr_err("base %pa size 0x%08zx must align to 1KiB\n",
0253             &base, size);
0254         return -EINVAL;
0255     }
0256     if (size == 0)
0257         return -EINVAL;
0258
0259     return 0;
0260 }
0261
0262 /**
0263  * imr_raw_size - account for the IMR_ALIGN bytes that addr_hi appends.
0264  *
0265  * IMR addr_hi has a built in offset of plus IMR_ALIGN (0x400) bytes from the
0266  * value in the register. We need to subtract IMR_ALIGN bytes from input sizes
0267  * as a result.
0268  *
0269  * @size:   input size bytes.
0270  * @return: reduced size.
0271  */
0272 static inline size_t imr_raw_size(size_t size)
0273 {
0274     return size - IMR_ALIGN;
0275 }
0276
0277 /**
0278  * imr_address_overlap - detects an address overlap.
0279  *
0280  * @addr:   address to check against an existing IMR.
0281  * @imr:    imr being checked.
0282  * @return: true for overlap false for no overlap.
0283  */
0284 static inline int imr_address_overlap(phys_addr_t addr, struct imr_regs *imr)
0285 {
0286     return addr >= imr_to_phys(imr->addr_lo) && addr <= imr_to_phys(imr->addr_hi);
0287 }
0288
0289 /**
0290  * imr_add_range - add an Isolated Memory Region.
0291  *
0292  * @base:   physical base address of region aligned to 1KiB.
0293  * @size:   physical size of region in bytes must be aligned to 1KiB.
0294  * @read_mask:  read access mask.
0295  * @write_mask: write access mask.
0296  * @return: zero on success or negative value indicating error.
0297  */
0298 int imr_add_range(phys_addr_t base, size_t size,
0299           unsigned int rmask, unsigned int wmask)
0300 {
0301     phys_addr_t end;
0302     unsigned int i;
0303     struct imr_device *idev = &imr_dev;
0304     struct imr_regs imr;
0305     size_t raw_size;
0306     int reg;
0307     int ret;
0308
0309     if (WARN_ONCE(idev->init == false, "driver not initialized"))
0310         return -ENODEV;
0311
0312     ret = imr_check_params(base, size);
0313     if (ret)
0314         return ret;
0315
0316     /* Tweak the size value. */
0317     raw_size = imr_raw_size(size);
0318     end = base + raw_size;
0319
0320     /*
0321      * Check for reserved IMR value common to firmware, kernel and grub
0322      * indicating a disabled IMR.
0323      */
0324     imr.addr_lo = phys_to_imr(base);
0325     imr.addr_hi = phys_to_imr(end);
0326     imr.rmask = rmask;
0327     imr.wmask = wmask;
0328     if (!imr_is_enabled(&imr))
0329         return -ENOTSUPP;
0330
0331     mutex_lock(&idev->lock);
0332
0333     /*
0334      * Find a free IMR while checking for an existing overlapping range.
0335      * Note there's no restriction in silicon to prevent IMR overlaps.
0336      * For the sake of simplicity and ease in defining/debugging an IMR
0337      * memory map we exclude IMR overlaps.
0338      */
0339     reg = -1;
0340     for (i = 0; i < idev->max_imr; i++) {
0341         ret = imr_read(idev, i, &imr);
0342         if (ret)
0343             goto failed;
0344
0345         /* Find overlap @ base or end of requested range. */
0346         ret = -EINVAL;
0347         if (imr_is_enabled(&imr)) {
0348             if (imr_address_overlap(base, &imr))
0349                 goto failed;
0350             if (imr_address_overlap(end, &imr))
0351                 goto failed;
0352         } else {
0353             reg = i;
0354         }
0355     }
0356
0357     /* Error out if we have no free IMR entries. */
0358     if (reg == -1) {
0359         ret = -ENOMEM;
0360         goto failed;
0361     }
0362
0363     pr_debug("add %d phys %pa-%pa size %zx mask 0x%08x wmask 0x%08x\n",
0364          reg, &base, &end, raw_size, rmask, wmask);
0365
0366     /* Enable IMR at specified range and access mask. */
0367     imr.addr_lo = phys_to_imr(base);
0368     imr.addr_hi = phys_to_imr(end);
0369     imr.rmask = rmask;
0370     imr.wmask = wmask;
0371
0372     ret = imr_write(idev, reg, &imr);
0373     if (ret < 0) {
0374         /*
0375          * In the highly unlikely event iosf_mbi_write failed
0376          * attempt to rollback the IMR setup skipping the trapping
0377          * of further IOSF write failures.
0378          */
0379         imr.addr_lo = 0;
0380         imr.addr_hi = 0;
0381         imr.rmask = IMR_READ_ACCESS_ALL;
0382         imr.wmask = IMR_WRITE_ACCESS_ALL;
0383         imr_write(idev, reg, &imr);
0384     }
0385 failed:
0386     mutex_unlock(&idev->lock);
0387     return ret;
0388 }
0389 EXPORT_SYMBOL_GPL(imr_add_range);
0390
0391 /**
0392  * __imr_remove_range - delete an Isolated Memory Region.
0393  *
0394  * This function allows you to delete an IMR by its index specified by reg or
0395  * by address range specified by base and size respectively. If you specify an
0396  * index on its own the base and size parameters are ignored.
0397  * imr_remove_range(0, base, size); delete IMR at index 0 base/size ignored.
0398  * imr_remove_range(-1, base, size); delete IMR from base to base+size.
0399  *
0400  * @reg:    imr index to remove.
0401  * @base:   physical base address of region aligned to 1 KiB.
0402  * @size:   physical size of region in bytes aligned to 1 KiB.
0403  * @return: -EINVAL on invalid range or out or range id
0404  *      -ENODEV if reg is valid but no IMR exists or is locked
0405  *      0 on success.
0406  */
0407 static int __imr_remove_range(int reg, phys_addr_t base, size_t size)
0408 {
0409     phys_addr_t end;
0410     bool found = false;
0411     unsigned int i;
0412     struct imr_device *idev = &imr_dev;
0413     struct imr_regs imr;
0414     size_t raw_size;
0415     int ret = 0;
0416
0417     if (WARN_ONCE(idev->init == false, "driver not initialized"))
0418         return -ENODEV;
0419
0420     /*
0421      * Validate address range if deleting by address, else we are
0422      * deleting by index where base and size will be ignored.
0423      */
0424     if (reg == -1) {
0425         ret = imr_check_params(base, size);
0426         if (ret)
0427             return ret;
0428     }
0429
0430     /* Tweak the size value. */
0431     raw_size = imr_raw_size(size);
0432     end = base + raw_size;
0433
0434     mutex_lock(&idev->lock);
0435
0436     if (reg >= 0) {
0437         /* If a specific IMR is given try to use it. */
0438         ret = imr_read(idev, reg, &imr);
0439         if (ret)
0440             goto failed;
0441
0442         if (!imr_is_enabled(&imr) || imr.addr_lo & IMR_LOCK) {
0443             ret = -ENODEV;
0444             goto failed;
0445         }
0446         found = true;
0447     } else {
0448         /* Search for match based on address range. */
0449         for (i = 0; i < idev->max_imr; i++) {
0450             ret = imr_read(idev, i, &imr);
0451             if (ret)
0452                 goto failed;
0453
0454             if (!imr_is_enabled(&imr) || imr.addr_lo & IMR_LOCK)
0455                 continue;
0456
0457             if ((imr_to_phys(imr.addr_lo) == base) &&
0458                 (imr_to_phys(imr.addr_hi) == end)) {
0459                 found = true;
0460                 reg = i;
0461                 break;
0462             }
0463         }
0464     }
0465
0466     if (!found) {
0467         ret = -ENODEV;
0468         goto failed;
0469     }
0470
0471     pr_debug("remove %d phys %pa-%pa size %zx\n", reg, &base, &end, raw_size);
0472
0473     /* Tear down the IMR. */
0474     imr.addr_lo = 0;
0475     imr.addr_hi = 0;
0476     imr.rmask = IMR_READ_ACCESS_ALL;
0477     imr.wmask = IMR_WRITE_ACCESS_ALL;
0478
0479     ret = imr_write(idev, reg, &imr);
0480
0481 failed:
0482     mutex_unlock(&idev->lock);
0483     return ret;
0484 }
0485
0486 /**
0487  * imr_remove_range - delete an Isolated Memory Region by address
0488  *
0489  * This function allows you to delete an IMR by an address range specified
0490  * by base and size respectively.
0491  * imr_remove_range(base, size); delete IMR from base to base+size.
0492  *
0493  * @base:   physical base address of region aligned to 1 KiB.
0494  * @size:   physical size of region in bytes aligned to 1 KiB.
0495  * @return: -EINVAL on invalid range or out or range id
0496  *      -ENODEV if reg is valid but no IMR exists or is locked
0497  *      0 on success.
0498  */
0499 int imr_remove_range(phys_addr_t base, size_t size)
0500 {
0501     return __imr_remove_range(-1, base, size);
0502 }
0503 EXPORT_SYMBOL_GPL(imr_remove_range);
0504
0505 /**
0506  * imr_clear - delete an Isolated Memory Region by index
0507  *
0508  * This function allows you to delete an IMR by an address range specified
0509  * by the index of the IMR. Useful for initial sanitization of the IMR
0510  * address map.
0511  * imr_ge(base, size); delete IMR from base to base+size.
0512  *
0513  * @reg:    imr index to remove.
0514  * @return: -EINVAL on invalid range or out or range id
0515  *      -ENODEV if reg is valid but no IMR exists or is locked
0516  *      0 on success.
0517  */
0518 static inline int imr_clear(int reg)
0519 {
0520     return __imr_remove_range(reg, 0, 0);
0521 }
0522
0523 /**
0524  * imr_fixup_memmap - Tear down IMRs used during bootup.
0525  *
0526  * BIOS and Grub both setup IMRs around compressed kernel, initrd memory
0527  * that need to be removed before the kernel hands out one of the IMR
0528  * encased addresses to a downstream DMA agent such as the SD or Ethernet.
0529  * IMRs on Galileo are setup to immediately reset the system on violation.
0530  * As a result if you're running a root filesystem from SD - you'll need
0531  * the boot-time IMRs torn down or you'll find seemingly random resets when
0532  * using your filesystem.
0533  *
0534  * @idev:   pointer to imr_device structure.
0535  * @return:
0536  */
0537 static void __init imr_fixup_memmap(struct imr_device *idev)
0538 {
0539     phys_addr_t base = virt_to_phys(&_text);
0540     size_t size = virt_to_phys(&__end_rodata) - base;
0541     unsigned long start, end;
0542     int i;
0543     int ret;
0544
0545     /* Tear down all existing unlocked IMRs. */
0546     for (i = 0; i < idev->max_imr; i++)
0547         imr_clear(i);
0548
0549     start = (unsigned long)_text;
0550     end = (unsigned long)__end_rodata - 1;
0551
0552     /*
0553      * Setup an unlocked IMR around the physical extent of the kernel
0554      * from the beginning of the .text section to the end of the
0555      * .rodata section as one physically contiguous block.
0556      *
0557      * We don't round up @size since it is already PAGE_SIZE aligned.
0558      * See vmlinux.lds.S for details.
0559      */
0560     ret = imr_add_range(base, size, IMR_CPU, IMR_CPU);
0561     if (ret < 0) {
0562         pr_err("unable to setup IMR for kernel: %zu KiB (%lx - %lx)\n",
0563             size / 1024, start, end);
0564     } else {
0565         pr_info("protecting kernel .text - .rodata: %zu KiB (%lx - %lx)\n",
0566             size / 1024, start, end);
0567     }
0568
0569 }
0570
0571 static const struct x86_cpu_id imr_ids[] __initconst = {
0572     X86_MATCH_VENDOR_FAM_MODEL(INTEL, 5, INTEL_FAM5_QUARK_X1000, NULL),
0573     {}
0574 };
0575
0576 /**
0577  * imr_init - entry point for IMR driver.
0578  *
0579  * return: -ENODEV for no IMR support 0 if good to go.
0580  */
0581 static int __init imr_init(void)
0582 {
0583     struct imr_device *idev = &imr_dev;
0584
0585     if (!x86_match_cpu(imr_ids) || !iosf_mbi_available())
0586         return -ENODEV;
0587
0588     idev->max_imr = QUARK_X1000_IMR_MAX;
0589     idev->reg_base = QUARK_X1000_IMR_REGBASE;
0590     idev->init = true;
0591
0592     mutex_init(&idev->lock);
0593     imr_debugfs_register(idev);
0594     imr_fixup_memmap(idev);
0595     return 0;
0596 }
0597 device_initcall(imr_init);