Trusted Firmware-A Tests, version 2.0
This is the first public version of the tests for the Trusted
Firmware-A project. Please see the documentation provided in the
source tree for more details.
Change-Id: I6f3452046a1351ac94a71b3525c30a4ca8db7867
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: amobal01 <amol.balasokamble@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Co-authored-by: Asha R <asha.r@arm.com>
Co-authored-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Co-authored-by: David Cunado <david.cunado@arm.com>
Co-authored-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: dp-arm <dimitris.papastamos@arm.com>
Co-authored-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Co-authored-by: Jonathan Wright <jonathan.wright@arm.com>
Co-authored-by: Kévin Petit <kevin.petit@arm.com>
Co-authored-by: Roberto Vargas <roberto.vargas@arm.com>
Co-authored-by: Sathees Balya <sathees.balya@arm.com>
Co-authored-by: Shawon Roy <Shawon.Roy@arm.com>
Co-authored-by: Soby Mathew <soby.mathew@arm.com>
Co-authored-by: Thomas Abraham <thomas.abraham@arm.com>
Co-authored-by: Vikram Kanigiri <vikram.kanigiri@arm.com>
Co-authored-by: Yatharth Kochar <yatharth.kochar@arm.com>
diff --git a/spm/cactus/aarch64/cactus_entrypoint.S b/spm/cactus/aarch64/cactus_entrypoint.S
new file mode 100644
index 0000000..704905e
--- /dev/null
+++ b/spm/cactus/aarch64/cactus_entrypoint.S
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 2017-2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <asm_macros.S>
+#include <secure_partition.h>
+#include <spm_svc.h>
+#include <xlat_tables_defs.h>
+
+ .globl cactus_entrypoint
+
+func cactus_entrypoint
+
+ /*
+ * All the information needed to remap the memory of the Secure
+ * Partition is in the buffer whose pointer is passed on X0 and size on
+ * X1. If the size is 0, return with an error.
+ */
+ cmp x1, #0
+ beq .return_error
+
+ /* Save the base address and size of the buffer. */
+ mov x20, x0
+ mov x21, x1
+ /* Size of the Secure Partition image. */
+ ldr x22, [x20, SP_BOOT_INFO_IMAGE_SIZE_OFFSET]
+
+ /*
+ * Remap all sections of the image before doing anything else.
+ *
+ * Not even the console can be initialized before because it needs to
+ * initialize variables (that can only be modified after remapping that
+ * region as RW).
+ *
+ * If any of the calls fails, loop, as there is no console to print an
+ * error message to.
+ */
+ .macro set_sp_mem_attributes
+ cmp x2, #0 /* If size is 0, skip the call. */
+ beq 1f
+ mov_imm x0, SP_MEMORY_ATTRIBUTES_SET_AARCH64
+ svc #0
+ cmp x0, #0
+ bne .return_error
+1:
+ .endm
+
+ adr x1, __TEXT_START__
+ adr x2, __TEXT_END__
+ sub x2, x2, x1 /* __TEXT_SIZE__ */
+ lsr x2, x2, PAGE_SIZE_SHIFT /* __TEXT_SIZE__ in pages */
+ mov x3, SP_MEMORY_ATTRIBUTES_ACCESS_RO | SP_MEMORY_ATTRIBUTES_EXEC
+ set_sp_mem_attributes
+
+ adr x1, __RODATA_START__
+ adr x2, __RODATA_END__
+ sub x2, x2, x1 /* __RODATA_SIZE__ */
+ lsr x2, x2, PAGE_SIZE_SHIFT /* __RODATA_SIZE__ in pages */
+ mov x3, SP_MEMORY_ATTRIBUTES_ACCESS_RO | SP_MEMORY_ATTRIBUTES_NON_EXEC
+ set_sp_mem_attributes
+
+ adr x1, __RWDATA_START__
+ adr x2, __RWDATA_END__
+ sub x2, x2, x1 /* __RWDATA_SIZE__ */
+ lsr x2, x2, PAGE_SIZE_SHIFT /* __RWDATA_SIZE__ in pages */
+ mov x3, SP_MEMORY_ATTRIBUTES_ACCESS_RW | SP_MEMORY_ATTRIBUTES_NON_EXEC
+ set_sp_mem_attributes
+
+ /*
+ * To avoid accessing it by mistake, prevent EL0 from accessing the rest
+ * of the memory reserved for the Secure Partition.
+ *
+ * Unused size = Total size - Used size
+ * = Total size - (__RWDATA_END__ - __TEXT_START__)
+ */
+ adr x1, __RWDATA_END__
+ adr x2, __TEXT_START__
+ sub x2, x1, x2 /* x2 = Used size, x22 = Total size */
+ sub x2, x22, x2 /* x2 = Unused size */
+ lsr x2, x2, PAGE_SIZE_SHIFT /* Unused size in pages */
+ mov x3, SP_MEMORY_ATTRIBUTES_ACCESS_NOACCESS | SP_MEMORY_ATTRIBUTES_NON_EXEC
+ set_sp_mem_attributes
+
+ adr x0, __BSS_START__
+ adr x1, __BSS_END__
+ sub x1, x1, x0
+ bl zeromem16
+
+ /* Setup the stack pointer. */
+ ldr x0, [x20, SP_BOOT_INFO_STACK_BASE_OFFSET]
+ ldr x1, [x20, SP_BOOT_INFO_PCPU_STACK_SIZE_OFFSET]
+ add x0, x0, x1
+ mov sp, x0
+
+ /* And do the rest in C code */
+ mov x0, x20
+ mov x1, x21
+ b cactus_main
+
+.return_error:
+ /* Tell SPM that the initialization failed. */
+ mov_imm x0, SP_EVENT_COMPLETE_AARCH64
+ mov x1, #-1
+ svc #0
+
+ /* Loop forever */
+ b .
+
+endfunc cactus_entrypoint
diff --git a/spm/cactus/cactus.h b/spm/cactus/cactus.h
new file mode 100644
index 0000000..966b154
--- /dev/null
+++ b/spm/cactus/cactus.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2017, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef __CACTUS_H__
+#define __CACTUS_H__
+
+#include <secure_partition.h>
+#include <types.h>
+
+/* Linker symbols used to figure out the memory layout of Cactus. */
+extern uintptr_t __TEXT_START__, __TEXT_END__;
+#define CACTUS_TEXT_START ((uintptr_t)&__TEXT_START__)
+#define CACTUS_TEXT_END ((uintptr_t)&__TEXT_END__)
+
+extern uintptr_t __RODATA_START__, __RODATA_END__;
+#define CACTUS_RODATA_START ((uintptr_t)&__RODATA_START__)
+#define CACTUS_RODATA_END ((uintptr_t)&__RODATA_END__)
+
+extern uintptr_t __RWDATA_START__, __RWDATA_END__;
+#define CACTUS_RWDATA_START ((uintptr_t)&__RWDATA_START__)
+#define CACTUS_RWDATA_END ((uintptr_t)&__RWDATA_END__)
+
+extern uintptr_t __BSS_START__, __BSS_END__;
+#define CACTUS_BSS_START ((uintptr_t)&__BSS_START__)
+#define CACTUS_BSS_END ((uintptr_t)&__BSS_END__)
+
+/*
+ * Once Cactus has finished its initialisation, this is the function it will
+ * jump to to handle runtime services for the rest of its lifetime.
+ */
+__dead2 void secure_services_loop(void);
+
+#endif /* __CACTUS_H__ */
diff --git a/spm/cactus/cactus.ld.S b/spm/cactus/cactus.ld.S
new file mode 100644
index 0000000..b33f591
--- /dev/null
+++ b/spm/cactus/cactus.ld.S
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2017-2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <platform_def.h>
+#include <xlat_tables_defs.h>
+
+OUTPUT_FORMAT(PLATFORM_LINKER_FORMAT)
+OUTPUT_ARCH(PLATFORM_LINKER_ARCH)
+ENTRY(cactus_entrypoint)
+
+SECTIONS
+{
+ ASSERT(. == ALIGN(PAGE_SIZE),
+ "TEXT_START address is not aligned to PAGE_SIZE.")
+
+ .text : {
+ __TEXT_START__ = .;
+ *cactus_entrypoint.o(.text*)
+ *(.text*)
+ *(.vectors)
+ . = NEXT(PAGE_SIZE);
+ __TEXT_END__ = .;
+ }
+
+ .rodata : {
+ . = ALIGN(PAGE_SIZE);
+ __RODATA_START__ = .;
+ *(.rodata*)
+ . = NEXT(PAGE_SIZE);
+ __RODATA_END__ = .;
+ }
+
+
+ .data : {
+ . = ALIGN(PAGE_SIZE);
+ __RWDATA_START__ = .;
+ *(.data*)
+ }
+
+ .bss : {
+ . = ALIGN(16);
+ __BSS_START__ = .;
+ *(SORT_BY_ALIGNMENT(.bss*))
+ *(COMMON)
+ . = NEXT(PAGE_SIZE);
+ __BSS_END__ = .;
+ __RWDATA_END__ = .;
+ }
+}
diff --git a/spm/cactus/cactus.mk b/spm/cactus/cactus.mk
new file mode 100644
index 0000000..f7794db
--- /dev/null
+++ b/spm/cactus/cactus.mk
@@ -0,0 +1,73 @@
+#
+# Copyright (c) 2018, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+CACTUS_INCLUDES := \
+ -Iinclude \
+ -Iinclude/common \
+ -Iinclude/common/${ARCH} \
+ -Iinclude/drivers \
+ -Iinclude/drivers/arm \
+ -Iinclude/lib \
+ -Iinclude/lib/${ARCH} \
+ -Iinclude/lib/stdlib \
+ -Iinclude/lib/stdlib/sys \
+ -Iinclude/lib/utils \
+ -Iinclude/lib/xlat_tables \
+ -Iinclude/runtime_services \
+ -Iinclude/runtime_services/secure_el0_payloads \
+ -Ispm/cactus \
+ -Ispm/common \
+
+CACTUS_SOURCES := \
+ $(addprefix spm/cactus/, \
+ aarch64/cactus_entrypoint.S \
+ cactus_main.c \
+ cactus_service_loop.c \
+ cactus_tests_memory_attributes.c \
+ cactus_tests_misc.c \
+ cactus_tests_system_setup.c \
+ ) \
+ $(addprefix spm/common/, \
+ aarch64/sp_arch_helpers.S \
+ sp_helpers.c \
+ ) \
+
+STDLIB_SOURCES := $(addprefix lib/stdlib/, \
+ assert.c \
+ mem.c \
+ putchar.c \
+ printf.c \
+ rand.c \
+ strlen.c \
+ subr_prf.c \
+)
+
+# TODO: Remove dependency on TFTF files.
+CACTUS_SOURCES += \
+ tftf/framework/debug.c \
+ tftf/framework/${ARCH}/asm_debug.S
+
+CACTUS_SOURCES += drivers/arm/pl011/${ARCH}/pl011_console.S \
+ lib/${ARCH}/cache_helpers.S \
+ lib/${ARCH}/misc_helpers.S \
+ plat/common/${ARCH}/platform_helpers.S \
+ ${STDLIB_SOURCES}
+
+CACTUS_LINKERFILE := spm/cactus/cactus.ld.S
+
+CACTUS_DEFINES :=
+
+$(eval $(call add_define,CACTUS_DEFINES,DEBUG))
+$(eval $(call add_define,CACTUS_DEFINES,ENABLE_ASSERTIONS))
+$(eval $(call add_define,CACTUS_DEFINES,LOG_LEVEL))
+$(eval $(call add_define,CACTUS_DEFINES,PLAT_${PLAT}))
+ifeq (${ARCH},aarch32)
+ $(eval $(call add_define,CACTUS_DEFINES,AARCH32))
+else
+ $(eval $(call add_define,CACTUS_DEFINES,AARCH64))
+endif
+
+cactus: ${AUTOGEN_DIR}/tests_list.h
diff --git a/spm/cactus/cactus_main.c b/spm/cactus/cactus_main.c
new file mode 100644
index 0000000..45197d3
--- /dev/null
+++ b/spm/cactus/cactus_main.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <console.h>
+#include <debug.h>
+#include <pl011.h>
+#include <plat_arm.h>
+#include <platform_def.h>
+#include <secure_partition.h>
+#include <sp_helpers.h>
+#include <spm_svc.h>
+#include <std_svc.h>
+
+#include "cactus.h"
+#include "cactus_tests.h"
+
+
+/* Host machine information injected by the build system in the ELF file. */
+extern const char build_message[];
+extern const char version_string[];
+
+/*
+ * The ARM Trusted Firmware passes a description of the memory resources
+ * allocated to the secure partition through the x0 register. This maps to
+ * a secure_partition_boot_info_t structure type.
+ *
+ * This functions prints the information stored in this structure.
+ */
+static void cactus_print_memory_layout(const secure_partition_boot_info_t *boot_info)
+{
+ NOTICE("Secure Partition memory layout:\n");
+
+ NOTICE(" Secure Partition image : %p - %p\n",
+ (void *) boot_info->sp_image_base,
+ (void *)(boot_info->sp_image_base + boot_info->sp_image_size));
+ NOTICE(" Text region : %p - %p\n",
+ (void *) CACTUS_TEXT_START, (void *) CACTUS_TEXT_END);
+ NOTICE(" Read-only data region : %p - %p\n",
+ (void *) CACTUS_RODATA_START, (void *) CACTUS_RODATA_END);
+ NOTICE(" Read-write data region : %p - %p\n",
+ (void *) CACTUS_RWDATA_START, (void *) CACTUS_RWDATA_END);
+ NOTICE(" BSS region : %p - %p\n",
+ (void *) CACTUS_BSS_START, (void *) CACTUS_BSS_END);
+ NOTICE(" Unused SP image space : %p - %p\n",
+ (void *) CACTUS_BSS_END,
+ (void *)(boot_info->sp_image_base + boot_info->sp_image_size));
+
+ NOTICE(" EL3-EL0 shared buffer : %p - %p\n",
+ (void *) boot_info->sp_shared_buf_base,
+ (void *)(boot_info->sp_shared_buf_base + boot_info->sp_shared_buf_size));
+
+ NOTICE(" S-NS shared buffer : %p - %p\n",
+ (void *) boot_info->sp_ns_comm_buf_base,
+ (void *)(boot_info->sp_ns_comm_buf_base + boot_info->sp_ns_comm_buf_size));
+
+ assert(boot_info->sp_ns_comm_buf_base == ARM_SECURE_SERVICE_BUFFER_BASE);
+ assert(boot_info->sp_ns_comm_buf_size == ARM_SECURE_SERVICE_BUFFER_SIZE);
+
+ NOTICE(" Stacks region (%u CPUS) : %p - %p\n",
+ boot_info->num_cpus,
+ (void *) boot_info->sp_stack_base,
+ (void *)(boot_info->sp_stack_base +
+ (boot_info->sp_pcpu_stack_size * boot_info->num_cpus)));
+
+ NOTICE(" Heap region : %p - %p\n",
+ (void *) boot_info->sp_heap_base,
+ (void *)(boot_info->sp_heap_base + boot_info->sp_heap_size));
+
+ NOTICE("Total memory : %p - %p\n",
+ (void *) boot_info->sp_mem_base, (void *) boot_info->sp_mem_limit);
+}
+
+
+void __dead2 cactus_main(void *el3_el0_buffer, size_t el3_el0_buffer_size)
+{
+ console_init(PLAT_ARM_UART_BASE,
+ PLAT_ARM_UART_CLK_IN_HZ,
+ PL011_BAUDRATE);
+
+ NOTICE("Booting test Secure Partition Cactus\n");
+ NOTICE("%s\n", build_message);
+ NOTICE("%s\n", version_string);
+ NOTICE("Running at S-EL0\n");
+
+ const secure_partition_boot_info_t *boot_info =
+ (const secure_partition_boot_info_t *) el3_el0_buffer;
+
+ if (el3_el0_buffer_size < sizeof(secure_partition_boot_info_t)) {
+ ERROR("The memory buffer shared between EL3/S-EL0 is too small\n");
+ ERROR("It is %lu bytes, it should be at least %lu bytes\n",
+ el3_el0_buffer_size,
+ sizeof(secure_partition_boot_info_t));
+ panic();
+ }
+
+ if ((CACTUS_TEXT_START != boot_info->sp_image_base) ||
+ (CACTUS_RWDATA_END > boot_info->sp_image_base
+ + boot_info->sp_image_size)) {
+ ERROR("Cactus does not fit in the buffer allocated for the secure partition\n");
+ panic();
+ }
+
+ cactus_print_memory_layout(boot_info);
+
+
+ /*
+ * Run some initial tests.
+ *
+ * These are executed when the system is still booting, just after SPM
+ * has handed over to Cactus.
+ */
+ misc_tests();
+ system_setup_tests();
+ mem_attr_changes_tests(boot_info);
+
+ /*
+ * Handle secure service requests.
+ */
+ secure_services_loop();
+}
diff --git a/spm/cactus/cactus_service_loop.c b/spm/cactus/cactus_service_loop.c
new file mode 100644
index 0000000..9f542b5
--- /dev/null
+++ b/spm/cactus/cactus_service_loop.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <debug.h>
+#include <mm_svc.h>
+#include <secure_partition.h>
+#include <sp_helpers.h>
+#include <spm_svc.h>
+#include <string.h>
+
+
+/*
+ * Handle a fast secure service request, i.e. one made through an MM_COMMUNICATE
+ * call.
+ *
+ * cc
+ * Calling convention. If MM_COMMUNICATE has been invoked using the SMC32
+ * calling convention, this argument must be 32, else 64.
+ *
+ * sps
+ * Communication buffer attached to the secure partition service request.
+ */
+static int32_t cactus_handle_fast_request(int cc,
+ secure_partition_request_info_t *sps)
+{
+ assert(cc == 32 || cc == 64);
+
+ /* No SMC32 is supported at the moment. Just ignore them. */
+ if (cc == 32) {
+ INFO("Ignoring MM_COMMUNICATE_AARCH32 call\n");
+ return SPM_SUCCESS;
+ }
+
+ /* See secure_partition.h for possible ID values. */
+ switch (sps->id) {
+ case SPS_TIMER_SLEEP: {
+ if (sps->data_size != 1) {
+ ERROR("Invalid payload size for SPM_SPS_TIMER_SLEEP request (%llu)\n",
+ sps->data_size);
+ return SPM_INVALID_PARAMETER;
+ }
+ int duration_sec = sps->data[0];
+ sp_sleep(duration_sec);
+
+ /*
+ * Write back to the communication buffer to acknowledge the
+ * request has been successfully handled.
+ */
+ uint32_t response = CACTUS_FAST_REQUEST_SUCCESS;
+ memcpy(sps->data, &response, sizeof(response));
+ return SPM_SUCCESS;
+ }
+
+ case SPS_CHECK_ALIVE:
+ return SPM_SUCCESS;
+
+ default:
+ INFO("Unsupported MM_COMMUNICATE_AARCH64 call with service ID 0x%x, ignoring it\n",
+ sps->id);
+ return SPM_INVALID_PARAMETER;
+ }
+}
+
+__dead2 void secure_services_loop(void)
+{
+ int32_t event_status_code;
+ svc_args svc_values = { 0 };
+
+ /*
+ * The first time this loop is executed corresponds to when Cactus has
+ * finished initialising its run time environment and is ready to handle
+ * secure service requests.
+ */
+ NOTICE("Cactus: Signal end of init to SPM\n");
+ event_status_code = SPM_SUCCESS;
+
+ while (1) {
+ svc_values.arg0 = SP_EVENT_COMPLETE_AARCH64;
+ svc_values.arg1 = event_status_code;
+ int32_t event_id = sp_svc(&svc_values);
+
+ switch (event_id) {
+ case MM_COMMUNICATE_AARCH64:
+ {
+ uint64_t ctx_addr = svc_values.arg1;
+ uint32_t ctx_size = svc_values.arg2;
+ uint64_t cookie = svc_values.arg3;
+
+ NOTICE("Cactus: Received MM_COMMUNICATE_AARCH64 call\n");
+ NOTICE("Cactus: Context address: 0x%llx\n", ctx_addr);
+ NOTICE("Cactus: Context size : %u\n", ctx_size);
+ NOTICE("Cactus: Cookie : 0x%llx\n", cookie);
+
+ if (ctx_addr == 0) {
+ ERROR("Context address is invalid\n");
+ event_status_code = SPM_INVALID_PARAMETER;
+ continue;
+ }
+
+ secure_partition_request_info_t *sps = (void *)(uintptr_t) ctx_addr;
+ NOTICE("Received fast secure service request with ID #%u\n",
+ sps->id);
+ event_status_code = cactus_handle_fast_request(64, sps);
+ break;
+ }
+
+ case MM_COMMUNICATE_AARCH32:
+ {
+ uint32_t ctx_addr = svc_values.arg1;
+ uint32_t ctx_size = svc_values.arg2;
+ uint32_t cookie = svc_values.arg3;
+
+ NOTICE("Cactus: Received MM_COMMUNICATE_AARCH32 call\n");
+ NOTICE("Cactus: Context address: 0x%x\n", ctx_addr);
+ NOTICE("Cactus: Context size : %u\n", ctx_size);
+ NOTICE("Cactus: Cookie : 0x%x\n", cookie);
+
+ if (ctx_addr == 0) {
+ ERROR("Context address is invalid\n");
+ event_status_code = SPM_INVALID_PARAMETER;
+ continue;
+ }
+
+ secure_partition_request_info_t *sps = (void *)(uintptr_t) ctx_addr;
+ NOTICE("Received fast secure service request with ID #%u\n",
+ sps->id);
+ event_status_code = cactus_handle_fast_request(32, sps);
+ break;
+ }
+
+ default:
+ NOTICE("Unhandled Service ID 0x%x\n", event_id);
+ event_status_code = SPM_NOT_SUPPORTED;
+ break;
+ }
+ }
+}
diff --git a/spm/cactus/cactus_tests.h b/spm/cactus/cactus_tests.h
new file mode 100644
index 0000000..d0e11dc
--- /dev/null
+++ b/spm/cactus/cactus_tests.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2017, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef __CACTUS_TESTS_H__
+#define __CACTUS_TESTS_H__
+
+#include <secure_partition.h>
+
+/*
+ * Test functions
+ */
+
+/*
+ * Test other things like the version number returned by SPM.
+ */
+void misc_tests(void);
+
+/*
+ * The Arm TF is responsible for setting up system registers on behalf of the
+ * Secure Partition. For example, TF is supposed to allow Secure Partitions to
+ * perform cache maintenance operations (by setting the SCTLR_EL1.UCI bit).
+ *
+ * This function attempts to verify that we indeed have access to these system
+ * features from S-EL0. These tests report their results on the UART. They do
+ * not recover from a failure : when an error is encountered they will most
+ * likely trigger an exception into S-EL1.
+ */
+void system_setup_tests(void);
+
+/*
+ * Exercise the SP_MEMORY_ATTRIBUTES_SET_AARCH64 SMC interface. A variety of
+ * valid and invalid requests to change memory attributes are tested.
+ *
+ * These tests report their results on the UART. They do not recover from a
+ * failure : when an error is encountered they endlessly loop.
+ *
+ * The argument is a pointer to a secure_partition_boot_info_t struct that has
+ * been filled by EL3 with the information about the memory map of this Secure
+ * Partition.
+ */
+void mem_attr_changes_tests(const secure_partition_boot_info_t *boot_info);
+
+#endif /* __CACTUS_TESTS_H__ */
diff --git a/spm/cactus/cactus_tests_memory_attributes.c b/spm/cactus/cactus_tests_memory_attributes.c
new file mode 100644
index 0000000..1a3072b
--- /dev/null
+++ b/spm/cactus/cactus_tests_memory_attributes.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <debug.h>
+#include <errno.h>
+#include <platform_def.h>
+#include <secure_partition.h>
+#include <sp_helpers.h>
+#include <spm_svc.h>
+#include <stdio.h>
+#include <types.h>
+#include <xlat_tables_defs.h>
+
+#include "cactus.h"
+#include "cactus_tests.h"
+
+/* This is filled at runtime. */
+static uintptr_t cactus_tests_start;
+static uintptr_t cactus_tests_end;
+static uintptr_t cactus_tests_size;
+
+/*
+ * Given the required instruction and data access permissions,
+ * create a memory access controls value that is formatted as expected
+ * by the SP_MEMORY_ATTRIBUTES_SET_AARCH64 SMC.
+ */
+static inline uint32_t mem_access_perm(int instr_access_perm,
+ int data_access_perm)
+{
+ return instr_access_perm |
+ ((data_access_perm & SP_MEMORY_ATTRIBUTES_ACCESS_MASK)
+ << SP_MEMORY_ATTRIBUTES_ACCESS_SHIFT);
+}
+
+/*
+ * Send an SP_MEMORY_ATTRIBUTES_SET_AARCH64 SVC with the given arguments.
+ * Return the return value of the SVC.
+ */
+static int32_t request_mem_attr_changes(uintptr_t base_address,
+ int pages_count,
+ uint32_t memory_access_controls)
+{
+ INFO("Requesting memory attributes change\n");
+ INFO(" Start address : %p\n", (void *) base_address);
+ INFO(" Number of pages: %i\n", pages_count);
+ INFO(" Attributes : 0x%x\n", memory_access_controls);
+
+ svc_args svc_values = { SP_MEMORY_ATTRIBUTES_SET_AARCH64,
+ base_address,
+ pages_count,
+ memory_access_controls };
+ return sp_svc(&svc_values);
+}
+
+/*
+ * Send an SP_MEMORY_ATTRIBUTES_GET_AARCH64 SVC with the given arguments.
+ * Return the return value of the SVC.
+ */
+static int32_t request_get_mem_attr(uintptr_t base_address)
+{
+ INFO("Requesting memory attributes\n");
+ INFO(" Base address : %p\n", (void *) base_address);
+
+ svc_args svc_values = { SP_MEMORY_ATTRIBUTES_GET_AARCH64,
+ base_address };
+ return sp_svc(&svc_values);
+}
+
+/*
+ * This function expects a base address and number of pages identifying the
+ * extents of some memory region mapped as non-executable, read-only.
+ *
+ * 1) It changes its data access permissions to read-write.
+ * 2) It checks this memory can now be written to.
+ * 3) It restores the original data access permissions.
+ *
+ * If any check fails, it loops forever. It could also trigger a permission
+ * fault while trying to write to the memory.
+ */
+static void mem_attr_changes_unittest(uintptr_t addr, int pages_count)
+{
+ int32_t ret;
+ uintptr_t end_addr = addr + pages_count * PAGE_SIZE;
+ uint32_t old_attr, new_attr;
+
+ char test_desc[50];
+
+ snprintf(test_desc, sizeof(test_desc),
+ "RO -> RW (%i page(s) from address 0x%lx)", pages_count, addr);
+ announce_test_start(test_desc);
+
+ /*
+ * Ensure we don't change the attributes of some random memory
+ * location
+ */
+ assert(addr >= cactus_tests_start);
+ assert(end_addr < (cactus_tests_start + cactus_tests_size));
+
+ old_attr = mem_access_perm(SP_MEMORY_ATTRIBUTES_NON_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RO);
+ /* Memory was read-only, let's try changing that to RW */
+ new_attr = mem_access_perm(SP_MEMORY_ATTRIBUTES_NON_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RW);
+
+ ret = request_mem_attr_changes(addr, pages_count, new_attr);
+ expect(ret, SPM_SUCCESS);
+ printf("Successfully changed memory attributes\n");
+
+ /* The attributes should be the ones we have just written. */
+ ret = request_get_mem_attr(addr);
+ expect(ret, new_attr);
+
+ /* If it worked, we should be able to write to this memory now! */
+ for (unsigned char *data = (unsigned char *) addr;
+ (uintptr_t) data != end_addr;
+ ++data) {
+ *data = 42;
+ }
+ printf("Successfully wrote to the memory\n");
+
+ /* Let's revert back to the original attributes for the next test */
+ ret = request_mem_attr_changes(addr, pages_count, old_attr);
+ expect(ret, SPM_SUCCESS);
+ printf("Successfully restored the old attributes\n");
+
+ /* The attributes should be the original ones again. */
+ ret = request_get_mem_attr(addr);
+ expect(ret, old_attr);
+
+ announce_test_end(test_desc);
+}
+
+/*
+ * Exercise the ability of the Trusted Firmware to change the data access
+ * permissions and instruction execution permissions of some memory region.
+ */
+void mem_attr_changes_tests(const secure_partition_boot_info_t *boot_info)
+{
+ uint32_t attributes;
+ int32_t ret;
+ uintptr_t addr;
+
+ cactus_tests_start = CACTUS_BSS_END;
+ cactus_tests_end = boot_info->sp_image_base + boot_info->sp_image_size;
+ cactus_tests_size = cactus_tests_end - cactus_tests_start;
+
+ const char *test_sect_desc = "memory attributes changes";
+
+ announce_test_section_start(test_sect_desc);
+ /*
+ * Start with error cases, i.e. requests that are expected to be denied
+ */
+ const char *test_desc1 = "Read-write, executable";
+
+ announce_test_start(test_desc1);
+ attributes = mem_access_perm(SP_MEMORY_ATTRIBUTES_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RW);
+ ret = request_mem_attr_changes(CACTUS_RWDATA_START, 1, attributes);
+ expect(ret, SPM_INVALID_PARAMETER);
+ announce_test_end(test_desc1);
+
+ const char *test_desc2 = "Size == 0";
+
+ announce_test_start(test_desc2);
+ attributes = mem_access_perm(SP_MEMORY_ATTRIBUTES_NON_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RW);
+ ret = request_mem_attr_changes(CACTUS_RWDATA_START, 0, attributes);
+ expect(ret, SPM_INVALID_PARAMETER);
+ announce_test_end(test_desc2);
+
+ const char *test_desc3 = "Unaligned address";
+
+ announce_test_start(test_desc3);
+ attributes = mem_access_perm(SP_MEMORY_ATTRIBUTES_NON_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RW);
+ /* Choose an address not aligned to a page boundary. */
+ addr = cactus_tests_start + 5;
+ ret = request_mem_attr_changes(addr, 1, attributes);
+ expect(ret, SPM_INVALID_PARAMETER);
+ announce_test_end(test_desc3);
+
+ const char *test_desc4 = "Unmapped memory region";
+
+ announce_test_start(test_desc4);
+ addr = boot_info->sp_mem_limit + 2 * PAGE_SIZE;
+ attributes = mem_access_perm(SP_MEMORY_ATTRIBUTES_NON_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RW);
+ ret = request_mem_attr_changes(addr, 3, attributes);
+ expect(ret, SPM_INVALID_PARAMETER);
+ announce_test_end(test_desc4);
+
+ const char *test_desc5 = "Partially unmapped memory region";
+
+ announce_test_start(test_desc5);
+ addr = boot_info->sp_mem_base - 2 * PAGE_SIZE;
+ attributes = mem_access_perm(SP_MEMORY_ATTRIBUTES_NON_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RW);
+ ret = request_mem_attr_changes(addr, 6, attributes);
+ expect(ret, SPM_INVALID_PARAMETER);
+ announce_test_end(test_desc5);
+
+ const char *test_desc6 = "Memory region mapped with the wrong granularity";
+
+ announce_test_start(test_desc6);
+ /*
+ * This address is usually mapped at a 2 MiB granularity. By using as
+ * test address the block after the console we make sure that in case
+ * the attributes of the block actually changed, the console would work
+ * and we would get the error message.
+ */
+ addr = ((uintptr_t)PLAT_ARM_UART_BASE + 0x200000ULL) & ~(0x200000ULL - 1ULL);
+ attributes = mem_access_perm(SP_MEMORY_ATTRIBUTES_NON_EXEC, SP_MEMORY_ATTRIBUTES_ACCESS_RW);
+ ret = request_mem_attr_changes(addr, 1, attributes);
+ expect(ret, SPM_INVALID_PARAMETER);
+ announce_test_end(test_desc6);
+
+ const char *test_desc7 = "Try some valid memory change requests";
+
+ announce_test_start(test_desc7);
+ for (unsigned int i = 0; i < 20; ++i) {
+ /*
+ * Choose some random address in the pool of memory reserved
+ * for these tests.
+ */
+ const int pages_max = cactus_tests_size / PAGE_SIZE;
+ int pages_count = bound_rand(1, pages_max);
+
+ addr = bound_rand(
+ cactus_tests_start,
+ cactus_tests_end - (pages_count * PAGE_SIZE));
+ /* Align to PAGE_SIZE. */
+ addr &= ~(PAGE_SIZE - 1);
+
+ mem_attr_changes_unittest(addr, pages_count);
+ }
+ announce_test_end(test_desc7);
+
+ announce_test_section_end(test_sect_desc);
+}
diff --git a/spm/cactus/cactus_tests_misc.c b/spm/cactus/cactus_tests_misc.c
new file mode 100644
index 0000000..bb8eaa7
--- /dev/null
+++ b/spm/cactus/cactus_tests_misc.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <debug.h>
+#include <errno.h>
+#include <sp_helpers.h>
+#include <spm_svc.h>
+#include <types.h>
+
+#include "cactus.h"
+#include "cactus_tests.h"
+
+/*
+ * Miscellaneous SPM tests.
+ */
+void misc_tests(void)
+{
+ int32_t ret;
+
+ const char *test_sect_desc = "miscellaneous";
+
+ announce_test_section_start(test_sect_desc);
+
+ const char *test_version = "SPM version check";
+
+ announce_test_start(test_version);
+ svc_args svc_values = { SPM_VERSION_AARCH32 };
+ ret = sp_svc(&svc_values);
+ INFO("Version = 0x%x (%u.%u)\n", ret,
+ (ret >> 16) & 0x7FFF, ret & 0xFFFF);
+ expect(ret, SPM_VERSION_COMPILED);
+ announce_test_end(test_version);
+
+ announce_test_section_end(test_sect_desc);
+}
diff --git a/spm/cactus/cactus_tests_system_setup.c b/spm/cactus/cactus_tests_system_setup.c
new file mode 100644
index 0000000..685d82d
--- /dev/null
+++ b/spm/cactus/cactus_tests_system_setup.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch_helpers.h>
+#include <debug.h>
+#include <sp_helpers.h>
+#include <types.h>
+
+#include "cactus.h"
+
+extern uintptr_t __TEXT_START__;
+
+void system_setup_tests(void)
+{
+ const char *test_sect_desc = "system setup";
+
+ announce_test_section_start(test_sect_desc);
+
+ /*
+ * Try accessing CTR_EL0 register. This should work if SCTLR_EL1.UCT bit
+ * has been correctly setup by TF.
+ */
+ const char *test_desc1 = "Read CTR_EL0 register";
+
+ announce_test_start(test_desc1);
+
+ uint32_t ctr __unused = read_ctr_el0();
+
+ INFO("CTR_EL0 = 0x%x\n", ctr);
+ announce_test_end(test_desc1);
+
+ /*
+ * Try to execute a cache maintenance instruction. This should work if
+ * SCTLR_EL1.UCI bit has been correctly setup by TF.
+ */
+ const char *test_desc2 = "Access to cache maintenance operations";
+
+ announce_test_start(test_desc2);
+ flush_dcache_range((uintptr_t)&__TEXT_START__, 1);
+ announce_test_end(test_desc2);
+
+ /*
+ * Try accessing a floating point register. This should not trap to
+ * S-EL1.
+ */
+ const char *test_desc3 = "Access to FP regs";
+
+ announce_test_start(test_desc3);
+ /*
+ * Can't use the 'double' type here because Cactus (like the rest of
+ * the TF code) is compiled with GCC's -mgeneral-regs-only compiler flag
+ * that disables floating point support in GCC.
+ */
+ uint64_t fp_reg;
+
+ __asm__ volatile("fmov %0, d0" : "=r" (fp_reg) :: "d0");
+ INFO("D0 = 0x%llx\n", fp_reg);
+ __asm__ volatile(
+ "fmov d0, #1.0 \n\t"
+ "fmov %0, d0 \n\t"
+ : "=r" (fp_reg)
+ :
+ : "d0");
+ INFO("D0 = 0x%llx\n", fp_reg);
+ announce_test_end(test_desc3);
+
+ announce_test_section_end(test_sect_desc);
+}
diff --git a/spm/common/aarch64/sp_arch_helpers.S b/spm/common/aarch64/sp_arch_helpers.S
new file mode 100644
index 0000000..11f4087
--- /dev/null
+++ b/spm/common/aarch64/sp_arch_helpers.S
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <asm_macros.S>
+
+ .globl sp_svc
+
+func sp_svc
+ /*
+ * Save the address of the svc_args structure on the stack.
+ *
+ * Although x0 contains an 8-byte value, we are allocating 16 bytes
+ * on the stack to respect the 16-byte stack-alignment.
+ */
+ str x0, [sp, #-16]!
+
+ /* Load the SVC arguments values into the appropriate registers. */
+ ldp x6, x7, [x0, #48]
+ ldp x4, x5, [x0, #32]
+ ldp x2, x3, [x0, #16]
+ ldp x0, x1, [x0, #0]
+
+ svc #0
+
+ /*
+ * Pop the svc_args structure address from the stack into a caller-saved
+ * register.
+ */
+ ldr x9, [sp], #16
+
+ /*
+ * The return values are stored in x0-x3, put them in the svc_args
+ * return structure.
+ */
+ stp x0, x1, [x9, #0]
+ stp x2, x3, [x9, #16]
+ ret
+endfunc sp_svc
diff --git a/spm/common/sp_helpers.c b/spm/common/sp_helpers.c
new file mode 100644
index 0000000..cccaf8b
--- /dev/null
+++ b/spm/common/sp_helpers.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <debug.h>
+#include <mmio.h>
+#include <platform_def.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+uintptr_t bound_rand(uintptr_t min, uintptr_t max)
+{
+ /*
+ * This is not ideal as some numbers will never be generated because of
+ * the integer arithmetic rounding.
+ */
+ return ((rand() * (UINT64_MAX/RAND_MAX)) % (max - min)) + min;
+}
+
+/*******************************************************************************
+ * Test framework helpers
+ ******************************************************************************/
+
+void expect(int expr, int expected)
+{
+ if (expr != expected) {
+ ERROR("Expected value %i, got %i\n", expected, expr);
+ while (1)
+ continue;
+ }
+}
+
+void announce_test_section_start(const char *test_sect_desc)
+{
+ INFO("========================================\n");
+ INFO("Starting %s tests\n", test_sect_desc);
+ INFO("========================================\n");
+}
+void announce_test_section_end(const char *test_sect_desc)
+{
+ INFO("========================================\n");
+ INFO("End of %s tests\n", test_sect_desc);
+ INFO("========================================\n");
+}
+
+void announce_test_start(const char *test_desc)
+{
+ INFO("[+] %s\n", test_desc);
+}
+
+void announce_test_end(const char *test_desc)
+{
+ INFO("Test \"%s\" passed.\n", test_desc);
+}
+
+void sp_sleep(uint32_t duration_sec)
+{
+ uint32_t timer_freq = mmio_read_32(SYS_CNT_CONTROL_BASE + CNTFID_OFF);
+ VERBOSE("%s: Timer frequency = %u\n", __func__, timer_freq);
+
+ INFO("%s: Sleeping for %u seconds...\n", __func__, duration_sec);
+ uint64_t time1 = mmio_read_64(SYS_CNT_READ_BASE);
+ volatile uint64_t time2 = time1;
+ while ((time2 - time1) < duration_sec * timer_freq) {
+ time2 = mmio_read_64(SYS_CNT_READ_BASE);
+ }
+
+ INFO("%s: Done\n", __func__);
+}
diff --git a/spm/common/sp_helpers.h b/spm/common/sp_helpers.h
new file mode 100644
index 0000000..ab6415d
--- /dev/null
+++ b/spm/common/sp_helpers.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2018, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SP_HELPERS_H
+#define SP_HELPERS_H
+
+#include <stdint.h>
+#include <sys/types.h>
+
+typedef struct {
+ u_register_t arg0;
+ u_register_t arg1;
+ u_register_t arg2;
+ u_register_t arg3;
+ u_register_t arg4;
+ u_register_t arg5;
+ u_register_t arg6;
+ u_register_t arg7;
+} svc_args;
+
+/*
+ * Trigger an SVC call.
+ *
+ * The arguments to pass through the SVC call must be stored in the svc_args
+ * structure. The return values of the SVC call will be stored in the same
+ * structure (overriding the input arguments).
+ *
+ * Return the first return value. It is equivalent to args.arg0 but is also
+ * provided as the return value for convenience.
+ */
+u_register_t sp_svc(svc_args *args);
+
+/*
+ * Choose a pseudo-random number within the [min,max] range (both limits are
+ * inclusive).
+ */
+uintptr_t bound_rand(uintptr_t min, uintptr_t max);
+
+/*
+ * Check that expr == expected.
+ * If not, loop forever.
+ */
+void expect(int expr, int expected);
+
+/*
+ * Test framework functions
+ */
+
+void announce_test_section_start(const char *test_sect_desc);
+void announce_test_section_end(const char *test_sect_desc);
+
+void announce_test_start(const char *test_desc);
+void announce_test_end(const char *test_desc);
+
+/* Sleep for at least 'duration_sec' seconds then return. */
+void sp_sleep(uint32_t duration_sec);
+
+#endif /* SP_HELPERS_H */