如何解读 ARM 的 SMC 调用? [英] How to interpret ARM's SMC calls?

问题描述

我一直在阅读 Android 的内核，以了解 CPU 内核(也称为 DVFS、DCVS)的动态电源管理是如何完成的.我在这里找到的代码 调用以下函数(定义 here) 依次调用 SMC 汇编指令.

I have been reading Android's kernel to see how dynamic power management for CPU cores (aka DVFS, DCVS) is being done. The code I found here makes some calls to the following function (defined here) which in turn calls the SMC assembly instruction.

ARM 有一份文档解释了 SMC 调用约定，但我一直无法使用它来理解以下功能.如何根据输入操作数进一步追踪 SMC 指令以查看它实际执行的操作?

ARM has a document that explains SMC calling convention, but I haven't been able to use it to make sense of the following function. How can I track down the SMC instruction further to see what it actually does based on its input operands?

s32 scm_call_atomic4_3(u32 svc, u32 cmd, u32 arg1, u32 arg2,
        u32 arg3, u32 arg4, u32 *ret1, u32 *ret2)
{
    int ret;
    int context_id;
    register u32 r0 asm("r0") = SCM_ATOMIC(svc, cmd, 4);
    register u32 r1 asm("r1") = (u32)&context_id;
    register u32 r2 asm("r2") = arg1;
    register u32 r3 asm("r3") = arg2;
    register u32 r4 asm("r4") = arg3;
    register u32 r5 asm("r5") = arg4;
    asm volatile(
        __asmeq("%0", "r0")
        __asmeq("%1", "r1")
        __asmeq("%2", "r2")
        __asmeq("%3", "r0")
        __asmeq("%4", "r1")
        __asmeq("%5", "r2")
        __asmeq("%6", "r3")
#ifdef REQUIRES_SEC
            ".arch_extension sec\n"
#endif
        "smc    #0  @ switch to secure world\n"
        : "=r" (r0), "=r" (r1), "=r" (r2)
        : "r" (r0), "r" (r1), "r" (r2), "r" (r3), "r" (r4), "r" (r5));
    ret = r0;
    if (ret1)
        *ret1 = r1;
    if (ret2)
        *ret2 = r2;
    return r0;
}
EXPORT_SYMBOL(scm_call_atomic4_3);

推荐答案

SMC 调用约定是来自 ARM 的关于如何实现cross world API 的建议，以便多个供应商可以在任一世界编写代码并以最少的方式共存的不兼容.至少这是意图.供应商(在您的情况下是 Android/Linux)不必这样做，如果安全世界不遵循它，则可能无法这样做.

The SMC calling conventions is a suggestion from ARM on how to implement cross world API, so that multiple vendors can write code in either world and co-exist with a minimum of incompatibility. At least that is the intent. A vendor (Android/Linux in your case) does not have to do this and may not be able to do this if the secure world does not follow it.

但我一直无法使用它来理解以下功能

but I haven't been able to use it to make sense of the following function

SMC 指令是从正常世界到安全监视器的受控更改.监视器有它自己的向量表，svc 的条目是 SMC 调用.寄存器是世界之间共享"的信息.通常在世界切换时，监视器可能会将所有寄存器交换到某个上下文存储.在SMC情况下，寄存器可以传递参数并返回结果.这就是这个函数所做的一切.

The SMC instruction is a controlled change from the normal world to the secure monitor. The monitor has it's own vector table and the entry for svc is the SMC call. Registers are 'shared' information between worlds. Normally on a world switch the monitor may swap out all register to some context store. In the SMC case, the register can transfer parameter and return results. This is all this function is doing.

register u32 r0 asm("r0") = SCM_ATOMIC(svc, cmd, 4);

这是SMC 调用约定文档中类似于表 2-1 的位字段.它是从正常世界的 Linux 到安全监视器来判断哪个函数(以及要编组/保留四个的参数数量).

This is a bit field like table 2-1 in the SMC calling conventions document. It is from the normal world Linux to the secure monitor to tell which function (and number of arguments to marshal/keep of four).

register u32 r2 asm("r2") = arg1;
register u32 r3 asm("r3") = arg2;
register u32 r4 asm("r4") = arg3;
register u32 r5 asm("r5") = arg4;

如果 ARM ABI 是偶然的，参数 arg1-arg4 已经在这些寄存器中，所以不会生成代码.全局 context_id(到 Linux/Android 内核)也被传递.

If the ARM ABI is fortuitous, the parameters arg1-arg4 will already be in these register, so no code will be generated. The global context_id (to Linux/Android kernel) is also passed.

如何根据输入操作数进一步追踪 SMC 指令以查看它实际执行的操作?

How can I track down the SMC instruction further to see what it actually does based on its input operands?

要做到这一点，您需要安全世界的代码.我的猜测是，这是一些手机和基带等处于安全世界中并且代码不可用.如果您有安全的世界代码，监视器向量表将有一个 SMC 条目.这将有一个基于 r0 或 'cmd' 值的开关(或 if/then)，它选择特定的 smc 函数.通用 smc 处理程序可以恢复安全的世界寄存器/上下文，但保留 r0 位字段中指定的四个参数.

To do that, you need the code to the secure world. My guess is that this is some cell phone and base band, etc. are in the secure world and the code is not available. If you have the secure world code, the monitor vector table will have an SMC entry. This will have a switch (or if/then) based on the r0 or 'cmd' value which selects the particular smc function. A generic smc handler may restore secure world registers/context but keep the four arguements as specified in an r0 bit field.

所以答案可能是你无法追踪它的作用.您必须依赖供应商文档，或者有幸拥有通往安全世界的代码.

So probably the answer is you can't trace down what it does. You have to rely on the vendor documents or be lucky enough to have code to the secure world.

这篇关于如何解读 ARM 的 SMC 调用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！