Arm RMM ACS Planes Testcase checklist

Test name Test Assertion Test Approach Validated by ACS
planes_plane_exit_smc_hvc An exception due to execution of SMC/HVC instruction in Pn causes a plane exit due to Synchronous Exception taken to P0.
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  3. Execute SMC/HVC instruction
  4. On Plane exit, all of the following are true.
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr_el2 = SMC/HVC execution in AArch64 state.
Yes
planes_plane_exit_wfe An exception due to execution of a trapped WFE instruction in Pn causes a plane exit due to Synchronous Exception taken to P0
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA.
  3. Enter P1 with RsiPlaneEnterFlags.trap_wfx = RSI_TRAP.
  4. Execute WFE instruction
  5. On Plane exit, all of the following are true
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr_el2.ec = 0x1 (Trapped WFx instruction)
  • plane_exit.esr_el2.ISS.TI = WFE Instruction
Yes
planes_plane_exit_wfi An exception due to execution of a trapped WFI instruction in Pn causes a plane exit due to Synchronous Exception taken to P0
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA.
  3. Enter P1 with RsiPlaneEnterFlags.trap_wfx = RSI_TRAP.
  4. Execute WFI instruction
  5. On Plane exit, all of the following are true
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr_el2.ec = 0x1 (Trapped WFx instruction)
  • plane_exit.esr_el2.ISS.TI = WFI Instruction
Yes
planes_plane_exit_ia_unprotected An instruction fetch by Pn to an unprotected IPA causes a plane exit due to Synchronous Exception taken to P0
  1. Pick an Unprotected IPA, Map the IPA at stage 2 with RW permission.
  2. Configure Realm with one auxiliary plane and enter Realm.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  4. Flat - Map an IPA belonging to P1 as CODE (RO + X) in stage 1 (since MMU is enabled)
  5. Perform an instruction fetch from above IPA
  6. On Plane exit, all of the following are true
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr_el2 = Instruction abort
  • plane_exit.far_el2, plane_exit.hpfar_el2 = IPA
Yes
planes_plane_exit_da_ia_ripas_empty A data access or an instruction fetch by Pn to a protected IPA whose RIPAS is EMPTY causes a plane exit due to Synchronous Exception taken to P0.
  1. Pick a protected IPA, Map the IPA at stage 2.
  2. Configure Realm with one auxiliary plane and enter Realm.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  4. Flat - Map an IPA belonging to P1 as CODE (RO + X) or DATA (RW) accordingly in stage 1 (since MMU is enabled)
  5. Perform data access and Instruction fetch from above IPA
  6. On Plane exit, all of the following are true
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr_el2 = Data abort/Instruction abort
  • plane_exit.far_el2, plane_exit.hpfar_el2 = IPA
Yes
planes_plane_exit_da_ia_permission A data access or an instruction fetch by Pn to a protected IPA that belongs to P0, or that violates the stage 2 permissions set by P0, causes a plane exit due to Synchronous Exception taken to P0.
  1. Pick a protected IPA belonging to P0.
  2. Configure Realm with one auxiliary plane and enter Realm.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  4. Flat - Map an IPA belonging to P0 as CODE (RO + X) or DATA (RW) accordingly in stage 1 (since MMU is enabled)
  5. Perform data access and Instruction fetch from above IPA
  6. On Plane exit, all of the following are true
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr_el2 = Data abort/Instruction abort
  • plane_exit.far_el2, plane_exit.hpfar_el2 = IPA
Yes
planes_plane_exit_host_call If plane_enter.flags.trap_hc == RSI_TRAP then execution by Pn of RSI_HOST_CALL results in a Plane exit due to synchronous exception
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA.
  3. Enter P1 with trap_hc == RSI_TRAP
  4. On Plane exit, all of the following are true
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr_el2 = SMC Execution
  • plane_exit.gprs[0] = RSI_HOST_CALL
Yes
planes_rec_exit_da_ia_hipas_unassigned_ripas_ram A data access or an instruction fetch by Pn to a protected IPA whose HIPAS is DESTROYED or HIPAS is UNASSIGNED and RIPAS is not EMPTY causes a REC exit due to Synchronous Exception taken to host
  1. Pick a protected IPA whose (HIPAS, RIPAS) is (UNASSIGNED, RAM).
  2. Configure Realm with one auxiliary plane and enter Realm.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  4. Flat - Map the IPA as CODE (RO + X) or DATA (RW) accordingly in stage 1 (since MMU is enabled)
  5. Perform data access and Instruction fetch from above IPA
  6. On REC exit, all of the following are true
  • rec_exit.exit_reason = RMI_EXIT_SYNC
  • rec_exit.esr_el2 = Data abort/Instruction abort
  • rec_exit.far_el2, rec_exit.hpfar_el2 = IPA
Yes
planes_rec_exit_da_ripas_destroyed A data access by Pn to a protected IPA whose HIPAS is DESTROYED or HIPAS is UNASSIGNED and RIPAS is not EMPTY causes a REC exit due to Synchronous Exception taken to host
  1. Pick a protected IPA whose (HIPAS, RIPAS) is (ANY, DESTROYED).
  2. Configure Realm with one auxiliary plane and enter Realm.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  4. Flat - Map the IPA as CODE (RO + X) or DATA (RW) accordingly in stage 1 (since MMU is enabled)
  5. Perform data access from above IPA
  6. On REC exit, all of the following are true
  • rec_exit.exit_reason = RMI_EXIT_SYNC
  • rec_exit.esr_el2 = Data abort
  • rec_exit.far_el2, rec_exit.hpfar_el2 = IPA
Yes
planes_rec_exit_ia_ripas_destroyed An instruction fetch by Pn to a protected IPA whose HIPAS is DESTROYED or HIPAS is UNASSIGNED and RIPAS is not EMPTY causes a REC exit due to Synchronous Exception taken to host
  1. Pick a protected IPA whose (HIPAS, RIPAS) is (ANY, DESTROYED).
  2. Configure Realm with one auxiliary plane and enter Realm.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  4. Flat - Map the IPA as CODE (RO + X) or DATA (RW) accordingly in stage 1 (since MMU is enabled)
  5. Perform instruction fetch from above IPA
  6. On REC exit, all of the following are true
  • rec_exit.exit_reason = RMI_EXIT_SYNC
  • rec_exit.esr_el2 = Instruction abort
  • rec_exit.far_el2, rec_exit.hpfar_el2 = IPA
Yes
planes_rec_exit_da_hipas_unassigned_ns A data access by Pn to an Unprotected IPA whose HIPAS is UNASSIGNED_NS causes a REC exit due to Synchronous Exception taken to host
  1. Pick an Unprotected IPA whose HIPAS is UNASSIGNED_NS
  2. Configure Realm with one auxiliary plane and enter Realm.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  4. Flat - Map the IPA as CODE (RO + X) in stage 1 (since MMU is enabled)
  5. Perform data access and Instruction fetch from above IPA
  6. On REC exit, all of the following are true
  • rec_exit.exit_reason = RMI_EXIT_SYNC
  • rec_exit.esr_el2 = Data abort/Instruction abort
  • rec_exit.far_el2, rec_exit.hpfar_el2 = IPA
Yes
planes_rec_exit_irq An exception due to IRQ while executing in Pn causes a REC exit due to asynchronous Exception taken to host
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  3. Generate IRQ
  4. On REC exit, all of the following are true
  • rec_exit.exit_reason = RMI_EXIT_IRQ
  • rec_exit.esr_el2 = 0
Yes
planes_rec_exit_host_call If plane_enter.flags.trap_hc == RSI_NO_TRAP then execution by Pn of RSI_HOST_CALL results in a REC exit due to Host call
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  3. Enter P1 with trap_hc == RSI_NO_TRAP
  4. Execute HOST_CALL
  5. On REC exit, all of the following are true
  • rec_exit.exit_reason = RMI_EXIT_HOST_CALL
  • rec_exit.plane = P1 index
  • rec_exit.esr_el2 = 0
Yes
planes_s2ap_protected
At Realm Activation,
  • All Protected IPA to use Overlay index 0
  • Overlay index 0 has Permission value RW + upX for P0 and No access to all other planes
  1. Configure Realm with one auxiliary plane
  2. Prepare a granule (CODE) with the following contents
       LDR x1, [x0]
       HVC
  3. Enter Realm, P0 to configure permissions RO+upX to granule CODE.
  4. Enter P1 with PC = CODE, gprs.x0 = Any other page belonging to P1
  5. Check for
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr = Data Abort due to permission fault.
Yes
planes_s2ap_unprotected
At Realm Activation,
  • All Protected IPA to use Overlay index 0
  • Overlay index 0 has Permission value RW + upX for P0 and No access to all other planes
  1. Pick an Unprotected IPA, Map the IPA at stage 2 with RW permission.
  2. Configure Realm with one auxiliary plane.
  3. Enter Realm, P0 to set necessary Permissions for P1's protected IPA.
  4. Validate P1 has RW permissions for the above Unprotected IPA.
  5. Perform an instruction fetch from the Unprotected IPA → Plane exit due to Permission fault. Check for
  • plane_exit.exit_reason = RSI_EXIT_SYNC
  • plane_exit.esr = Instruction Abort due to permission fault.
Yes
planes_s2ap_locking
At Realm Activation,
  • Permission overlay index 0 is LOCKED, index 1-14 are unlocked.
  • Overlay Permission index once used with RSI_MEM_SET_PERM_INDEX will be LOCKED for further use for RSI_MEM_SET_PERM_VALUE
  1. Configure Realm with one auxiliary plane, Enter realm.
  2. Execute RSI_MEM_SET_PERM_VALUE for Overlay index 0 ---> RSI_ERROR_INPUT
  3. Execute RSI_MEM_SET_PERM_VALUE for Overlay index 1 ---> RSI_SUCCESS
  4. Execute RSI_MEM_SET_PERM_INDEX for P0 with Overlay index 1.
  5. Execute RSI_MEM_SET_PERM_VALUE for Overlay index 1 ---> RSI_ERROR_INPUT
Yes
planes_s2ap_enforced_by_p0 To validate permissions set by P0
  1. Configure Realm with one auxiliary plane
  2. Prepare code granules CODE1, CODE2, CODE3, CODE4 as shown in Table 1 below.
  3. Enter Realm, P0 to configure permissions to code and data granules as shown in Table 2 below.
  4. Test for permissions with all the combinations of inputs to RSI_PLANE_ENTER as listed in Table 3 below and check for respective results.
Yes
planes_rec_entry_no_virt_int On REC entry, if the values of enter.gicv3_lrs describe one or more Pending interrupts and the most recent REC exit was from a Plane which is not the GIC owner then control returns to P0. This results in a Plane exit due to synchronous exception.
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1 with P0 as GIC owner.
  3. Trigger a REC exit (any reason, e.g. access to HIPAS = UNASSIGNED)
  4. Call RMI_REC_ENTER with no virtual interrupt pending.
    • Check that control passes to Pn
Yes
planes_rec_entry_p0_owner_virt_int On REC entry, if the values of enter.gicv3_lrs describe one or more Pending interrupts and the most recent REC exit was from a Plane which is not the GIC owner then control returns to P0. This results in a Plane exit due to synchronous exception.
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1 with P0 as GIC owner.
  3. Trigger a REC exit (any reason, e.g. access to HIPAS = UNASSIGNED)
  4. Call RMI_REC_ENTER with a virtual interrupt pending.
    • Check that control passes to P0
    • Check that Plane exit due to synchronous exception
    • Acknowledge the interrupt
Yes
planes_rec_entry_pn_owner_virt_int On REC entry, if the values of enter.gicv3_lrs describe one or more Pending interrupts and the most recent REC exit was from a Plane which is not the GIC owner then control returns to P0. This results in a Plane exit due to synchronous exception.
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1 with Pn as GIC owner.
  3. Trigger a REC exit (any reason, e.g. access to HIPAS = UNASSIGNED)
  4. Call RMI_REC_ENTER with a virtual interrupt pending
    • Check that control passes to Pn
    • Acknowledge the interrupt
Yes
planes_rec_entry_maint_int On REC entry, if the most recent REC exit was from Pn and the value of ICH_MISR_EL2 at the time of the REC exit was not zero then control returns to P0. This results in a Plane exit due to synchronous exception.
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1 with HCR_EL2.NPIE flag set.
  3. Trigger a REC exit (any reason, e.g. access to HIPAS = UNASSIGNED)
  4. Call RMI_REC_ENTER
    • Check that control passes to P0
    • Check that Plane exit due to synchronous exception
Yes
planes_p0_gic_virt_pn Check behaviour when P0 is virtualising GIC for Pn
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1 with P0 as GIC owner.
  3. Trigger a REC exit (any reason, e.g. access to HIPAS = UNASSIGNED)
  4. Call RMI_REC_ENTER with a virtual interrupt pending
    • Check that control passes to P0
    • Check that Plane exit due to synchronous exception
    • Acknowledge the interrupt
  5. Call PLANE_ENTER with virtual interrupt pending
    • Check that control passes to P1
    • Acknowledge the interrupt
Yes
planes_el1_timer_trig On a change in the output of an EL1 timer which requires a Realm-observable change to the state of virtual interrupts, a REC exit
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. P0 to configure necessary permissions for P1's protected IPA and Enter P1.
  3. Enable EL1 timer and wait for interrupt
  4. Upon REC exit
    • Check that rec exit due to IRQ
    • rec_exit->cntp_ctl is expected value
Yes
planes_timer_state_rec_exit

On REC exit from Pn, for each of the EL1 virtual and physical timers, if any of the following is true then the timer state reported to the Host is Pn’s EL1 timer state:

  • The Pn timer is active and the P0 timer is not active.
  • Both Pn and P0 timers are active and the Pn timer deadline is earlier than the P0 timer deadline
  1. Configure Realm with one auxiliary plane and enter Realm.
  2. At P0 configure EL1 timer compare value to V1 and enable it according to the Table 4 below.
  3. P0 to configure necessary permissions for P1's protected IPA and Enter P1 with trap_hc == RSI_NO_TRAP.
  4. P1 to Enable and set REL1 timer compare value to V2 and enable it according to Table 4 below
  5. Call RSI_HOST_CALL from Pn
  6. Upon REC exit check that rec_exit.cntv_cval is according to Table 4 below
  7. REC_ENTER again and repeat from Step 2 until all the configurations in the Table 4 below are covered
Yes
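Table 1 : Contents of Granules

+---------+--------------+
| Granule | Content      |
+=========+==============+
| CODE1   | HVC          |
+---------+--------------+
| CODE2   | HVC          |
+---------+--------------+
| CODE3   | LDR x1, [x0] |
|         | HVC          |
+---------+--------------+
| CODE4   | STR x1, [x0] |
|         | HVC          |
+---------+--------------+
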
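Table 2 : Permissions for Granules

+----------+-----------------------+
| Granules | Permissions           |
|          +-----------+-----------+
|          | P1        | P2        |
+==========+===========+===========+
| CODE1    | No Access | No Access |
+----------+-----------+-----------+
| CODE2    | RO + upX  | RO + upX  |
+----------+-----------+-----------+
| CODE3    | RO + upX  | RO + upX  |
+----------+-----------+-----------+
| CODE4    | RO + upX  | RO + upX  |
+----------+-----------+-----------+
| DATA1    | RO        | No Access |
+----------+-----------+-----------+
| DATA2    | RW        | No Access |
+----------+-----------+-----------+
| DATA3    | WO        | No Access |
+----------+-----------+-----------+
| DATA4    | No Access | RO        |
+----------+-----------+-----------+
| DATA5    | No Access | RW        |
+----------+-----------+-----------+
| DATA6    | No Access | WO        |
+----------+-----------+-----------+
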
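Table 3 : Test Pattern

+---------------------+-----------------------------------+
| Inputs              | Result of execution               |
|                     | plane_exit.esr_el2.EC             |
+----------+----------+-----------------+-----------------+
| entry.PC | entry.x0 | plane_index = 1 | plane_index = 2 |
+==========+==========+=================+=================+
| CODE1    | --       | I.A             | I.A             |
+----------+----------+-----------------+-----------------+
| CODE2    | --       | HVC             | HVC             |
+----------+----------+-----------------+-----------------+
| CODE3    | DATA1    | HVC             | D.A             |
|          +----------+-----------------+-----------------+
|          | DATA2    | HVC             | D.A             |
|          +----------+-----------------+-----------------+
|          | DATA3    | D.A             | D.A             |
|          +----------+-----------------+-----------------+
|          | DATA4    | D.A             | HVC             |
|          +----------+-----------------+-----------------+
|          | DATA5    | D.A             | HVC             |
|          +----------+-----------------+-----------------+
|          | DATA6    | D.A             | D.A             |
+----------+----------+-----------------+-----------------+
| CODE4    | DATA1    | D.A             | D.A             |
|          +----------+-----------------+-----------------+
|          | DATA2    | HVC             | D.A             |
|          +----------+-----------------+-----------------+
|          | DATA3    | HVC             | D.A             |
|          +----------+-----------------+-----------------+
|          | DATA4    | D.A             | D.A             |
|          +----------+-----------------+-----------------+
|          | DATA5    | D.A             | HVC             |
|          +----------+-----------------+-----------------+
|          | DATA6    | D.A             | HVC             |
+----------+----------+-----------------+-----------------+
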
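The expected results in Table 3 follow from the granule contents in Table 1 and the permissions in Table 2. The following is an added example, not code from the ACS sources, that derives each entry with a small permission model; the enum names, the bit encoding and the function `expected_exit` are hypothetical, and upX is modelled as a single execute bit.

```c
#include <stdio.h>

/* Assumed model (not the ACS source): stage 2 overlay permission bits. */
enum { P_R = 1, P_W = 2, P_X = 4 };            /* P_X stands for upX */
enum outcome { EXIT_HVC, EXIT_IA, EXIT_DA };   /* class of plane_exit.esr_el2.EC */
enum access { ACC_NONE, ACC_LDR, ACC_STR };    /* access made before the HVC */

/* Table 1: what CODE1..CODE4 do before executing HVC. */
static const enum access code_access[4] = { ACC_NONE, ACC_NONE, ACC_LDR, ACC_STR };

/* Table 2: permissions per granule; column 0 is P1, column 1 is P2. */
static const int code_perm[4][2] = {
    { 0, 0 },                                   /* CODE1: No Access */
    { P_R | P_X, P_R | P_X },                   /* CODE2 */
    { P_R | P_X, P_R | P_X },                   /* CODE3 */
    { P_R | P_X, P_R | P_X },                   /* CODE4 */
};
static const int data_perm[6][2] = {
    { P_R, 0 }, { P_R | P_W, 0 }, { P_W, 0 },   /* DATA1..DATA3 */
    { 0, P_R }, { 0, P_R | P_W }, { 0, P_W },   /* DATA4..DATA6 */
};

/* Expected exit class for RSI_PLANE_ENTER with entry.PC = CODE<code>,
 * entry.x0 = DATA<data> (ignored for CODE1/CODE2), plane_index = plane. */
enum outcome expected_exit(int code, int data, int plane)
{
    int col = plane - 1;
    if (!(code_perm[code - 1][col] & P_X))
        return EXIT_IA;                         /* instruction fetch faults first */
    enum access acc = code_access[code - 1];
    int need = (acc == ACC_LDR) ? P_R : (acc == ACC_STR) ? P_W : 0;
    if (need && !(data_perm[data - 1][col] & need))
        return EXIT_DA;                         /* LDR/STR lacks the needed permission */
    return EXIT_HVC;                            /* access allowed, HVC is reached */
}

int main(void)
{
    static const char *name[] = { "HVC", "I.A", "D.A" };
    for (int code = 3; code <= 4; code++)
        for (int data = 1; data <= 6; data++)
            printf("CODE%d DATA%d  plane 1: %s  plane 2: %s\n", code, data,
                   name[expected_exit(code, data, 1)],
                   name[expected_exit(code, data, 2)]);
    return 0;
}
```
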
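Table 4 : Timer configuration

+------------+------------+---------+---------+----------------------+
| P0 enabled | P1 enabled | V1 (ms) | V2 (ms) | Expected plane index |
+============+============+=========+=========+======================+
| No         | No         | 5       | 10      | P0                   |
+------------+------------+---------+---------+----------------------+
| No         | No         | 10      | 5       | P0                   |
+------------+------------+---------+---------+----------------------+
| No         | Yes        | 5       | 10      | P1                   |
+------------+------------+---------+---------+----------------------+
| No         | Yes        | 10      | 5       | P1                   |
+------------+------------+---------+---------+----------------------+
| Yes        | No         | 5       | 10      | P0                   |
+------------+------------+---------+---------+----------------------+
| Yes        | No         | 10      | 5       | P0                   |
+------------+------------+---------+---------+----------------------+
| Yes        | Yes        | 5       | 10      | P0                   |
+------------+------------+---------+---------+----------------------+
| Yes        | Yes        | 10      | 5       | P1                   |
+------------+------------+---------+---------+----------------------+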