secure_services: Lock scheduler before calling secure services

Rename the services from spm_foo() to spm_foo_nsc() and create new
wrapper functions spm_foo() k_sched_*) using
TZ_THREAD_SAFE_NONSECURE_ENTRY_FUNC().

Ref: NCSIDB-108

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>

include/secure_services.h

@@ -22,19 +22,40 @@
 
 #include <stddef.h>
 #include <zephyr/types.h>
+#include <zephyr.h>
 #include <fw_info.h>
+#include <../arch/arm/include/aarch32/cortex_m/tz_ns.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+/** Implement a wrapper function around a secure_service.
+ *
+ * This function must reside in the non-secure binary. It makes the secure
+ * service thread safe by locking the scheduler while the service is running.
+ * The scheduler locking is done via TZ_THREAD_SAFE_NONSECURE_ENTRY_FUNC().
+ *
+ * The macro implements of the wrapper function. The wrapper function has the
+ * same function signature as the secure service.
+ *
+ * @param ret   The return type of the secure service and the wrapper function.
+ * @param name  The name of the wrapper function. The secure service is assumed
+ *              to be named the same, but with the suffix '_nse'. E.g. the
+ *              wrapper function foo() wraps the secure service foo_nse().
+ * @param ...   The arguments of the secure service and the wrapper function, as
+ *              they would appear in a function signature, i.e. type and name.
+ */
+#define NRF_NSE(ret, name, ...) \
+ret name ## _nse(__VA_ARGS__); \
+TZ_THREAD_SAFE_NONSECURE_ENTRY_FUNC(name, ret, name ## _nse, __VA_ARGS__)
+
 /** Request a system reboot from the Secure Firmware.
  *
  * Rebooting is not available from the Non-Secure Firmware.
  */
 void spm_request_system_reboot(void);
 
-
 /** Request a random number from the Secure Firmware.
  *
  * This provides a True Random Number from the on-board random number generator.
@@ -52,7 +73,6 @@ void spm_request_system_reboot(void);
  */
 int spm_request_random_number(uint8_t *output, size_t len, size_t *olen);
 
-
 /** Request a read operation to be executed from Secure Firmware.
  *
  * @param[out] destination Pointer to destination array where the content is

subsys/nonsecure/secure_services_ns.c

@@ -6,15 +6,35 @@
 #include <autoconf.h>
 #include <secure_services.h>
 #include <toolchain.h>
+#include <fw_info.h>
+
+#ifdef CONFIG_SPM_SERVICE_REBOOT
+NRF_NSE(void, spm_request_system_reboot);
 
 /* Overrides the weak ARM implementation:
  * Call into secure firmware if in the non-secure firmware since the non-secure
  * firmware is not allowed to directly reboot the system.
  */
-#ifdef CONFIG_SPM_SERVICE_REBOOT
 void sys_arch_reboot(int type)
 {
 	ARG_UNUSED(type);
 	spm_request_system_reboot();
 }
-#endif
+#endif /* CONFIG_SPM_SERVICE_REBOOT */
+
+#ifdef CONFIG_SPM_SERVICE_RNG
+NRF_NSE(int, spm_request_random_number, uint8_t *output, size_t len,
+					size_t *olen);
+#endif /* CONFIG_SPM_SERVICE_RNG */
+
+#ifdef CONFIG_SPM_SERVICE_READ
+NRF_NSE(int, spm_request_read, void *destination, uint32_t addr, size_t len);
+#endif /* CONFIG_SPM_SERVICE_READ */
+
+#ifdef CONFIG_SPM_SERVICE_FIND_FIRMWARE_INFO
+NRF_NSE(int, spm_firmware_info, uint32_t fw_address, struct fw_info *info);
+#endif /* CONFIG_SPM_SERVICE_FIND_FIRMWARE_INFO */
+
+#ifdef CONFIG_SPM_SERVICE_PREVALIDATE
+NRF_NSE(int, spm_prevalidate_b1_upgrade, uint32_t dst_addr, uint32_t src_addr);
+#endif /* CONFIG_SPM_SERVICE_PREVALIDATE */

subsys/spm/CMakeLists.txt

@@ -8,7 +8,6 @@ zephyr_sources(spm.c)
 zephyr_sources_ifdef(CONFIG_SPM_SECURE_SERVICES secure_services.c)
 zephyr_linker_sources(SECTIONS secure_services.ld)
 
-
 if(CONFIG_ARM_FIRMWARE_HAS_SECURE_ENTRY_FUNCS)
   share(
     "list(APPEND ${IMAGE_NAME}BUILD_BYPRODUCTS

subsys/spm/secure_services.c

@@ -9,7 +9,6 @@
 #include <power/reboot.h>
 #include <sys/util.h>
 #include <autoconf.h>
-#include <secure_services.h>
 #include <string.h>
 #include <bl_validation.h>
 
@@ -26,6 +25,9 @@
  *
  * Note: the function will be located in a Non-Secure
  * Callable region of the Secure Firmware Image.
+ *
+ * These should not be called directly. Instead call them through their wrapper
+ * functions, e.g. call spm_request_read_nse() via spm_request_read().
  */
 
 #ifdef CONFIG_SPM_SERVICE_RNG
@@ -66,7 +68,7 @@ struct read_range {
 
 
 __TZ_NONSECURE_ENTRY_FUNC
-int spm_request_read(void *destination, uint32_t addr, size_t len)
+int spm_request_read_nse(void *destination, uint32_t addr, size_t len)
 {
 	static const struct read_range ranges[] = {
 #ifdef PM_MCUBOOT_ADDRESS
@@ -101,7 +103,7 @@ int spm_request_read(void *destination, uint32_t addr, size_t len)
 
 #ifdef CONFIG_SPM_SERVICE_REBOOT
 __TZ_NONSECURE_ENTRY_FUNC
-void spm_request_system_reboot(void)
+void spm_request_system_reboot_nse(void)
 {
 	sys_reboot(SYS_REBOOT_COLD);
 }
@@ -110,7 +112,7 @@ void spm_request_system_reboot(void)
 
 #ifdef CONFIG_SPM_SERVICE_RNG
 __TZ_NONSECURE_ENTRY_FUNC
-int spm_request_random_number(uint8_t *output, size_t len, size_t *olen)
+int spm_request_random_number_nse(uint8_t *output, size_t len, size_t *olen)
 {
 	int err;
 
@@ -126,7 +128,7 @@ int spm_request_random_number(uint8_t *output, size_t len, size_t *olen)
 
 #ifdef CONFIG_SPM_SERVICE_FIND_FIRMWARE_INFO
 __TZ_NONSECURE_ENTRY_FUNC
-int spm_firmware_info(uint32_t fw_address, struct fw_info *info)
+int spm_firmware_info_nse(uint32_t fw_address, struct fw_info *info)
 {
 	const struct fw_info *tmp_info;
 
@@ -148,7 +150,7 @@ int spm_firmware_info(uint32_t fw_address, struct fw_info *info)
 
 #ifdef CONFIG_SPM_SERVICE_PREVALIDATE
 __TZ_NONSECURE_ENTRY_FUNC
-int spm_prevalidate_b1_upgrade(uint32_t dst_addr, uint32_t src_addr)
+int spm_prevalidate_b1_upgrade_nse(uint32_t dst_addr, uint32_t src_addr)
 {
 	if (!bl_validate_firmware_available()) {
 		return -ENOTSUP;