* [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs
2026-04-12 17:04 [PATCH 0/5] firmware/irqchip: Add FF-A DT interrupt support for donated NS SGIs Sudeep Holla
@ 2026-04-12 17:04 ` Sudeep Holla
2026-04-16 12:11 ` Rob Herring
2026-04-12 17:04 ` [PATCH 2/5] irqchip/gic-v3: Support secure-donated non-secure SGIs Sudeep Holla
` (3 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: Sudeep Holla @ 2026-04-12 17:04 UTC (permalink / raw)
To: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Marc Zyngier,
devicetree, linux-kernel, linux-arm-kernel, Sudeep Holla

In GICv3, SGI security is defined by interrupt grouping and configuration
rather than by SGI number alone. Linux conventionally reserves SGIs 0-7
for non-secure internal kernel IPIs, while higher SGIs are assumed to be
owned/stolen by the Secure world unless explicitly made available.

Document secure donated SGI interrupt specifiers for the GICv3 binding.
It describes "arm,secure-donated-ns-sgi-ranges" for SGIs donated by the
secure world to non-secure software. It excludes SGIs 0-7, which are
already used by the kernel for internal IPI purposes.

Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
.../bindings/interrupt-controller/arm,gic-v3.yaml | 27 +++++++++++++++++++++-
include/dt-bindings/interrupt-controller/arm-gic.h | 1 +
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
index bfd30aae682b..664727d071c9 100644
--- a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
+++ b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
@@ -45,17 +45,24 @@ description: |
The 1st cell is the interrupt type; 0 for SPI interrupts, 1 for PPI
interrupts, 2 for interrupts in the Extended SPI range, 3 for the
- Extended PPI range. Other values are reserved for future use.
+ Extended PPI range, and 4 for SGI interrupts. Other values are
+ reserved for future use.
The 2nd cell contains the interrupt number for the interrupt type.
SPI interrupts are in the range [0-987]. PPI interrupts are in the
range [0-15]. Extended SPI interrupts are in the range [0-1023].
Extended PPI interrupts are in the range [0-127].
+ SGI interrupts are in the range [8-15] which overlaps with the SGIs
+ assigned to/reserved for the secure world but donated to the non
+ secure world to use. Refer "arm,secure-donated-ns-sgi-ranges" for
+ more details.
+
The 3rd cell is the flags, encoded as follows:
bits[3:0] trigger type and level flags.
1 = edge triggered
4 = level triggered
+ SGIs are edge triggered and must be described as such.
The 4th cell is a phandle to a node describing a set of CPUs this
interrupt is affine to. The interrupt must be a PPI, and the node
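Review bot: The added 2nd-cell paragraph ("SGI interrupts are in the range [8-15] which overlaps with the SGIs assigned to/reserved for the secure world ...") is hard to parse and never states the actual rule, which is that a type 4 specifier is only valid for an SGI covered by "arm,secure-donated-ns-sgi-ranges". Suggest saying that directly, for example "SGI interrupts are in the range [8-15] and must be covered by arm,secure-donated-ns-sgi-ranges", and using "Refer to" rather than "Refer". The unchanged 4th-cell text just below still reads "The interrupt must be a PPI", so the description should also say what the 4th cell must contain when the 1st cell is 4.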
@@ -136,6 +143,24 @@ description: |
- $ref: /schemas/types.yaml#/definitions/uint32
- $ref: /schemas/types.yaml#/definitions/uint64
+ arm,secure-donated-ns-sgi-ranges:
+ description:
+ A list of pairs <sgi span>, where "sgi" is the first SGI INTID of a
+ range donated by the secure side to non-secure software, and "span" is
+ the size of that range. Multiple ranges can be provided.
+
+ SGIs described by interrupt specifiers with type 4 (SGI) must fall
+ within one of these ranges. SGIs(0-7) reserved by non-secure world
+ for internal IPIs must not be listed here. "sgi" must be in the
+ range [8-15], "span" must be in the range [1-8], and the range must
+ not extend past SGI 15.
+ $ref: /schemas/types.yaml#/definitions/uint32-matrix
+ items:
+ - minimum: 8
+ maximum: 15
+ - minimum: 1
+ maximum: 8
+
ppi-partitions:
type: object
additionalProperties: false
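Review bot: The per-cell bounds under `items:` (first cell 8..15, second cell 1..8) cannot express the rule the description states, that a range "must not extend past SGI 15", so a pair such as <15 8> satisfies the schema while being invalid. The description is also silent on overlapping or duplicate ranges. Either describe the donated SGIs as a flat list of SGI numbers, where each entry can be bounded on its own, or say explicitly in the description that the end-of-range and overlap rules are checked only by the OS.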
diff --git a/include/dt-bindings/interrupt-controller/arm-gic.h b/include/dt-bindings/interrupt-controller/arm-gic.h
index 887f53363e8a..52c2f3f090c5 100644
--- a/include/dt-bindings/interrupt-controller/arm-gic.h
+++ b/include/dt-bindings/interrupt-controller/arm-gic.h
@@ -14,6 +14,7 @@
#define GIC_PPI 1
#define GIC_ESPI 2
#define GIC_EPPI 3
+#define GIC_SGI 4
/*
* Interrupt specifier cell 2.
--
2.43.0
* Re: [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs
2026-04-12 17:04 ` [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs Sudeep Holla
@ 2026-04-16 12:11 ` Rob Herring
2026-04-16 13:09 ` Sudeep Holla
0 siblings, 1 reply; 10+ messages in thread
From: Rob Herring @ 2026-04-16 12:11 UTC (permalink / raw)
To: Sudeep Holla
Cc: Krzysztof Kozlowski, Conor Dooley, Marc Zyngier, devicetree,
linux-kernel, linux-arm-kernel
On Sun, Apr 12, 2026 at 06:04:37PM +0100, Sudeep Holla wrote:
> In GICv3, SGI security is defined by interrupt grouping and configuration
> rather than by SGI number alone. Linux conventionally reserves SGIs 0-7
> for non-secure internal kernel IPIs, while higher SGIs is assumed to be
> owned/stolen by the Secure world unless explicitly made available.
>
> Document secure donated SGI interrupt specifiers for the GICv3 binding.
> It describes "arm,secure-donated-ns-sgi-ranges" for SGIs donated by the
> secure world to non-secure software. It excludes SGIs 0-7, which are
> already used by the kernel for internal IPI purposes.
>
> Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
> ---
> .../bindings/interrupt-controller/arm,gic-v3.yaml | 27 +++++++++++++++++++++-
> include/dt-bindings/interrupt-controller/arm-gic.h | 1 +
> 2 files changed, 27 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> index bfd30aae682b..664727d071c9 100644
> --- a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> +++ b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> @@ -45,17 +45,24 @@ description: |
>
> The 1st cell is the interrupt type; 0 for SPI interrupts, 1 for PPI
> interrupts, 2 for interrupts in the Extended SPI range, 3 for the
> - Extended PPI range. Other values are reserved for future use.
> + Extended PPI range, and 4 for SGI interrupts. Other values are
> + reserved for future use.
>
> The 2nd cell contains the interrupt number for the interrupt type.
> SPI interrupts are in the range [0-987]. PPI interrupts are in the
> range [0-15]. Extended SPI interrupts are in the range [0-1023].
> Extended PPI interrupts are in the range [0-127].
>
> + SGI interrupts are in the range [8-15] which overlaps with the SGIs
> + assigned to/reserved for the secure world but donated to the non
> + secure world to use. Refer "arm,secure-donated-ns-sgi-ranges" for
> + more details.
> +
> The 3rd cell is the flags, encoded as follows:
> bits[3:0] trigger type and level flags.
> 1 = edge triggered
> 4 = level triggered
> + SGIs are edge triggered and must be described as such.
>
> The 4th cell is a phandle to a node describing a set of CPUs this
> interrupt is affine to. The interrupt must be a PPI, and the node
> @@ -136,6 +143,24 @@ description: |
> - $ref: /schemas/types.yaml#/definitions/uint32
> - $ref: /schemas/types.yaml#/definitions/uint64
>
> + arm,secure-donated-ns-sgi-ranges:
> + description:
> + A list of pairs <sgi span>, where "sgi" is the first SGI INTID of a
> + range donated by the secure side to non-secure software, and "span" is
> + the size of that range. Multiple ranges can be provided.
> +
> + SGIs described by interrupt specifiers with type 4 (SGI) must fall
> + within one of these ranges. SGIs(0-7) reserved by non-secure world
> + for internal IPIs must not be listed here. "sgi" must be in the
> + range [8-15], "span" must be in the range [1-8], and the range must
> + not extend past SGI 15.
> + $ref: /schemas/types.yaml#/definitions/uint32-matrix
> + items:

As a matrix, you need:

items:
  items:
    - ...
    - ...

However, given this is at most 8 entries, I would just do an array:

minItems: 1
maxItems: 8
uniqueItems: true
items:
  minimum: 8
  maximum: 15

Unless we need more flexibility in GICv5?

Is there an example we can stick this property into so it gets tested?

> + - minimum: 8
> + maximum: 15
> + - minimum: 1
> + maximum: 8
> +
> ppi-partitions:
> type: object
> additionalProperties: false
> diff --git a/include/dt-bindings/interrupt-controller/arm-gic.h b/include/dt-bindings/interrupt-controller/arm-gic.h
> index 887f53363e8a..52c2f3f090c5 100644
> --- a/include/dt-bindings/interrupt-controller/arm-gic.h
> +++ b/include/dt-bindings/interrupt-controller/arm-gic.h
> @@ -14,6 +14,7 @@
> #define GIC_PPI 1
> #define GIC_ESPI 2
> #define GIC_EPPI 3
> +#define GIC_SGI 4
>
> /*
> * Interrupt specifier cell 2.
>
> --
> 2.43.0
>
* Re: [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs
2026-04-16 12:11 ` Rob Herring
@ 2026-04-16 13:09 ` Sudeep Holla
2026-04-16 14:02 ` Rob Herring
0 siblings, 1 reply; 10+ messages in thread
From: Sudeep Holla @ 2026-04-16 13:09 UTC (permalink / raw)
To: Rob Herring
Cc: Krzysztof Kozlowski, Sudeep Holla, Conor Dooley, Marc Zyngier,
devicetree, linux-kernel, linux-arm-kernel
On Thu, Apr 16, 2026 at 07:11:46AM -0500, Rob Herring wrote:
> On Sun, Apr 12, 2026 at 06:04:37PM +0100, Sudeep Holla wrote:
> > In GICv3, SGI security is defined by interrupt grouping and configuration
> > rather than by SGI number alone. Linux conventionally reserves SGIs 0-7
> > for non-secure internal kernel IPIs, while higher SGIs is assumed to be
> > owned/stolen by the Secure world unless explicitly made available.
> >
> > Document secure donated SGI interrupt specifiers for the GICv3 binding.
> > It describes "arm,secure-donated-ns-sgi-ranges" for SGIs donated by the
> > secure world to non-secure software. It excludes SGIs 0-7, which are
> > already used by the kernel for internal IPI purposes.
> >
> > Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
> > ---
> > .../bindings/interrupt-controller/arm,gic-v3.yaml | 27 +++++++++++++++++++++-
> > include/dt-bindings/interrupt-controller/arm-gic.h | 1 +
> > 2 files changed, 27 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > index bfd30aae682b..664727d071c9 100644
> > --- a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > +++ b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > @@ -45,17 +45,24 @@ description: |
> >
> > The 1st cell is the interrupt type; 0 for SPI interrupts, 1 for PPI
> > interrupts, 2 for interrupts in the Extended SPI range, 3 for the
> > - Extended PPI range. Other values are reserved for future use.
> > + Extended PPI range, and 4 for SGI interrupts. Other values are
> > + reserved for future use.
> >
> > The 2nd cell contains the interrupt number for the interrupt type.
> > SPI interrupts are in the range [0-987]. PPI interrupts are in the
> > range [0-15]. Extended SPI interrupts are in the range [0-1023].
> > Extended PPI interrupts are in the range [0-127].
> >
> > + SGI interrupts are in the range [8-15] which overlaps with the SGIs
> > + assigned to/reserved for the secure world but donated to the non
> > + secure world to use. Refer "arm,secure-donated-ns-sgi-ranges" for
> > + more details.
> > +
> > The 3rd cell is the flags, encoded as follows:
> > bits[3:0] trigger type and level flags.
> > 1 = edge triggered
> > 4 = level triggered
> > + SGIs are edge triggered and must be described as such.
> >
> > The 4th cell is a phandle to a node describing a set of CPUs this
> > interrupt is affine to. The interrupt must be a PPI, and the node
> > @@ -136,6 +143,24 @@ description: |
> > - $ref: /schemas/types.yaml#/definitions/uint32
> > - $ref: /schemas/types.yaml#/definitions/uint64
> >
> > + arm,secure-donated-ns-sgi-ranges:
> > + description:
> > + A list of pairs <sgi span>, where "sgi" is the first SGI INTID of a
> > + range donated by the secure side to non-secure software, and "span" is
> > + the size of that range. Multiple ranges can be provided.
> > +
> > + SGIs described by interrupt specifiers with type 4 (SGI) must fall
> > + within one of these ranges. SGIs(0-7) reserved by non-secure world
> > + for internal IPIs must not be listed here. "sgi" must be in the
> > + range [8-15], "span" must be in the range [1-8], and the range must
> > + not extend past SGI 15.
> > + $ref: /schemas/types.yaml#/definitions/uint32-matrix
> > + items:
>
> As a matrix, you need:
>
> items:
> items:
> - ...
> - ...
>
> However, given this is at most 8 entries, I would just do an array:
>
> minItems: 1
> maxItems: 8
> uniqueItems: true
> items:
> minimum: 8
> maximum: 15
>
Makes sense.
> Unless we need more flexibility in GICv5?
>
IIUC, there are no SGIs in GICv5 and we may need to use one software PPI
as a replacement for SGIs. LPIs are used for IPIs.

I am assuming Marc will soon post his opinion/rejection on this series 😉
based on some offline discussion we had with respect to how it fits with
GICv5.
> Is there an example we can stick this property into so it gets tested?
>
Not sure if [1] serves as an example or you are looking for something else.
--
Regards,
Sudeep
[1] https://lore.kernel.org/all/20260412-b4-ffa_ns_sgi_gicv3-v1-5-af61243eb405@kernel.org/
* Re: [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs
2026-04-16 13:09 ` Sudeep Holla
@ 2026-04-16 14:02 ` Rob Herring
2026-04-17 11:07 ` Sudeep Holla
0 siblings, 1 reply; 10+ messages in thread
From: Rob Herring @ 2026-04-16 14:02 UTC (permalink / raw)
To: Sudeep Holla
Cc: Krzysztof Kozlowski, Conor Dooley, Marc Zyngier, devicetree,
linux-kernel, linux-arm-kernel
On Thu, Apr 16, 2026 at 8:09 AM Sudeep Holla <sudeep.holla@kernel.org> wrote:
>
> On Thu, Apr 16, 2026 at 07:11:46AM -0500, Rob Herring wrote:
> > On Sun, Apr 12, 2026 at 06:04:37PM +0100, Sudeep Holla wrote:
> > > In GICv3, SGI security is defined by interrupt grouping and configuration
> > > rather than by SGI number alone. Linux conventionally reserves SGIs 0-7
> > > for non-secure internal kernel IPIs, while higher SGIs is assumed to be
> > > owned/stolen by the Secure world unless explicitly made available.
> > >
> > > Document secure donated SGI interrupt specifiers for the GICv3 binding.
> > > It describes "arm,secure-donated-ns-sgi-ranges" for SGIs donated by the
> > > secure world to non-secure software. It excludes SGIs 0-7, which are
> > > already used by the kernel for internal IPI purposes.
> > >
> > > Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
> > > ---
> > > .../bindings/interrupt-controller/arm,gic-v3.yaml | 27 +++++++++++++++++++++-
> > > include/dt-bindings/interrupt-controller/arm-gic.h | 1 +
> > > 2 files changed, 27 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > > index bfd30aae682b..664727d071c9 100644
> > > --- a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > > +++ b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > > @@ -45,17 +45,24 @@ description: |
> > >
> > > The 1st cell is the interrupt type; 0 for SPI interrupts, 1 for PPI
> > > interrupts, 2 for interrupts in the Extended SPI range, 3 for the
> > > - Extended PPI range. Other values are reserved for future use.
> > > + Extended PPI range, and 4 for SGI interrupts. Other values are
> > > + reserved for future use.
> > >
> > > The 2nd cell contains the interrupt number for the interrupt type.
> > > SPI interrupts are in the range [0-987]. PPI interrupts are in the
> > > range [0-15]. Extended SPI interrupts are in the range [0-1023].
> > > Extended PPI interrupts are in the range [0-127].
> > >
> > > + SGI interrupts are in the range [8-15] which overlaps with the SGIs
> > > + assigned to/reserved for the secure world but donated to the non
> > > + secure world to use. Refer "arm,secure-donated-ns-sgi-ranges" for
> > > + more details.
> > > +
> > > The 3rd cell is the flags, encoded as follows:
> > > bits[3:0] trigger type and level flags.
> > > 1 = edge triggered
> > > 4 = level triggered
> > > + SGIs are edge triggered and must be described as such.
> > >
> > > The 4th cell is a phandle to a node describing a set of CPUs this
> > > interrupt is affine to. The interrupt must be a PPI, and the node
> > > @@ -136,6 +143,24 @@ description: |
> > > - $ref: /schemas/types.yaml#/definitions/uint32
> > > - $ref: /schemas/types.yaml#/definitions/uint64
> > >
> > > + arm,secure-donated-ns-sgi-ranges:
> > > + description:
> > > + A list of pairs <sgi span>, where "sgi" is the first SGI INTID of a
> > > + range donated by the secure side to non-secure software, and "span" is
> > > + the size of that range. Multiple ranges can be provided.
> > > +
> > > + SGIs described by interrupt specifiers with type 4 (SGI) must fall
> > > + within one of these ranges. SGIs(0-7) reserved by non-secure world
> > > + for internal IPIs must not be listed here. "sgi" must be in the
> > > + range [8-15], "span" must be in the range [1-8], and the range must
> > > + not extend past SGI 15.
> > > + $ref: /schemas/types.yaml#/definitions/uint32-matrix
> > > + items:
> >
> > As a matrix, you need:
> >
> > items:
> > items:
> > - ...
> > - ...
> >
> > However, given this is at most 8 entries, I would just do an array:
> >
> > minItems: 1
> > maxItems: 8
> > uniqueItems: true
> > items:
> > minimum: 8
> > maximum: 15
> >
>
> Makes sense.
>
> > Unless we need more flexibility in GICv5?
> >
>
> IIUC, there are not SGIs in GICv5 and we may need to use one software PPI
> as a replacement for SGIs. LPIs are used for IPIs.
>
> I am assuming Marc will soon post his opinion/rejection on this series 😉
> based on some offline discussion we had with respect to how it fits with
> GICv5.
>
> > Is there an example we can stick this property into so it gets tested?
> >
>
> Not sure if [1] serves as an example or you are looking for something else.
In the binding example, but don't add a whole new example for it.
Did [1] pass validation? If it did, it shouldn't have and I need to
investigate. If you didn't run it, then that would be the reason I
want it in the binding example.
Rob
* Re: [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs
2026-04-16 14:02 ` Rob Herring
@ 2026-04-17 11:07 ` Sudeep Holla
0 siblings, 0 replies; 10+ messages in thread
From: Sudeep Holla @ 2026-04-17 11:07 UTC (permalink / raw)
To: Rob Herring
Cc: Krzysztof Kozlowski, Conor Dooley, Marc Zyngier, Sudeep Holla,
devicetree, linux-kernel, linux-arm-kernel
On Thu, Apr 16, 2026 at 09:02:27AM -0500, Rob Herring wrote:
> On Thu, Apr 16, 2026 at 8:09 AM Sudeep Holla <sudeep.holla@kernel.org> wrote:
> >
> > On Thu, Apr 16, 2026 at 07:11:46AM -0500, Rob Herring wrote:
> > > On Sun, Apr 12, 2026 at 06:04:37PM +0100, Sudeep Holla wrote:
> > > > In GICv3, SGI security is defined by interrupt grouping and configuration
> > > > rather than by SGI number alone. Linux conventionally reserves SGIs 0-7
> > > > for non-secure internal kernel IPIs, while higher SGIs is assumed to be
> > > > owned/stolen by the Secure world unless explicitly made available.
> > > >
> > > > Document secure donated SGI interrupt specifiers for the GICv3 binding.
> > > > It describes "arm,secure-donated-ns-sgi-ranges" for SGIs donated by the
> > > > secure world to non-secure software. It excludes SGIs 0-7, which are
> > > > already used by the kernel for internal IPI purposes.
> > > >
> > > > Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
> > > > ---
> > > > .../bindings/interrupt-controller/arm,gic-v3.yaml | 27 +++++++++++++++++++++-
> > > > include/dt-bindings/interrupt-controller/arm-gic.h | 1 +
> > > > 2 files changed, 27 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > > > index bfd30aae682b..664727d071c9 100644
> > > > --- a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > > > +++ b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
> > > > @@ -45,17 +45,24 @@ description: |
> > > >
> > > > The 1st cell is the interrupt type; 0 for SPI interrupts, 1 for PPI
> > > > interrupts, 2 for interrupts in the Extended SPI range, 3 for the
> > > > - Extended PPI range. Other values are reserved for future use.
> > > > + Extended PPI range, and 4 for SGI interrupts. Other values are
> > > > + reserved for future use.
> > > >
> > > > The 2nd cell contains the interrupt number for the interrupt type.
> > > > SPI interrupts are in the range [0-987]. PPI interrupts are in the
> > > > range [0-15]. Extended SPI interrupts are in the range [0-1023].
> > > > Extended PPI interrupts are in the range [0-127].
> > > >
> > > > + SGI interrupts are in the range [8-15] which overlaps with the SGIs
> > > > + assigned to/reserved for the secure world but donated to the non
> > > > + secure world to use. Refer "arm,secure-donated-ns-sgi-ranges" for
> > > > + more details.
> > > > +
> > > > The 3rd cell is the flags, encoded as follows:
> > > > bits[3:0] trigger type and level flags.
> > > > 1 = edge triggered
> > > > 4 = level triggered
> > > > + SGIs are edge triggered and must be described as such.
> > > >
> > > > The 4th cell is a phandle to a node describing a set of CPUs this
> > > > interrupt is affine to. The interrupt must be a PPI, and the node
> > > > @@ -136,6 +143,24 @@ description: |
> > > > - $ref: /schemas/types.yaml#/definitions/uint32
> > > > - $ref: /schemas/types.yaml#/definitions/uint64
> > > >
> > > > + arm,secure-donated-ns-sgi-ranges:
> > > > + description:
> > > > + A list of pairs <sgi span>, where "sgi" is the first SGI INTID of a
> > > > + range donated by the secure side to non-secure software, and "span" is
> > > > + the size of that range. Multiple ranges can be provided.
> > > > +
> > > > + SGIs described by interrupt specifiers with type 4 (SGI) must fall
> > > > + within one of these ranges. SGIs(0-7) reserved by non-secure world
> > > > + for internal IPIs must not be listed here. "sgi" must be in the
> > > > + range [8-15], "span" must be in the range [1-8], and the range must
> > > > + not extend past SGI 15.
> > > > + $ref: /schemas/types.yaml#/definitions/uint32-matrix
> > > > + items:
> > >
> > > As a matrix, you need:
> > >
> > > items:
> > > items:
> > > - ...
> > > - ...
> > >
> > > However, given this is at most 8 entries, I would just do an array:
> > >
> > > minItems: 1
> > > maxItems: 8
> > > uniqueItems: true
> > > items:
> > > minimum: 8
> > > maximum: 15
> > >
> >
> > Makes sense.
> >
> > > Unless we need more flexibility in GICv5?
> > >
> >
> > IIUC, there are not SGIs in GICv5 and we may need to use one software PPI
> > as a replacement for SGIs. LPIs are used for IPIs.
> >
> > I am assuming Marc will soon post his opinion/rejection on this series 😉
> > based on some offline discussion we had with respect to how it fits with
> > GICv5.
> >
> > > Is there an example we can stick this property into so it gets tested?
> > >
> >
> > Not sure if [1] serves as an example or you are looking for something else.
>
> In the binding example, but don't add a whole new example for it.
>
> Did [1] pass validation? If it did, it shouldn't have and I need to
> investigate. If you didn't run it, then that would be the reason I
> want it in the binding example.
>
By validation, do you mean `dtbs_check`? If so, yes, I didn't see any
warnings. But it is likely that I might have missed some flags as I was
doing `dtbs_check` and `dt_bindings_check` after a very long time. I will
check again. But the commands did produce warnings in other files.
--
Regards,
Sudeep
* [PATCH 2/5] irqchip/gic-v3: Support secure-donated non-secure SGIs
2026-04-12 17:04 [PATCH 0/5] firmware/irqchip: Add FF-A DT interrupt support for donated NS SGIs Sudeep Holla
2026-04-12 17:04 ` [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs Sudeep Holla
@ 2026-04-12 17:04 ` Sudeep Holla
2026-04-12 17:04 ` [PATCH 3/5] dt-bindings: firmware: Add Arm FF-A binding Sudeep Holla
` (2 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: Sudeep Holla @ 2026-04-12 17:04 UTC (permalink / raw)
To: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Marc Zyngier,
devicetree, linux-kernel, linux-arm-kernel, Sudeep Holla

Parse secure-donated SGI ranges from the firmware, reject invalid
interrupt specifiers, and allow devicetree consumers to map only the
SGIs explicitly donated by the secure side to non-secure software.

Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
drivers/irqchip/irq-gic-v3.c | 86 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 86 insertions(+)
diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
index 20f13b686ab2..cc7720d9fb0e 100644
--- a/drivers/irqchip/irq-gic-v3.c
+++ b/drivers/irqchip/irq-gic-v3.c
@@ -35,6 +35,8 @@
#include <asm/smp_plat.h>
#include <asm/virt.h>
+#include <dt-bindings/interrupt-controller/arm-gic.h>
+
#include "irq-gic-common.h"
static u8 dist_prio_irq __ro_after_init = GICV3_PRIO_IRQ;
@@ -65,6 +67,7 @@ struct gic_chip_data {
u64 flags;
bool has_rss;
unsigned int ppi_nr;
+ u16 donated_sgi_mask;
struct partition_affinity *parts;
unsigned int nr_parts;
};
@@ -95,6 +98,7 @@ static bool nmi_support_forbidden;
* with hwirq IDs, is simplified by accounting for all 16.
*/
#define SGI_NR 16
+#define GIC_SGI_IPI_NR 8
/*
* The behaviours of RPR and PMR registers differ depending on the value of
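Review bot: `GIC_SGI_IPI_NR` is added without a comment, and the name alone does not say that it marks the boundary below which SGIs belong to the kernel's own IPIs. A one-line comment tying it to the binding text (SGIs 0-7 reserved for internal IPIs) would help, because this value is what stops a devicetree from declaring a kernel IPI as donated.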
@@ -119,6 +123,74 @@ static bool nmi_support_forbidden;
*/
static DEFINE_STATIC_KEY_FALSE(supports_pseudo_nmis);
+static bool gic_sgi_is_donated_to_ns(unsigned int sgi)
+{
+ return sgi < SGI_NR && (gic_data.donated_sgi_mask & BIT(sgi));
+}
+
+static int __init gic_of_init_donated_sgi_ranges(struct device_node *node)
+{
+ const char *propname = "arm,secure-donated-ns-sgi-ranges";
+ int count, i;
+ u32 *ranges;
+ u16 mask = 0;
+
+ count = of_property_count_u32_elems(node, propname);
+ if (count < 0) {
+ if (count == -EINVAL)
+ return 0;
+
+ pr_err("%pOF: unable to read %s\n", node, propname);
+ return count;
+ }
+
+ if (!count)
+ return 0;
+
+ if (count % 2) {
+ pr_err("%pOF: %s must contain <sgi span> pairs\n",
+ node, propname);
+ return -EINVAL;
+ }
+
+ ranges = kcalloc(count, sizeof(*ranges), GFP_KERNEL);
+ if (!ranges)
+ return -ENOMEM;
+
+ if (of_property_read_u32_array(node, propname, ranges, count)) {
+ pr_err("%pOF: unable to read %s\n", node, propname);
+ kfree(ranges);
+ return -EINVAL;
+ }
+
+ for (i = 0; i < count; i += 2) {
+ u32 sgi = ranges[i];
+ u32 span = ranges[i + 1];
+ u32 end;
+
+ if (sgi < GIC_SGI_IPI_NR || sgi >= SGI_NR || !span || span > 8) {
+ pr_err("%pOF: invalid SGI range <%u %u> in %s\n",
+ node, sgi, span, propname);
+ kfree(ranges);
+ return -EINVAL;
+ }
+
+ end = sgi + span;
+ if (end > SGI_NR) {
+ pr_err("%pOF: SGI range <%u %u> exceeds SGI space in %s\n",
+ node, sgi, span, propname);
+ kfree(ranges);
+ return -EINVAL;
+ }
+
+ mask |= GENMASK(end - 1, sgi);
+ }
+
+ kfree(ranges);
+ gic_data.donated_sgi_mask = mask;
+ return 0;
+}
+
static u32 gic_get_pribits(void)
{
u32 pribits;
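Review bot: In gic_of_init_donated_sgi_ranges(), `kcalloc(count, sizeof(*ranges), GFP_KERNEL)` is sized directly from the property length, although only SGIs 8-15 can be donated, so at most eight non-overlapping pairs are meaningful. Rejecting `count > 2 * (SGI_NR - GIC_SGI_IPI_NR)` up front would allow a fixed-size on-stack array and remove the three separate `kfree(ranges)` error paths. In the loop, the `span > 8` test is what keeps `end = sgi + span` from wrapping in u32 before the `end > SGI_NR` check; a comment saying so would stop it being dropped later as redundant. Overlapping pairs are OR-ed into `mask` with no diagnostic, which should be either rejected or documented as accepted.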
@@ -1614,6 +1686,12 @@ static int gic_irq_domain_translate(struct irq_domain *d,
case 3: /* EPPI */
*hwirq = fwspec->param[1] + EPPI_BASE_INTID;
break;
+ case GIC_SGI: /* SGI */
+ if (!gic_sgi_is_donated_to_ns(fwspec->param[1]))
+ return -EINVAL;
+
+ *hwirq = fwspec->param[1];
+ break;
case GIC_IRQ_TYPE_LPI: /* LPI */
*hwirq = fwspec->param[1];
break;
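Review bot: The new `case GIC_SGI:` returns -EINVAL with no message when the SGI is not in the donated mask, so a devicetree that references a non-donated SGI fails with no hint as to why. This is the point where the donation is enforced, so a pr_err naming the rejected SGI number would be useful. A short comment that an absent property leaves donated_sgi_mask empty (assuming gic_data starts zeroed), and that every type 4 specifier is therefore refused, would make the fail-closed default explicit. The neighbouring cases use numeric labels (`case 3: /* EPPI */`), so the macro label is inconsistent with them.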
@@ -1623,6 +1701,10 @@ static int gic_irq_domain_translate(struct irq_domain *d,
*type = fwspec->param[2] & IRQ_TYPE_SENSE_MASK;
+ if (fwspec->param[0] == GIC_SGI &&
+ *type != IRQ_TYPE_EDGE_RISING)
+ return -EINVAL;
+
/*
* Make it clear that broken DTs are... broken.
*/
@@ -2239,6 +2321,10 @@ static int __init gic_of_init(struct device_node *node, struct device_node *pare
gic_enable_of_quirks(node, gic_quirks, &gic_data);
+ err = gic_of_init_donated_sgi_ranges(node);
+ if (err)
+ goto out_unmap_rdist;
+
err = gic_init_bases(dist_phys_base, dist_base, rdist_regs,
nr_redist_regions, redist_stride, &node->fwnode);
if (err)
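Review bot: A malformed "arm,secure-donated-ns-sgi-ranges" now makes gic_of_init() bail out through `goto out_unmap_rdist`, so an error in an optional property leaves the system without its interrupt controller. Consider logging the error and continuing with an empty donated mask, which still refuses every type 4 specifier but keeps the GIC usable.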
--
2.43.0
* [PATCH 3/5] dt-bindings: firmware: Add Arm FF-A binding
2026-04-12 17:04 [PATCH 0/5] firmware/irqchip: Add FF-A DT interrupt support for donated NS SGIs Sudeep Holla
2026-04-12 17:04 ` [PATCH 1/5] dt-bindings: interrupt-controller: Add support for secure donated SGIs Sudeep Holla
2026-04-12 17:04 ` [PATCH 2/5] irqchip/gic-v3: Support secure-donated non-secure SGIs Sudeep Holla
@ 2026-04-12 17:04 ` Sudeep Holla
2026-04-12 17:04 ` [PATCH 4/5] firmware: arm_ffa: Use device node interrupts property for IRQ lookup Sudeep Holla
2026-04-12 17:04 ` [PATCH 5/5] arm64: dts: arm: fvp-base-revc: Add FF-A notification interrupt Sudeep Holla
4 siblings, 0 replies; 10+ messages in thread
From: Sudeep Holla @ 2026-04-12 17:04 UTC (permalink / raw)
To: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Marc Zyngier,
devicetree, linux-kernel, linux-arm-kernel, Sudeep Holla

Document the FF-A firmware device node.

It describes the "arm,ffa" compatible and requires the standard interrupts
property.

Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
.../devicetree/bindings/firmware/arm,ffa.yaml | 42 ++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/Documentation/devicetree/bindings/firmware/arm,ffa.yaml b/Documentation/devicetree/bindings/firmware/arm,ffa.yaml
new file mode 100644
index 000000000000..150f394b3327
--- /dev/null
+++ b/Documentation/devicetree/bindings/firmware/arm,ffa.yaml
@@ -0,0 +1,42 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/firmware/arm,ffa.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Arm Firmware Framework for A-profile
+
+maintainers:
+ - Sudeep Holla <sudeep.holla@kernel.org>
+
+description: |
+ Arm Firmware Framework for A-profile (FF-A) firmware device node
+ describing the notification interrupt exposed to the normal world.
+
+properties:
+ $nodename:
+ const: ffa
+
+ compatible:
+ const: arm,ffa
+
+ interrupts:
+ description:
+ Per-CPU notification interrupt used by the normal world FF-A partition.
+ maxItems: 1
+
+required:
+ - compatible
+ - interrupts
+
+additionalProperties: false
+
+examples:
+ - |
+ #include <dt-bindings/interrupt-controller/arm-gic.h>
+ #include <dt-bindings/interrupt-controller/irq.h>
+
+ ffa {
+ compatible = "arm,ffa";
+ interrupts = <GIC_SGI 8 IRQ_TYPE_EDGE_RISING>;
+ };
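Review bot: The `interrupts` description does not say that the interrupt must be the one the firmware reports, although the driver change in this series cross-checks the mapped hwirq against the interrupt ID returned by FFA_FEATURES and fails on a mismatch. State that requirement in the description, and note that on GICv3 an SGI used here must be covered by "arm,secure-donated-ns-sgi-ranges" on the interrupt controller. The binding also does not say where the `ffa` node is expected to sit in the tree.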
--
2.43.0
* [PATCH 4/5] firmware: arm_ffa: Use device node interrupts property for IRQ lookup
2026-04-12 17:04 [PATCH 0/5] firmware/irqchip: Add FF-A DT interrupt support for donated NS SGIs Sudeep Holla
` (2 preceding siblings ...)
2026-04-12 17:04 ` [PATCH 3/5] dt-bindings: firmware: Add Arm FF-A binding Sudeep Holla
@ 2026-04-12 17:04 ` Sudeep Holla
2026-04-12 17:04 ` [PATCH 5/5] arm64: dts: arm: fvp-base-revc: Add FF-A notification interrupt Sudeep Holla
4 siblings, 0 replies; 10+ messages in thread
From: Sudeep Holla @ 2026-04-12 17:04 UTC (permalink / raw)
To: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Marc Zyngier,
devicetree, linux-kernel, linux-arm-kernel, Sudeep Holla

Use the standard interrupts property from the arm,ffa node instead of
synthesizing a GIC mapping directly.

Require the "arm,ffa" device node to describe exactly one interrupt,
validate that its affinity spans cpu_possible_mask so the interrupt is
per-CPU, and then cross-check the mapped hwirq against the interrupt
ID returned by FFA_FEATURES.

This removes the FF-A driver's direct arm,gic-v3 lookup and raw
irq_create_of_mapping() usage while still keeping the DT description in
sync with the firmware-reported interrupt.

Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 53 +++++++++++++++++++++++++++++----------
1 file changed, 40 insertions(+), 13 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index f2f94d4d533e..7a3800a55dc1 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -1821,6 +1821,45 @@ static void ffa_sched_recv_irq_work_fn(struct work_struct *work)
ffa_notification_info_get();
}
+static int ffa_dt_map_irq(int intid)
+{
+ struct device_node *ffa __free(device_node) = NULL;
+ const struct cpumask *affinity;
+ struct irq_data *irqd;
+ int count, irq;
+
+ ffa = of_find_compatible_node(NULL, NULL, "arm,ffa");
+ if (!ffa)
+ return -ENXIO;
+
+ count = of_irq_count(ffa);
+ if (count <= 0)
+ return count ? count : -ENXIO;
+
+ if (count != 1) {
+ pr_err("FF-A currently supports exactly one interrupt\n");
+ return -EINVAL;
+ }
+
+ affinity = of_irq_get_affinity(ffa, 0);
+ if (!affinity || !cpumask_equal(affinity, cpu_possible_mask)) {
+ pr_err("FF-A currently supports only SGIs/PPIs\n");
+ return -EINVAL;
+ }
+
+ irq = of_irq_get(ffa, 0);
+ if (irq <= 0)
+ return irq ? irq : -ENXIO;
+
+ irqd = irq_get_irq_data(irq);
+ if (!irqd || irqd_to_hwirq(irqd) != intid) {
+ irq_dispose_mapping(irq);
+ return -EINVAL;
+ }
+
+ return irq;
+}
+
static int ffa_irq_map(u32 id)
{
char *err_str;
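Review bot: in ffa_dt_map_irq(), the final check `irqd_to_hwirq(irqd) != intid` returns -EINVAL without logging anything, although it is the one failure that means the device tree and the firmware disagree about the notification interrupt. A pr_err() that prints both the DT hwirq and the FFA_FEATURES ID would make that mismatch diagnosable. The message on the affinity check ("supports only SGIs/PPIs") also does not describe what was tested, which is that of_irq_get_affinity() returned a mask equal to cpu_possible_mask; consider wording it in those terms. Minor style point: `ffa` is declared with __free(device_node) as NULL and assigned a few lines later; declaring it at the of_find_compatible_node() call keeps the cleanup variable initialised where it is defined.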
@@ -1842,19 +1881,7 @@ static int ffa_irq_map(u32 id)
}
if (acpi_disabled) {
- struct of_phandle_args oirq = {};
- struct device_node *gic;
-
- /* Only GICv3 supported currently with the device tree */
- gic = of_find_compatible_node(NULL, NULL, "arm,gic-v3");
- if (!gic)
- return -ENXIO;
-
- oirq.np = gic;
- oirq.args_count = 1;
- oirq.args[0] = intid;
- irq = irq_create_of_mapping(&oirq);
- of_node_put(gic);
+ irq = ffa_dt_map_irq(intid);
#ifdef CONFIG_ACPI
} else {
irq = acpi_register_gsi(NULL, intid, ACPI_EDGE_SENSITIVE,
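Review bot: with the "arm,gic-v3" lookup removed from ffa_irq_map(), a device tree that has no "arm,ffa" node now gets -ENXIO from ffa_dt_map_irq(), where the removed code attempted a mapping of the FFA_FEATURES ID through the GIC node. The commit message does not say whether existing DTs without the new node are expected to stop getting a notification interrupt; either keep a fallback for that case or state the behaviour change explicitly.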
--
2.43.0
* [PATCH 5/5] arm64: dts: arm: fvp-base-revc: Add FF-A notification interrupt
2026-04-12 17:04 [PATCH 0/5] firmware/irqchip: Add FF-A DT interrupt support for donated NS SGIs Sudeep Holla
` (3 preceding siblings ...)
2026-04-12 17:04 ` [PATCH 4/5] firmware: arm_ffa: Use device node interrupts property for IRQ lookup Sudeep Holla
@ 2026-04-12 17:04 ` Sudeep Holla
4 siblings, 0 replies; 10+ messages in thread
From: Sudeep Holla @ 2026-04-12 17:04 UTC (permalink / raw)
To: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Marc Zyngier,
devicetree, linux-kernel, linux-arm-kernel, Sudeep Holla
Add an arm,ffa firmware node describing the FF-A notification
interrupt on SGI 8.
Also mark SGI 8 as donated to the non-secure world in the GICv3
node so the interrupt specifier is accepted by the donated-SGI DT
support.
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
arch/arm64/boot/dts/arm/fvp-base-revc.dts | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm64/boot/dts/arm/fvp-base-revc.dts b/arch/arm64/boot/dts/arm/fvp-base-revc.dts
index 68a69f17e93d..87189b32e38d 100644
--- a/arch/arm64/boot/dts/arm/fvp-base-revc.dts
+++ b/arch/arm64/boot/dts/arm/fvp-base-revc.dts
@@ -40,6 +40,11 @@ psci {
method = "smc";
};
+ ffa {
+ compatible = "arm,ffa";
+ interrupts = <GIC_SGI 8 IRQ_TYPE_EDGE_RISING>;
+ };
+
cpus {
#address-cells = <2>;
#size-cells = <0>;
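Review bot: the SGI number in `interrupts = <GIC_SGI 8 IRQ_TYPE_EDGE_RISING>;` is fixed in the DTS, but patch 4/5 fails the mapping with -EINVAL when the mapped hwirq differs from the ID returned by FFA_FEATURES. A comment on the ffa node saying that 8 has to match what the secure firmware on this platform reports would help anyone who changes the firmware configuration and then finds notifications no longer set up.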
@@ -224,6 +229,7 @@ gic: interrupt-controller@2f000000 {
#interrupt-cells = <3>;
#address-cells = <2>;
#size-cells = <2>;
+ arm,secure-donated-ns-sgi-ranges = <8 1>;
ranges;
interrupt-controller;
reg = <0x0 0x2f000000 0 0x10000>, // GICD
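Review bot: `arm,secure-donated-ns-sgi-ranges = <8 1>;` carries the same SGI number as the ffa node added earlier in this file, with nothing tying the two together. A short comment naming the consumer (the FF-A notification interrupt) would keep the donated range and the interrupt specifier from drifting apart when one of them is edited.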
--
2.43.0