On 12/6/23 3:51 AM, Manorit Chawdhry wrote:
The following commit adds the configuration of firewalls required to
protect ATF and OP-TEE memory region from non-secure reads and
writes using master and slave firewalls present in our K3 SOCs.
Signed-off-by: Manorit Chawdhry <m-chawd...@ti.com>
---
arch/arm/dts/k3-j721e-binman.dtsi | 196 ++++++++++++++++++++++++++++++++++++++
1 file changed, 196 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi
b/arch/arm/dts/k3-j721e-binman.dtsi
index 5ddb474e3a41..f428aa81a6c1 100644
--- a/arch/arm/dts/k3-j721e-binman.dtsi
+++ b/arch/arm/dts/k3-j721e-binman.dtsi
@@ -146,6 +146,202 @@
fit {
images {
+ atf {
+ ti-secure {
+ auth-in-place = <0xa02>;
+
+ firewall-257-0 {
+ /* cpu_0_cpu_0_msmc
Background Firewall */
+ id = <257>;
+ region = <0>;
+ control = <(FWCTRL_EN |
FWCTRL_LOCK |
+
FWCTRL_BG | FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ALL
<< FWPRIVID_SHIFT) |
+
FWPERM_SECURE_PRIV_RWCD |
+
FWPERM_SECURE_USER_RWCD |
+
FWPERM_NON_SECURE_PRIV_RWCD |
+
FWPERM_NON_SECURE_USER_RWCD)>;
+ start_address = <0x0
0x0>;
+ end_address = <0xff
0xffffffff>;
+ };
+
+ firewall-257-1 {
+ /* cpu_0_cpu_0_msmc
Foreground Firewall */
+ id = <257>;
+ region = <1>;
+ control = <(FWCTRL_EN |
FWCTRL_LOCK |
+
FWCTRL_CACHE)>;
+ permissions =
<((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+
FWPERM_SECURE_PRIV_RWCD |
+
FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0
0x70000000>;

7 levels of indentation, impressive :)

This start address should always match CONFIG_K3_ATF_LOAD_ADDR, any way
you can just use that here?

Also this seems like a lot to add for each SoC, and much of it looks similar
(at least for Jacinto class devices), could be an opportunity for templating.

Andrew

+ end_address = <0x0
0x7001ffff>;
+ };
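
Review bot: In firewall-257-1 the end_address of <0x0 0x7001ffff> hard-codes a 128 KiB window above 0x70000000 with no comment saying what that size corresponds to, while FWCTRL_LOCK in the same node's control suggests the region is fixed once programmed. If the ATF image or its reserved memory ever exceeds that window, the tail would fall under the firewall-257-0 background region, which grants FWPERM_NON_SECURE_PRIV_RWCD and FWPERM_NON_SECURE_USER_RWCD across 0x0 to 0xff 0xffffffff. Consider deriving both bounds from a single load address and size definition, and adding a comment that states the protected size and why only FWPRIVID_ARMV8 is allowed in the foreground region.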