Hi Andrew,
On 10:23-20231206, Andrew Davis wrote:
> On 12/6/23 3:51 AM, Manorit Chawdhry wrote:
> > The following commits adds the configuration of firewalls required to
> > protect ATF and OP-TEE memory region from non-secure reads and
> > writes using master and slave firewalls present in our K3 SOCs.
> >
> > Signed-off-by: Manorit Chawdhry <m-chawd...@ti.com>
> > ---
> > arch/arm/dts/k3-j721e-binman.dtsi | 196
> > ++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 196 insertions(+)
> >
> > diff --git a/arch/arm/dts/k3-j721e-binman.dtsi
> > b/arch/arm/dts/k3-j721e-binman.dtsi
> > index 5ddb474e3a41..f428aa81a6c1 100644
> > --- a/arch/arm/dts/k3-j721e-binman.dtsi
> > +++ b/arch/arm/dts/k3-j721e-binman.dtsi
> > @@ -146,6 +146,202 @@
> > fit {
> > images {
> > + atf {
> > + ti-secure {
> > + auth-in-place = <0xa02>;
> > +
> > + firewall-257-0 {
> > + /* cpu_0_cpu_0_msmc
> > Background Firewall */
> > + id = <257>;
> > + region = <0>;
> > + control = <(FWCTRL_EN |
> > FWCTRL_LOCK |
> > +
> > FWCTRL_BG | FWCTRL_CACHE)>;
> > + permissions =
> > <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
> > +
> > FWPERM_SECURE_PRIV_RWCD |
> > +
> > FWPERM_SECURE_USER_RWCD |
> > +
> > FWPERM_NON_SECURE_PRIV_RWCD |
> > +
> > FWPERM_NON_SECURE_USER_RWCD)>;
> > + start_address = <0x0
> > 0x0>;
> > + end_address = <0xff
> > 0xffffffff>;
> > + };
> > +
> > + firewall-257-1 {
> > + /* cpu_0_cpu_0_msmc
> > Foreground Firewall */
> > + id = <257>;
> > + region = <1>;
> > + control = <(FWCTRL_EN |
> > FWCTRL_LOCK |
> > +
> > FWCTRL_CACHE)>;
> > + permissions =
> > <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
> > +
> > FWPERM_SECURE_PRIV_RWCD |
> > +
> > FWPERM_SECURE_USER_RWCD)>;
> > + start_address = <0x0
> > 0x70000000>;
>
> 7 levels of indentation, impressive :)
Couldn't figure out a better way..
>
> This start address should always match CONFIG_K3_ATF_LOAD_ADDR, any way
> you can just use that here?
I am hesitant to use that tbh... slave firewalls are also being
configured and changing the ATF address just directly and thinking
everything can work as is is not the way firewalling is going forward
with, any other better suggestion as to how I can handle that?
>
> Also this seems like a lot to add for each SoC, and much of it looks similar
> (at least for Jacinto class devices), could be an opportunity for templating.
>
Just talked to Neha about this, have some insights and will try them for
next revision if they work well. Thanks!
Regards,
Manorit
> Andrew
>
> > + end_address = <0x0
> > 0x7001ffff>;
> > + };
