[U-Boot] [PATCH v5 7/7] efi_loader: Declare secure memory as reserved

york sun york.sun at nxp.com
Sat Oct 15 18:58:13 CEST 2016


On 10/15/2016 03:03 AM, Alexander Graf wrote:
> Some systems may implemente TrustZone (EL3) in U-Boot. Those systems
> reserve some memory that U-Boot is aware of as secure.
>
> For those systems, mask out that secure memory in the EFI memory map,
> as it's not usable from EL2 or EL1.
>
> Signed-off-by: Alexander Graf <agraf at suse.de>
>
> ---
>
> v4 -> v5:
>
>   - Use gd->arch.secure_ram
> ---
>  lib/efi_loader/efi_memory.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c
> index 95aa590..4966e48 100644
> --- a/lib/efi_loader/efi_memory.c
> +++ b/lib/efi_loader/efi_memory.c
> @@ -474,5 +474,20 @@ int efi_memory_init(void)
>  	efi_bounce_buffer = (void*)(uintptr_t)efi_bounce_buffer_addr;
>  #endif
>
> +#ifdef CONFIG_SYS_MEM_RESERVE_SECURE
> +	/* Declare secure ram as reserved */
> +        if (gd->arch.secure_ram & MEM_RESERVE_SECURE_SECURED) {
> +		uint64_t secure_start = gd->arch.secure_ram;
> +		uint64_t secure_pages = CONFIG_SYS_MEM_RESERVE_SECURE;
> +
> +		secure_start &= MEM_RESERVE_SECURE_ADDR_MASK;
> +		secure_start &= ~EFI_PAGE_MASK;
> +		secure_pages = (secure_pages + EFI_PAGE_MASK) >> EFI_PAGE_SHIFT;
> +
> +		efi_add_memory_map(secure_start, secure_pages,
> +				   EFI_RESERVED_MEMORY_TYPE, false);
> +        }
> +#endif
> +
>  	return 0;
>  }
>

Alex,

Do you see any issue without this patch? The secure memory is not 
visible to OS. gd->ram_size is reduced to hide the secure memory.

York


More information about the U-Boot mailing list