[U-Boot] [PATCH 0/5] Secure EMIF firewall and memory reservation on DRA7xx/AM57x devices

Daniel Allred d-allred at ti.com
Fri Sep 2 07:40:19 CEST 2016


These patches add secure memory reservations and EMIF firewall config to SDRAM
init code. The reservation and firewall config is done using PPA installed HAL APIs,
so they are not common to all platforms (so they are put in omap5 path instead of
omap-common).

With these patches applied, a secure memory reservation can be specified with the
following configs:

    CONFIG_TI_SECURE_EMIF_REGION_START - start location of region. If it is
        not specified, then the region will be placed at the end of the SDRAM.
    CONFIG_TI_SECURE_EMIF_TOTAL_REGION_SIZE - total size of complete region
    CONFIG_TI_SECURE_EMIF_PROTECTED_REGION_SIZE - size (less than total) made
        secure using secure firewalls. The secured region begins at the start
        location (it comes first), and anything left over will be non-secure
        but still reserved from use by u-boot and the kernel

The secure_emif_reserve() API will make use of the above configs to make
a part of the SDRAM secure, with the lowest enforcing priority, giving access
to the ARM TrustZone world only. The secure_emif_firewall_setup() API is
also introduced. This API allows setting other EMIF firewall regions with
particular permissions (for other cores, etc). The current code does not
use this API, but it exists to help satisfy particular system requirements
that users might need.

After all the configuration is done, the secure_emif_firewall_lock() API
should be called to make the previous two APIs stop working. This is important
in order to prevent a later compromise of public supervisor code from being
able to modify the EMIF firewalls. This API is in the code, so any use of the
secure_emif_firewall_setup() API must be inserted before the lock API is called.

Daniel Allred (5):
  ti: omap5: Add Kconfig options for secure EMIF reservations
  arm: omap5: secure API for EMIF memory reservations
  ARM: DRA7: Add secure emif setup calls
  ti_omap5_common: mark region of DRAM protected on HS parts
  ARM: omap5: add fdt secure dram reservation fixup

 arch/arm/cpu/armv7/omap-common/emif-common.c |  15 ++++
 arch/arm/cpu/armv7/omap5/Kconfig             |  26 ++++++
 arch/arm/cpu/armv7/omap5/Makefile            |   1 +
 arch/arm/cpu/armv7/omap5/fdt.c               |  64 +++++++++++++-
 arch/arm/cpu/armv7/omap5/sec-fxns.c          | 126 +++++++++++++++++++++++++++
 arch/arm/include/asm/omap_sec_common.h       |  24 +++++
 include/configs/ti_omap5_common.h            |   8 ++
 7 files changed, 262 insertions(+), 2 deletions(-)
 create mode 100644 arch/arm/cpu/armv7/omap5/sec-fxns.c

-- 
2.7.4
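
Added example, not part of the original post or of the patch series: a sketch of how the three CONFIG_TI_SECURE_EMIF_* values described above map onto a secured sub-region followed by a reserved non-secure remainder, with the end-of-SDRAM default. The names emif_plan, struct emif_layout and the have_start flag are hypothetical, the SDRAM base and sizes are constructed, and accepting a protected size equal to the total is an assumption.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type: where the two sub-regions end up. */
struct emif_layout {
	uint64_t secure_start, secure_size;     /* firewalled, secure world only */
	uint64_t reserved_start, reserved_size; /* non-secure, still reserved */
};

/*
 * Hypothetical helper, not the series' secure_emif_reserve().
 * have_start == false models CONFIG_TI_SECURE_EMIF_REGION_START being unset.
 * Returns 0 on success, -1 if the region cannot be placed inside SDRAM.
 */
int emif_plan(uint64_t ram_base, uint64_t ram_size, bool have_start,
	      uint64_t region_start, uint64_t total_size,
	      uint64_t protected_size, struct emif_layout *out)
{
	if (ram_base > UINT64_MAX - ram_size)
		return -1;			/* SDRAM range would wrap */
	if (total_size == 0 || total_size > ram_size)
		return -1;
	if (protected_size > total_size)	/* assumption: equal is allowed */
		return -1;
	uint64_t ram_end = ram_base + ram_size;
	if (!have_start)
		region_start = ram_end - total_size;	/* default: end of SDRAM */
	if (region_start < ram_base || region_start > ram_end - total_size)
		return -1;			/* region falls outside SDRAM */
	out->secure_start = region_start;	/* secured part comes first */
	out->secure_size = protected_size;
	out->reserved_start = region_start + protected_size;
	out->reserved_size = total_size - protected_size;
	return 0;
}

int main(void)
{
	struct emif_layout l;
	/* Constructed sample: 2 GiB at 0x80000000, 32 MiB total, 16 MiB secure */
	if (emif_plan(0x80000000ULL, 0x80000000ULL, false, 0,
		      0x02000000ULL, 0x01000000ULL, &l))
		return 1;
	printf("secure   0x%" PRIx64 " +0x%" PRIx64 "\n", l.secure_start, l.secure_size);
	printf("reserved 0x%" PRIx64 " +0x%" PRIx64 "\n", l.reserved_start, l.reserved_size);
	return 0;
}
```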