[PATCH v6 4/8] binman: j721e: Add firewall configurations
Andrew Davis
afd at ti.com
Wed Dec 6 17:23:21 CET 2023
On 12/6/23 3:51 AM, Manorit Chawdhry wrote:
> The following commit adds the configuration of firewalls required to
> protect ATF and OP-TEE memory region from non-secure reads and
> writes using master and slave firewalls present in our K3 SOCs.
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry at ti.com>
> ---
> arch/arm/dts/k3-j721e-binman.dtsi | 196 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 196 insertions(+)
>
> diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
> index 5ddb474e3a41..f428aa81a6c1 100644
> --- a/arch/arm/dts/k3-j721e-binman.dtsi
> +++ b/arch/arm/dts/k3-j721e-binman.dtsi
> @@ -146,6 +146,202 @@
>
> fit {
> images {
> + atf {
> + ti-secure {
> + auth-in-place = <0xa02>;
> +
> + firewall-257-0 {
> + /* cpu_0_cpu_0_msmc Background Firewall */
> + id = <257>;
> + region = <0>;
> + control = <(FWCTRL_EN | FWCTRL_LOCK |
> + FWCTRL_BG | FWCTRL_CACHE)>;
> + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
> + FWPERM_SECURE_PRIV_RWCD |
> + FWPERM_SECURE_USER_RWCD |
> + FWPERM_NON_SECURE_PRIV_RWCD |
> + FWPERM_NON_SECURE_USER_RWCD)>;
> + start_address = <0x0 0x0>;
> + end_address = <0xff 0xffffffff>;
> + };
> +
> + firewall-257-1 {
> + /* cpu_0_cpu_0_msmc Foreground Firewall */
> + id = <257>;
> + region = <1>;
> + control = <(FWCTRL_EN | FWCTRL_LOCK |
> + FWCTRL_CACHE)>;
> + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
> + FWPERM_SECURE_PRIV_RWCD |
> + FWPERM_SECURE_USER_RWCD)>;
> + start_address = <0x0 0x70000000>;

7 levels of indentation, impressive :)

This start address should always match CONFIG_K3_ATF_LOAD_ADDR, any way
you can just use that here?

Also this seems like a lot to add for each SoC, and much of it looks similar
(at least for Jacinto class devices), could be an opportunity for templating.

Andrew

> + end_address = <0x0 0x7001ffff>;
> + };
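
Review bot: in firewall-257-1 the end_address of <0x0 0x7001ffff> hard-codes a 128 KiB window above 0x70000000, and the region is also marked FWCTRL_LOCK, so a literal that falls out of step with the ATF image size or load address would leave part of the image covered only by the background region firewall-257-0, which grants FWPERM_NON_SECURE_PRIV_RWCD and FWPERM_NON_SECURE_USER_RWCD to FWPRIVID_ALL over the whole 0x0 to 0xff 0xffffffff range. Consider deriving both bounds from the ATF load address plus a named size define rather than literals, and add a short comment on auth-in-place = <0xa02> saying what the value encodes, since it is the one undocumented magic number in the node.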