[PATCH v6 4/8] binman: j721e: Add firewall configurations

Manorit Chawdhry m-chawdhry at ti.com
Thu Dec 7 08:27:06 CET 2023 

Hi Andrew,

On 10:23-20231206, Andrew Davis wrote:
> On 12/6/23 3:51 AM, Manorit Chawdhry wrote:
> > The following commits adds the configuration of firewalls required to
> > protect ATF and OP-TEE memory region from non-secure reads and
> > writes using master and slave firewalls present in our K3 SOCs.
> > 
> > Signed-off-by: Manorit Chawdhry <m-chawdhry at ti.com>
> > ---
> >   arch/arm/dts/k3-j721e-binman.dtsi | 196 ++++++++++++++++++++++++++++++++++++++
> >   1 file changed, 196 insertions(+)
> > 
> > diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
> > index 5ddb474e3a41..f428aa81a6c1 100644
> > --- a/arch/arm/dts/k3-j721e-binman.dtsi
> > +++ b/arch/arm/dts/k3-j721e-binman.dtsi
> > @@ -146,6 +146,202 @@
> >   		fit {
> >   			images {
> > +				atf {
> > +					ti-secure {
> > +						auth-in-place = <0xa02>;
> > +
> > +						firewall-257-0 {
> > +							/* cpu_0_cpu_0_msmc Background Firewall */
> > +							id = <257>;
> > +							region = <0>;
> > +							control = <(FWCTRL_EN | FWCTRL_LOCK |
> > +										FWCTRL_BG | FWCTRL_CACHE)>;
> > +							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
> > +											FWPERM_SECURE_PRIV_RWCD |
> > +											FWPERM_SECURE_USER_RWCD |
> > +											FWPERM_NON_SECURE_PRIV_RWCD |
> > +											FWPERM_NON_SECURE_USER_RWCD)>;
> > +							start_address = <0x0 0x0>;
> > +							end_address = <0xff 0xffffffff>;
> > +						};
> > +
> > +						firewall-257-1 {
> > +							/* cpu_0_cpu_0_msmc Foreground Firewall */
> > +							id = <257>;
> > +							region = <1>;
> > +							control = <(FWCTRL_EN | FWCTRL_LOCK |
> > +										FWCTRL_CACHE)>;
> > +							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
> > +											FWPERM_SECURE_PRIV_RWCD |
> > +											FWPERM_SECURE_USER_RWCD)>;
> > +							start_address = <0x0 0x70000000>;
> 
> 7 levels of indentation, impressive :)

Couldn't figure out a better way..

> 
> This start address should always match CONFIG_K3_ATF_LOAD_ADDR, any way
> you can just use that here?

I am hesitant to use that tbh... slave firewalls are also being
configured and changing the ATF address just directly and thinking
everything can work as is is not the way firewalling is going forward
with, any other better suggestion as to how I can handle that?

> 
> Also this seems like a lot to add for each SoC, and much of it looks similar
> (at least for Jacinto class devices), could be an opportunity for templating.
> 

Just talked to Neha about this, have some insights and will try them for
next revision if they work well. Thanks!

Regards,
Manorit

> Andrew
> 
> > +							end_address = <0x0 0x7001ffff>;
> > +						};

More information about the U-Boot mailing list