[RFC PATCH 2/2] binman: j721e: Add firewall configurations for atf
Manorit Chawdhry
m-chawdhry at ti.com
Tue Sep 5 10:21:35 CEST 2023
The following commit adds the configuration of firewalls required to
protect the ATF and OP-TEE memory regions from non-secure reads and
writes, using the master and slave firewalls present in our K3 SoCs.
Signed-off-by: Manorit Chawdhry <m-chawdhry at ti.com>
---
arch/arm/dts/k3-j721e-binman.dtsi | 161 ++++++++++++++++++++++++++++++++++++++
1 file changed, 161 insertions(+)
diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
index 4f566c21a9af..0569a592597e 100644
--- a/arch/arm/dts/k3-j721e-binman.dtsi
+++ b/arch/arm/dts/k3-j721e-binman.dtsi
@@ -330,6 +330,73 @@
ti-secure {
content = <&atf>;
keyfile = "custMpk.pem";
+ auth_in_place = <0xa02>;
+
+ // cpu_0_cpu_0_msmc Background Firewall - 0
+ firewall-0 {
+ id = <257>;
+ region = <0>;
+ control = <0x31a>;
+ permissions = <0xc3ffff>;
+ start_address = <0x0 0x0>;
+ end_address = <0xff 0xffffffff>;
+ };
+
+ // cpu_0_cpu_0_msmc Foreground Firewall
+ firewall-1 {
+ id = <257>;
+ region = <1>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
+
+ // dru_0_msmc Background Firewall - 0
+ firewall-4 {
+ id = <284>;
+ region = <0>;
+ control = <0x31a>;
+ permissions = <0xc3ffff>;
+ start_address = <0x0 0x0>;
+ end_address = <0xff 0xffffffff>;
+ };
+
+ // dru_0_msmc Foreground Firewall
+ firewall-5 {
+ id = <284>;
+ region = <1>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
+
+ // Slave Background Firewall - 0
+ // Already configured by secure entity
+
+ // Slave Foreground Firewall
+ firewall-7 {
+ id = <4760>;
+ region = <1>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
+
+ // Slave Background Firewall - 0
+ // Already configured by secure entity
+
+ // Slave Foreground Firewall
+ firewall-9 {
+ id = <4761>;
+ region = <1>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
};
atf: atf-bl31 {
};
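Review bot: The `control` and `permissions` cells in every `firewall-N` node of this hunk are bare hex values, so a reader cannot audit from the file that the foreground regions actually deny non-secure reads and writes. A short legend above `firewall-0` would fix that, e.g. `// control: 0x1a = foreground region, 0x31a = background region; permissions: <priv-id | access bits>`, with the exact bit meanings taken from the firewall documentation rather than from this sketch. The foreground window `0x70000000`–`0x7001ffff` is repeated in four nodes and presumably has to track the ATF load address and size defined elsewhere; a comment stating that coupling would help, since a change on either side would leave part of ATF outside the protected range without any build error. The two `// Slave Foreground Firewall` comments (ids 4760 and 4761) should also name the slave interface each one guards, as the master entries already do.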
@@ -346,6 +413,100 @@
ti-secure {
content = <&tee>;
keyfile = "custMpk.pem";
+ auth_in_place = <0xa02>;
+
+ // cpu_0_cpu_0_msmc Background Firewall - 0
+ // configured during ATF Firewalling
+
+ // cpu_0_cpu_0_msmc Foreground Firewall - 1
+ // configured during ATF Firewalling
+
+ // cpu_0_cpu_0_msmc Foreground Firewall - 2
+ firewall-1 {
+ id = <257>;
+ region = <2>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
+ // dru_0_msmc Background Firewall - 0
+ // configured during ATF Firewalling
+
+ // dru_0_msmc Foreground Firewall - 1
+ // configured during ATF Firewalling
+
+ // dru_0_msmc Foreground Firewall - 2
+ firewall-5 {
+ id = <284>;
+ region = <2>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
+ // Slave Background Firewall - 0
+ firewall-6 {
+ id = <4762>;
+ region = <0>;
+ control = <0x31a>;
+ permissions = <0xc3ffff>;
+ start_address = <0x0 0x80000000>;
+ end_address = <0x0 0xffffffff>;
+ };
+
+ // Slave Background Firewall - 1
+ firewall-7 {
+ id = <4762>;
+ region = <1>;
+ control = <0x31a>;
+ permissions = <0xc3ffff>;
+ start_address = <0x8 0x0>;
+ end_address = <0xf 0xffffffff>;
+ };
+
+ // Slave Foreground Firewall
+ firewall-8 {
+ id = <4762>;
+ region = <2>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
+ // Slave Background Firewall - 0
+ firewall-9 {
+ id = <4763>;
+ region = <0>;
+ control = <0x31a>;
+ permissions = <0xc3ffff>;
+ start_address = <0x0 0x80000000>;
+ end_address = <0x0 0xffffffff>;
+ };
+
+ // Slave Background Firewall - 1
+ firewall-10 {
+ id = <4763>;
+ region = <1>;
+ control = <0x31a>;
+ permissions = <0xc3ffff>;
+ start_address = <0x8 0x0>;
+ end_address = <0xf 0xffffffff>;
+ };
+
+ // Slave Foreground Firewall
+ firewall-11 {
+ id = <4763>;
+ region = <2>;
+ control = <0x1a>;
+ permissions = <0x0100ff>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
};
tee: tee-os {
};
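Review bot: In this OP-TEE section the slave background regions for ids 4762 and 4763 are programmed explicitly, while the ATF section only says `// Already configured by secure entity` for its slave background; the difference is not explained and deserves a one-line comment on why these two firewalls need their background set here. The background windows `0x80000000`–`0xffffffff` and `0x8 0x0`–`0xf 0xffffffff` and the foreground window `0x9e800000`–`0x9fffffff` are hard-coded, and presumably must match the DDR map and the OP-TEE carve-out reserved elsewhere, so a comment naming that dependency would make a later mismatch easier to spot. The comments `// Slave Background Firewall - 0` and `- 1` appear twice with no indication of which slave each id refers to, and the node names jump from `firewall-1` to `firewall-5` before running 6–11. The added blank line just before the closing `};` can be dropped.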
--
2.41.0