[RFC PATCH 2/2] binman: j721e: Add firewall configurations for atf

Manorit Chawdhry m-chawdhry at ti.com
Tue Sep 5 10:21:35 CEST 2023


The following commits adds the configuration of firewalls required to
protect ATF and OP-TEE memory region from non-secure reads and
writes using master and slave firewalls present in our K3 SOCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry at ti.com>
---
 arch/arm/dts/k3-j721e-binman.dtsi | 161 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 161 insertions(+)

diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
index 4f566c21a9af..0569a592597e 100644
--- a/arch/arm/dts/k3-j721e-binman.dtsi
+++ b/arch/arm/dts/k3-j721e-binman.dtsi
@@ -330,6 +330,73 @@
 					ti-secure {
 						content = <&atf>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						// cpu_0_cpu_0_msmc Background Firewall - 0
+						firewall-0 {
+							id = <257>;
+							region = <0>;
+							control = <0x31a>;
+							permissions = <0xc3ffff>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						// cpu_0_cpu_0_msmc Foreground Firewall
+						firewall-1 {
+							id = <257>;
+							region = <1>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						// dru_0_msmc Background Firewall - 0
+						firewall-4 {
+							id = <284>;
+							region = <0>;
+							control = <0x31a>;
+							permissions = <0xc3ffff>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						// dru_0_msmc Foreground Firewall
+						firewall-5 {
+							id = <284>;
+							region = <1>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						// Slave Background Firewall - 0
+						// Already configured by secure entity
+
+						// Slave Foreground Firewall
+						firewall-7 {
+							id = <4760>;
+							region = <1>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						// Slave Background Firewall - 0
+						// Already configured by secure entity
+
+						// Slave Foreground Firewall
+						firewall-9 {
+							id = <4761>;
+							region = <1>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
 					};
 					atf: atf-bl31 {
 					};
@@ -346,6 +413,100 @@
 					ti-secure {
 						content = <&tee>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						// cpu_0_cpu_0_msmc Background Firewall - 0
+						// configured during ATF Firewalling
+
+						// cpu_0_cpu_0_msmc Foreground Firewall - 1
+						// configured during ATF Firewalling
+
+						// cpu_0_cpu_0_msmc Foreground Firewall - 2
+						firewall-1 {
+							id = <257>;
+							region = <2>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						// dru_0_msmc Background Firewall - 0
+						// configured during ATF Firewalling
+
+						// dru_0_msmc Foreground Firewall - 1
+						// configured during ATF Firewalling
+
+						// dru_0_msmc Foreground Firewall - 2
+						firewall-5 {
+							id = <284>;
+							region = <2>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						// Slave Background Firewall - 0
+						firewall-6 {
+							id = <4762>;
+							region = <0>;
+							control = <0x31a>;
+							permissions = <0xc3ffff>;
+							start_address = <0x0 0x80000000>;
+							end_address = <0x0 0xffffffff>;
+						};
+
+						// Slave Background Firewall - 1
+						firewall-7 {
+							id = <4762>;
+							region = <1>;
+							control = <0x31a>;
+							permissions = <0xc3ffff>;
+							start_address = <0x8 0x0>;
+							end_address = <0xf 0xffffffff>;
+						};
+
+						// Slave Foreground Firewall
+						firewall-8 {
+							id = <4762>;
+							region = <2>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						// Slave Background Firewall - 0
+						firewall-9 {
+							id = <4763>;
+							region = <0>;
+							control = <0x31a>;
+							permissions = <0xc3ffff>;
+							start_address = <0x0 0x80000000>;
+							end_address = <0x0 0xffffffff>;
+						};
+
+						// Slave Background Firewall - 1
+						firewall-10 {
+							id = <4763>;
+							region = <1>;
+							control = <0x31a>;
+							permissions = <0xc3ffff>;
+							start_address = <0x8 0x0>;
+							end_address = <0xf 0xffffffff>;
+						};
+
+						// Slave Foreground Firewall
+						firewall-11 {
+							id = <4763>;
+							region = <2>;
+							control = <0x1a>;
+							permissions = <0x0100ff>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
 					};
 					tee: tee-os {
 					};

-- 
2.41.0



More information about the U-Boot mailing list