[PATCH v7 4/9] arm: dts: k3-binman: Add k3-security.h and include it in k3-binman.dtsi

Andrew Davis afd at ti.com
Tue Jan 2 16:13:16 CET 2024 

On 12/29/23 4:46 AM, Manorit Chawdhry wrote:
> For readability during configuring firewalls, adding k3-security.h file
> and including it in k3-binman.dtsi to be accessible across K3 SoCs
> 
> Reviewed-by: Simon Glass <sjg at chromium.org>
> Signed-off-by: Manorit Chawdhry <m-chawdhry at ti.com>
> ---
>   arch/arm/dts/k3-binman.dtsi | 49 ++++++++++++++++++++++++++++++++++++++
>   arch/arm/dts/k3-security.h  | 58 +++++++++++++++++++++++++++++++++++++++++++++
>   2 files changed, 107 insertions(+)
> 
> diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
> index cd9926a01696..758c8bf6ea16 100644
> --- a/arch/arm/dts/k3-binman.dtsi
> +++ b/arch/arm/dts/k3-binman.dtsi
> @@ -3,6 +3,8 @@
>    * Copyright (C) 2022-2023 Texas Instruments Incorporated - https://www.ti.com/
>    */
>   
> +#include "k3-security.h"
> +
>   / {
>   	binman: binman {
>   		multiple-images;
> @@ -437,6 +439,53 @@
>   			};
>   		};
>   	};
> +	firewall_bg_1: template-5 {
> +		control = <(FWCTRL_EN | FWCTRL_LOCK |
> +					FWCTRL_BG | FWCTRL_CACHE)>;
> +		permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
> +						FWPERM_SECURE_PRIV_RWCD |
> +						FWPERM_SECURE_USER_RWCD |
> +						FWPERM_NON_SECURE_PRIV_RWCD |
> +						FWPERM_NON_SECURE_USER_RWCD)>;
> +		start_address = <0x0 0x0>;
> +		end_address = <0xff 0xffffffff>;
> +	};
> +	firewall_bg_3: template-6 {
> +		insert-template = <&firewall_bg_1>;
> +		permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
> +						FWPERM_SECURE_PRIV_RWCD |
> +						FWPERM_SECURE_USER_RWCD |
> +						FWPERM_NON_SECURE_PRIV_RWCD |
> +						FWPERM_NON_SECURE_USER_RWCD)>,
> +					  <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
> +						FWPERM_SECURE_PRIV_RWCD |
> +						FWPERM_SECURE_USER_RWCD |
> +						FWPERM_NON_SECURE_PRIV_RWCD |
> +						FWPERM_NON_SECURE_USER_RWCD)>,
> +					  <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
> +						FWPERM_SECURE_PRIV_RWCD |
> +						FWPERM_SECURE_USER_RWCD |
> +						FWPERM_NON_SECURE_PRIV_RWCD |
> +						FWPERM_NON_SECURE_USER_RWCD)>;
> +	};
> +	firewall_armv8_atf_fg: template-7 {
> +		control = <(FWCTRL_EN | FWCTRL_LOCK |
> +					FWCTRL_CACHE)>;
> +		permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
> +						FWPERM_SECURE_PRIV_RWCD |
> +						FWPERM_SECURE_USER_RWCD)>;
> +		start_address = <0x0 0x70000000>;

Still don't like hardcoding the ATF firewall location here, especially
since it is dynamic and we have a var for this: CONFIG_K3_ATF_LOAD_ADDR.

Not a blocker, for now..,

Reviewed-by: Andrew Davis <afd at ti.com>

> +		end_address = <0x0 0x7001ffff>;
> +	};
> +	firewall_armv8_optee_fg: template-8 {
> +		control = <(FWCTRL_EN | FWCTRL_LOCK |
> +					FWCTRL_CACHE)>;
> +		permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
> +						FWPERM_SECURE_PRIV_RWCD |
> +						FWPERM_SECURE_USER_RWCD)>;
> +		start_address = <0x0 0x9e800000>;
> +		end_address = <0x0 0x9fffffff>;
> +	};
>   
>   };
>   
> diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h
> new file mode 100644
> index 000000000000..33609caa8fb5
> --- /dev/null
> +++ b/arch/arm/dts/k3-security.h
> @@ -0,0 +1,58 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2023 Texas Instruments Incorporated - https://www.ti.com/
> + */
> +
> +#ifndef DTS_ARM64_TI_K3_FIREWALL_H
> +#define DTS_ARM64_TI_K3_FIREWALL_H
> +
> +#define FWPRIVID_ALL    0xc3
> +#define FWPRIVID_ARMV8  1
> +#define FWPRIVID_SHIFT  16
> +
> +#define FWCTRL_EN     0xA
> +#define FWCTRL_LOCK   (1 << 4)
> +#define FWCTRL_BG     (1 << 8)
> +#define FWCTRL_CACHE  (1 << 9)
> +
> +#define FWPERM_SECURE_PRIV_WRITE      (1 << 0)
> +#define FWPERM_SECURE_PRIV_READ       (1 << 1)
> +#define FWPERM_SECURE_PRIV_CACHEABLE  (1 << 2)
> +#define FWPERM_SECURE_PRIV_DEBUG      (1 << 3)
> +
> +#define FWPERM_SECURE_PRIV_RWCD       (FWPERM_SECURE_PRIV_READ | \
> +									   FWPERM_SECURE_PRIV_WRITE | \
> +									   FWPERM_SECURE_PRIV_CACHEABLE | \
> +									   FWPERM_SECURE_PRIV_DEBUG)
> +
> +#define FWPERM_SECURE_USER_WRITE      (1 << 4)
> +#define FWPERM_SECURE_USER_READ       (1 << 5)
> +#define FWPERM_SECURE_USER_CACHEABLE  (1 << 6)
> +#define FWPERM_SECURE_USER_DEBUG      (1 << 7)
> +
> +#define FWPERM_SECURE_USER_RWCD       (FWPERM_SECURE_USER_READ | \
> +									   FWPERM_SECURE_USER_WRITE | \
> +									   FWPERM_SECURE_USER_CACHEABLE | \
> +									   FWPERM_SECURE_USER_DEBUG)
> +
> +#define FWPERM_NON_SECURE_PRIV_WRITE      (1 << 8)
> +#define FWPERM_NON_SECURE_PRIV_READ       (1 << 9)
> +#define FWPERM_NON_SECURE_PRIV_CACHEABLE  (1 << 10)
> +#define FWPERM_NON_SECURE_PRIV_DEBUG      (1 << 11)
> +
> +#define FWPERM_NON_SECURE_PRIV_RWCD       (FWPERM_NON_SECURE_PRIV_READ | \
> +										   FWPERM_NON_SECURE_PRIV_WRITE | \
> +										   FWPERM_NON_SECURE_PRIV_CACHEABLE | \
> +										   FWPERM_NON_SECURE_PRIV_DEBUG)
> +
> +#define FWPERM_NON_SECURE_USER_WRITE      (1 << 12)
> +#define FWPERM_NON_SECURE_USER_READ       (1 << 13)
> +#define FWPERM_NON_SECURE_USER_CACHEABLE  (1 << 14)
> +#define FWPERM_NON_SECURE_USER_DEBUG      (1 << 15)
> +
> +#define FWPERM_NON_SECURE_USER_RWCD       (FWPERM_NON_SECURE_USER_READ | \
> +										   FWPERM_NON_SECURE_USER_WRITE | \
> +										   FWPERM_NON_SECURE_USER_CACHEABLE | \
> +										   FWPERM_NON_SECURE_USER_DEBUG)
> +
> +#endif
>

More information about the U-Boot mailing list