[PATCH v2 7/7] arm: mach-k3: r5: common: Add support to boot HSM M4 core

Beleswar Prasad Padhi b-padhi at ti.com
Tue May 6 16:36:06 CEST 2025 

Hi Andrew,

On 5/6/2025 4:36 PM, Andrew Davis wrote:
> On 5/6/25 5:42 AM, Beleswar Padhi wrote:
>> The tispl.bin fit image is packed with the HSM firmware image. Populate
>> the "os" info of the image so that it can be detected and used to load
>> the HSM core. Further, invoke the load and boot of HSM core at R5 SPL
>> stage. Boot flow for HSM M4 core is as below:
>>
>> 1. Request control of HSM M4F remote processor.
>> 2. Assert Reset on the HSM M4F remote processor.
>> 3. For HS devices, Request Secure Entity to Authenticate and Load HSM
>>     firmware into core's internal SRAM memory region. For GP devices,
>>     load the unsigned firmware manually.
>> 4. Deassert Reset on the HSM M4F remote processor.
>> 5. Release control of HSM M4F remote processor.
>>
>> Signed-off-by: Beleswar Padhi <b-padhi at ti.com>
>> ---
>> v2: Changelog:
>> 1. Hang system boot if HSM firmware failed to boot.
>> 2. __maybe_unused to decrease preprocessor usage.
>> 3. Better error messages with return code.
>> 4. Added Error case in if-elseif-else ladder.
>>
>> Note:
>> #define PROC_ID_HSM_M4F seems to have extra tab in the diff/patch.
>> But when patch gets applied in file, all of them have consistent
>> tabs.
>>
>> Link to v1:
>> https://lore.kernel.org/all/18e01808-499d-4690-995a-45ac5fd727d9@ti.com
>>
>>   arch/arm/mach-k3/r5/common.c | 84 +++++++++++++++++++++++++++++++++++-
>>   1 file changed, 83 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/arm/mach-k3/r5/common.c b/arch/arm/mach-k3/r5/common.c
>> index 81fc67a0023..1aa3869cec2 100644
>> --- a/arch/arm/mach-k3/r5/common.c
>> +++ b/arch/arm/mach-k3/r5/common.c
>> @@ -15,9 +15,14 @@
>>   #include <spl.h>
>>   #include <remoteproc.h>
>>   #include <elf.h>
>> +#include <cpu_func.h>
>>     #include "../common.h"
>>   +#define PROC_BOOT_CTRL_RESET_FLAG_HSM_M4    0x00000001
>> +#define HSM_SRAM0_0_ADDR            0x43C00000
>> +#define PROC_ID_HSM_M4F                0x00000080
>> +
>>   #if IS_ENABLED(CONFIG_SYS_K3_SPL_ATF)
>>   enum {
>>       IMAGE_ID_ATF,
>> @@ -27,6 +32,7 @@ enum {
>>       IMAGE_ID_TIFSSTUB_HS,
>>       IMAGE_ID_TIFSSTUB_FS,
>>       IMAGE_ID_T,
>
> The above line looks to be a typo, must have been meant to be 
> IMAGE_ID_TIFSSTUB_GP.
>
> I know this series didn't introduce this typo, but could you fix it in 
> this series
> since you touch lines around it and use it in patch [6/7]. That way we 
> don't get
> any merge conflicts if fixed in standalone patch.


Sure, I will fix that in PATCH 6/7.

>
>> +    IMAGE_ID_HSM,
>>       IMAGE_AMT,
>>   };
>>   @@ -39,6 +45,7 @@ static const char *image_os_match[IMAGE_AMT] = {
>>       "tifsstub-hs",
>>       "tifsstub-fs",
>>       "tifsstub-gp",
>> +    "hsm",
>>   };
>>   #endif
>>   @@ -136,6 +143,73 @@ void release_resources_for_core_shutdown(void)
>>       }
>>   }
>>   +static int __maybe_unused boot_hsm_core(void)
>> +{
>> +    struct ti_sci_handle *ti_sci = get_ti_sci_handle();
>> +    struct ti_sci_proc_ops *proc_ops = &ti_sci->ops.proc_ops;
>> +    u64 hsm_image_addr;
>> +    u32 hsm_image_size;
>> +    int device_type, ret;
>> +
>> +    hsm_image_addr = (u64)fit_image_info[IMAGE_ID_HSM].load;
>> +    hsm_image_size = (u32)fit_image_info[IMAGE_ID_HSM].image_len;
>> +
>> +    /* Request Control of Remote Processor */
>> +    ret = proc_ops->proc_request(ti_sci, PROC_ID_HSM_M4F);
>> +    if (ret) {
>> +        printf("Unable to request HSM processor control: %d\n", ret);
>> +        return ret;
>> +    }
>> +
>> +    /* Put the remote processor into reset */
>> +    ret = proc_ops->set_proc_boot_ctrl(ti_sci, PROC_ID_HSM_M4F,
>> +                       PROC_BOOT_CTRL_RESET_FLAG_HSM_M4, 0);
>> +    if (ret) {
>> +        printf("Unable to Halt HSM core: %d\n", ret);
>> +        goto release_proc_ctrl;
>> +    }
>> +
>> +    /*
>> +     * Load the HSM firmware into core's internal memory.
>> +     *
>> +     * In case of HS device types, request secure entity to 
>> authenticate and
>> +     * load the HSM firmware into the core memory.
>> +     * In case of GP device types, copy the HSM firmware into the core
>> +     * memory manually.
>> +     */
>> +    device_type = get_device_type();
>> +    if (device_type == K3_DEVICE_TYPE_HS_SE ||
>> +        device_type == K3_DEVICE_TYPE_HS_FS) {
>> +        ret = proc_ops->proc_auth_boot_image(ti_sci, &hsm_image_addr,
>> +                             &hsm_image_size);
>
> Could you use ti_secure_image_post_process() here? It should be able 
> to replace
> a bunch of the surrounding code too. If it returns without modifying 
> &size the
> you can go down the GP path.
>
> ti_secure_image_post_process() also flushes the image out of caches 
> before
> the TI-SCI call, without that there are cases where the image will not be
> readable by the TIFS core.


Thanks, that's cleaner, will do. Will wait for more reviews before 
re-spinning.

Thanks,
Beleswar

>
> Andrew
>
>> +        if (ret) {
>> +            printf("Unable to Authenticate and Boot HSM image; ret = 
>> %d\n",
>> +                   ret);
>> +            goto release_proc_ctrl;
>> +        }
>> +    } else if (device_type == K3_DEVICE_TYPE_GP) {
>> +        debug("Loading HSM GP binary into SRAM0_0\n");
>> +        memcpy((void *)HSM_SRAM0_0_ADDR, (void *)(u32)hsm_image_addr,
>> +               hsm_image_size);
>> +        flush_dcache_range(HSM_SRAM0_0_ADDR,
>> +                   HSM_SRAM0_0_ADDR + hsm_image_size);
>> +    } else {
>> +        printf("Invalid Device Type\n");
>> +        return -EINVAL;
>> +    }
>> +
>> +    /* Release the reset from the remote processor*/
>> +    ret = proc_ops->set_proc_boot_ctrl(ti_sci, PROC_ID_HSM_M4F, 0,
>> +                       PROC_BOOT_CTRL_RESET_FLAG_HSM_M4);
>> +    if (ret)
>> +        printf("Unable to Run HSM core: %d\n", ret);
>> +
>> +release_proc_ctrl:
>> +    /* Release Control of Remote Processor */
>> +    proc_ops->proc_release(ti_sci, PROC_ID_HSM_M4F);
>> +    return ret;
>> +}
>> +
>>   void __noreturn jump_to_image_no_args(struct spl_image_info 
>> *spl_image)
>>   {
>>       typedef void __noreturn (*image_entry_noargs_t)(void);
>> @@ -157,6 +231,14 @@ void __noreturn jump_to_image_no_args(struct 
>> spl_image_info *spl_image)
>>                        &loadaddr);
>>       }
>>   +#if IS_ENABLED(CONFIG_K3_HSM_FW)
>> +    ret = boot_hsm_core();
>> +    if (ret)
>> +        panic("HSM core failed to boot, %d\n", ret);
>> +    else
>> +        printf("Successfully booted HSM core\n");
>> +#endif
>> +
>>       /*
>>        * It is assumed that remoteproc device 1 is the corresponding
>>        * Cortex-A core which runs ATF. Make sure DT reflects the same.
>> @@ -388,7 +470,7 @@ void board_fit_image_post_process(const void 
>> *fit, int node, void **p_image,
>>        * Only DM and the DTBs are being authenticated here,
>>        * rest will be authenticated when A72 cluster is up
>>        */
>> -    if ((i != IMAGE_ID_ATF) && (i != IMAGE_ID_OPTEE)) {
>> +    if (i != IMAGE_ID_ATF && i != IMAGE_ID_OPTEE && i != 
>> IMAGE_ID_HSM) {
>>           ti_secure_image_check_binary(p_image, p_size);
>>           ti_secure_image_post_process(p_image, p_size);
>>       } else {

More information about the U-Boot mailing list