[PATCH 20/20] arm: dts: k3-j7200: Extend firewall for ATF region to TIFS
Richard GENOUD
richard.genoud at bootlin.com
Mon Jun 1 09:44:47 CEST 2026
On 30/04/2026 at 19:28, Andrew Davis wrote:
> On 4/30/26 3:44 AM, Richard Genoud (TI) wrote:
>> From: Prasanth Babu Mantena <p-mantena at ti.com>
>>
>> Extend the access to SRAM region of ATF to TIFS as well. This is
>> needed for TIFS for encryption and decryption of ATF as a part of
>> low power mode sequence. TIFS encrypts the ATF while entering into
>> low power mode and decrypts it back while resuming back.
>> So, giving permissions for TIFS to access this region.
>>
>> Signed-off-by: Prasanth Babu Mantena <p-mantena at ti.com>
>> ---
>> arch/arm/dts/k3-binman.dtsi | 18 ++++++++++++++++--
>> arch/arm/dts/k3-j7200-binman.dtsi | 4 ++--
>> arch/arm/dts/k3-security.h | 1 +
>> 3 files changed, 19 insertions(+), 4 deletions(-)
>>
>> diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
>> index 0fd93f9536a2..4ffd8ec9e1c1 100644
>> --- a/arch/arm/dts/k3-binman.dtsi
>> +++ b/arch/arm/dts/k3-binman.dtsi
>> @@ -479,7 +479,21 @@
>> start_address = <0x0 CONFIG_K3_ATF_LOAD_ADDR>;
>> end_address = <0x0 (CONFIG_K3_ATF_LOAD_ADDR + 0x1ffff)>;
>> };
>> - firewall_armv8_optee_fg: template-8 {
>> + firewall_armv8_atf_tifs_fg: template-8 {
>> + control = <(FWCTRL_EN | FWCTRL_LOCK |
>> + FWCTRL_CACHE)>;
>> + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
>> + FWPERM_SECURE_PRIV_RWCD |
>> + FWPERM_SECURE_USER_RWCD)>,
>> + <((FWPRIVID_TIFS << FWPRIVID_SHIFT) |
>> + FWPERM_SECURE_PRIV_RWCD |
>> + FWPERM_SECURE_USER_RWCD |
>> + FWPERM_NON_SECURE_PRIV_RWCD |
>> + FWPERM_NON_SECURE_USER_RWCD)>;
>> + start_address = <0x0 0x70000000>;
>
> Should this be using CONFIG_K3_ATF_LOAD_ADDR like the other templates?
Yes definitely.
>
> Might be easier to just update the existing `firewall_armv8_atf_fg`
> template to also always allow TIFS. TIFS is the security root and
> if it really wanted to it could just update firewalls to let itself
> in, not like anything is really protected from TIFS to begin with.
> (if we are not locking the firewalls that is)
Indeed, I'll change that.
Thanks!
>
> Andrew
>
>> + end_address = <0x0 0x7001ffff>;
>> + };
>> + firewall_armv8_optee_fg: template-9 {
>> control = <(FWCTRL_EN | FWCTRL_LOCK |
>> FWCTRL_CACHE)>;
>> permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
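Review bot: In the new firewall_armv8_atf_tifs_fg template, the FWPRIVID_TIFS permission entry also sets FWPERM_NON_SECURE_PRIV_RWCD and FWPERM_NON_SECURE_USER_RWCD, while the FWPRIVID_ARMV8 entry for the same region is secure-only and the commit message gives no reason for non-secure access to the ATF SRAM. If secure access is enough for the encrypt/decrypt step, drop the two non-secure flags; otherwise say in the commit message why they are required. The range is also hard-coded as 0x70000000 to 0x7001ffff, where the template directly above uses CONFIG_K3_ATF_LOAD_ADDR and (CONFIG_K3_ATF_LOAD_ADDR + 0x1ffff), so the firewall would stop tracking a changed load address; use the same expressions here.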
>> @@ -489,7 +503,7 @@
>> end_address = <0x0 (CONFIG_K3_OPTEE_LOAD_ADDR + 0x17fffff)>;
>> };
>> - ti_falcon_template: template-9 {
>> + ti_falcon_template: template-10 {
>> filename = "tifalcon.bin";
>> pad-byte = <0xff>;
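Review bot: The rename of ti_falcon_template from template-9 to template-10 (and of the OP-TEE template from template-8 to template-9 in the previous hunk) is only needed because the new template was inserted in the middle of the numbered list. Extending the existing firewall_armv8_atf_fg template instead of adding a new one would avoid this renumbering and keep the diff limited to the permission change.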
>> diff --git a/arch/arm/dts/k3-j7200-binman.dtsi b/arch/arm/dts/k3-
>> j7200-binman.dtsi
>> index c2b86339d593..68ce4aa0ff12 100644
>> --- a/arch/arm/dts/k3-j7200-binman.dtsi
>> +++ b/arch/arm/dts/k3-j7200-binman.dtsi
>> @@ -259,7 +259,7 @@
>> firewall-4760-1 {
>> /* nb_slv0__mem0 Foreground Firewall */
>> - insert-template = <&firewall_armv8_atf_fg>;
>> + insert-template =
>> <&firewall_armv8_atf_tifs_fg>;
>> id = <4760>;
>> region = <1>;
>> };
>> @@ -272,7 +272,7 @@
>> firewall-4761-1 {
>> /* nb_slv1__mem0 Foreground Firewall */
>> - insert-template = <&firewall_armv8_atf_fg>;
>> + insert-template =
>> <&firewall_armv8_atf_tifs_fg>;
>> id = <4761>;
>> region = <1>;
>> };
>> diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h
>> index 33609caa8fb5..3e066bca6ad7 100644
>> --- a/arch/arm/dts/k3-security.h
>> +++ b/arch/arm/dts/k3-security.h
>> @@ -7,6 +7,7 @@
>> #define DTS_ARM64_TI_K3_FIREWALL_H
>> #define FWPRIVID_ALL 0xc3
>> +#define FWPRIVID_TIFS 0xca
>> #define FWPRIVID_ARMV8 1
>> #define FWPRIVID_SHIFT 16
>
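Review bot: FWPRIVID_TIFS is added as a bare 0xca with no comment saying which initiator that priv-ID identifies or where the value comes from. A one-line comment naming the source (TRM table or TIFS documentation) would let a reader verify it, since this value decides which initiator the new permission entry applies to.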