[PATCH v3 5/7] arm: socfpga: n5x: switch firewall setup to driver model

Mon Jun 8 03:27:39 CEST 2026

Move the system manager and L3 interconnect firewall configuration from
a dedicated firewall_setup() function to the driver model, using
uclass_get_device_by_name(). This removes hardcoded firewall setup in
SPL and relies on the driver model, making the code more maintainable
and aligned with upstream practices.

With spl_n5x.c migrated, no in-tree SoC64 SPL file calls
firewall_setup() directly any longer. Remove the function and its
private helpers from firewall.c, drop firewall.c from the Makefile,
remove the now-unused declaration from firewall.h, and drop the stale
firewall.h include from spl_n5x.c.

Signed-off-by: Tien Fong Chee <tien.fong.chee at altera.com>
Signed-off-by: Chen Huei Lok <chen.huei.lok at altera.com>
---

Changes in v3:
- Extend to fully remove the now-dead firewall_setup() implementation:
  delete arch/arm/mach-socfpga/firewall.c, remove firewall.o from
  Makefile, remove the void firewall_setup(void) declaration from
  firewall.h, drop the now-unused struct socfpga_firwall_l4_per,
  socfpga_firwall_l4_sys, FIREWALL_L4_DISABLE_ALL, and
  FIREWALL_BRIDGE_DISABLE_ALL from firewall.h, remove stale
  #include <asm/arch/firewall.h> from spl_n5x.c

 arch/arm/mach-socfpga/Makefile                |   1 -
 arch/arm/mach-socfpga/firewall.c              | 107 ------------------
 arch/arm/mach-socfpga/include/mach/firewall.h |  69 -----------
 arch/arm/mach-socfpga/spl_n5x.c               |  13 ++-
 4 files changed, 11 insertions(+), 179 deletions(-)
 delete mode 100644 arch/arm/mach-socfpga/firewall.c

diff --git a/arch/arm/mach-socfpga/Makefile b/arch/arm/mach-socfpga/Makefile
index 962dce67c64..5e57d23657c 100644
--- a/arch/arm/mach-socfpga/Makefile
+++ b/arch/arm/mach-socfpga/Makefile
@@ -114,7 +114,6 @@ obj-y	+= wrap_pinmux_config.o
 obj-y	+= wrap_sdram_config.o
 endif
 ifdef CONFIG_ARCH_SOCFPGA_SOC64
-obj-y	+= firewall.o
 obj-y	+= spl_soc64.o
 endif
 ifdef CONFIG_ARCH_SOCFPGA_ARRIA10
diff --git a/arch/arm/mach-socfpga/firewall.c b/arch/arm/mach-socfpga/firewall.c
deleted file mode 100644
index 4dec47b8e96..00000000000
--- a/arch/arm/mach-socfpga/firewall.c
+++ /dev/null
@@ -1,107 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * Copyright (C) 2016-2019 Intel Corporation <www.intel.com>
- *
- */
-
-#include <mach/base_addr_soc64.h>
-#include <asm/io.h>
-#include <asm/arch/firewall.h>
-#include <asm/arch/system_manager.h>
-
-static void firewall_l4_per_disable(void)
-{
-	const struct socfpga_firwall_l4_per *firwall_l4_per_base =
-		(struct socfpga_firwall_l4_per *)SOCFPGA_FIREWALL_L4_PER;
-	u32 i;
-	const u32 *addr[] = {
-			&firwall_l4_per_base->nand,
-			&firwall_l4_per_base->nand_data,
-			&firwall_l4_per_base->usb0,
-			&firwall_l4_per_base->usb1,
-			&firwall_l4_per_base->spim0,
-			&firwall_l4_per_base->spim1,
-			&firwall_l4_per_base->emac0,
-			&firwall_l4_per_base->emac1,
-			&firwall_l4_per_base->emac2,
-			&firwall_l4_per_base->sdmmc,
-			&firwall_l4_per_base->gpio0,
-			&firwall_l4_per_base->gpio1,
-			&firwall_l4_per_base->i2c0,
-			&firwall_l4_per_base->i2c1,
-			&firwall_l4_per_base->i2c2,
-			&firwall_l4_per_base->i2c3,
-			&firwall_l4_per_base->i2c4,
-			&firwall_l4_per_base->timer0,
-			&firwall_l4_per_base->timer1,
-			&firwall_l4_per_base->uart0,
-			&firwall_l4_per_base->uart1
-			};
-
-	/*
-	 * The following lines of code will enable non-secure access
-	 * to nand, usb, spi, emac, sdmmc, gpio, i2c, timers and uart. This
-	 * is needed as most OS run in non-secure mode. Thus we need to
-	 * enable non-secure access to these peripherals in order for the
-	 * OS to use these peripherals.
-	 */
-	for (i = 0; i < ARRAY_SIZE(addr); i++)
-		writel(FIREWALL_L4_DISABLE_ALL, addr[i]);
-}
-
-static void firewall_l4_sys_disable(void)
-{
-	const struct socfpga_firwall_l4_sys *firwall_l4_sys_base =
-		(struct socfpga_firwall_l4_sys *)SOCFPGA_FIREWALL_L4_SYS;
-	u32 i;
-	const u32 *addr[] = {
-			&firwall_l4_sys_base->dma_ecc,
-			&firwall_l4_sys_base->emac0rx_ecc,
-			&firwall_l4_sys_base->emac0tx_ecc,
-			&firwall_l4_sys_base->emac1rx_ecc,
-			&firwall_l4_sys_base->emac1tx_ecc,
-			&firwall_l4_sys_base->emac2rx_ecc,
-			&firwall_l4_sys_base->emac2tx_ecc,
-			&firwall_l4_sys_base->nand_ecc,
-			&firwall_l4_sys_base->nand_read_ecc,
-			&firwall_l4_sys_base->nand_write_ecc,
-			&firwall_l4_sys_base->ocram_ecc,
-			&firwall_l4_sys_base->sdmmc_ecc,
-			&firwall_l4_sys_base->usb0_ecc,
-			&firwall_l4_sys_base->usb1_ecc,
-			&firwall_l4_sys_base->clock_manager,
-			&firwall_l4_sys_base->io_manager,
-			&firwall_l4_sys_base->reset_manager,
-			&firwall_l4_sys_base->system_manager,
-			&firwall_l4_sys_base->watchdog0,
-			&firwall_l4_sys_base->watchdog1,
-			&firwall_l4_sys_base->watchdog2,
-			&firwall_l4_sys_base->watchdog3
-		};
-
-	for (i = 0; i < ARRAY_SIZE(addr); i++)
-		writel(FIREWALL_L4_DISABLE_ALL, addr[i]);
-}
-
-static void firewall_bridge_disable(void)
-{
-	/* disable lwsocf2fpga and soc2fpga bridge security */
-	writel(FIREWALL_BRIDGE_DISABLE_ALL, SOCFPGA_FIREWALL_SOC2FPGA);
-	writel(FIREWALL_BRIDGE_DISABLE_ALL, SOCFPGA_FIREWALL_LWSOC2FPGA);
-}
-
-void firewall_setup(void)
-{
-	firewall_l4_per_disable();
-	firewall_l4_sys_disable();
-	firewall_bridge_disable();
-
-	/* disable SMMU security */
-	writel(FIREWALL_L4_DISABLE_ALL, SOCFPGA_FIREWALL_TCU);
-
-	/* enable non-secure interface to DMA330 DMA and peripherals */
-	writel(SYSMGR_DMA_IRQ_NS | SYSMGR_DMA_MGR_NS,
-	       socfpga_get_sysmgr_addr() + SYSMGR_SOC64_DMA);
-	writel(SYSMGR_DMAPERIPH_ALL_NS,
-	       socfpga_get_sysmgr_addr() + SYSMGR_SOC64_DMA_PERIPH);
-}
diff --git a/arch/arm/mach-socfpga/include/mach/firewall.h b/arch/arm/mach-socfpga/include/mach/firewall.h
index b47b577ae75..8f3b7d90ad1 100644
--- a/arch/arm/mach-socfpga/include/mach/firewall.h
+++ b/arch/arm/mach-socfpga/include/mach/firewall.h
@@ -10,73 +10,6 @@
 
 #include <linux/bitops.h>
 
-struct socfpga_firwall_l4_per {
-	u32	nand;		/* 0x00 */
-	u32	nand_data;
-	u32	_pad_0x8;
-	u32	usb0;
-	u32	usb1;		/* 0x10 */
-	u32	_pad_0x14;
-	u32	_pad_0x18;
-	u32	spim0;
-	u32	spim1;		/* 0x20 */
-	u32	spis0;
-	u32	spis1;
-	u32	emac0;
-	u32	emac1;		/* 0x30 */
-	u32	emac2;
-	u32	_pad_0x38;
-	u32	_pad_0x3c;
-	u32	sdmmc;		/* 0x40 */
-	u32	gpio0;
-	u32	gpio1;
-	u32	_pad_0x4c;
-	u32	i2c0;		/* 0x50 */
-	u32	i2c1;
-	u32	i2c2;
-	u32	i2c3;
-	u32	i2c4;		/* 0x60 */
-	u32	timer0;
-	u32	timer1;
-	u32	uart0;
-	u32	uart1;		/* 0x70 */
-};
-
-struct socfpga_firwall_l4_sys {
-	u32	_pad_0x00;		/* 0x00 */
-	u32	_pad_0x04;
-	u32	dma_ecc;
-	u32	emac0rx_ecc;
-	u32	emac0tx_ecc;		/* 0x10 */
-	u32	emac1rx_ecc;
-	u32	emac1tx_ecc;
-	u32	emac2rx_ecc;
-	u32	emac2tx_ecc;		/* 0x20 */
-	u32	_pad_0x24;
-	u32	_pad_0x28;
-	u32	nand_ecc;
-	u32	nand_read_ecc;		/* 0x30 */
-	u32	nand_write_ecc;
-	u32	ocram_ecc;
-	u32	_pad_0x3c;
-	u32	sdmmc_ecc;		/* 0x40 */
-	u32	usb0_ecc;
-	u32	usb1_ecc;
-	u32	clock_manager;
-	u32	_pad_0x50;		/* 0x50 */
-	u32	io_manager;
-	u32	reset_manager;
-	u32	system_manager;
-	u32	osc0_timer;		/* 0x60 */
-	u32	osc1_timer;
-	u32	watchdog0;
-	u32	watchdog1;
-	u32	watchdog2;		/* 0x70 */
-	u32	watchdog3;
-};
-
-#define FIREWALL_L4_DISABLE_ALL		(BIT(0) | BIT(24) | BIT(16))
-#define FIREWALL_BRIDGE_DISABLE_ALL	(~0)
 
 /* Cache coherency unit (CCU) registers */
 #define CCU_CPU0_MPRT_ADBASE_DDRREG		0x4400
@@ -149,6 +82,4 @@ struct socfpga_firwall_l4_sys {
 	writel(data, SOCFPGA_FW_MPU_DDR_SCR_ADDRESS + (reg))
 #endif
 
-void firewall_setup(void);
-
 #endif /* _FIREWALL_H_ */
diff --git a/arch/arm/mach-socfpga/spl_n5x.c b/arch/arm/mach-socfpga/spl_n5x.c
index a49be837921..0a8dd6d0fee 100644
--- a/arch/arm/mach-socfpga/spl_n5x.c
+++ b/arch/arm/mach-socfpga/spl_n5x.c
@@ -5,7 +5,6 @@
  */
 
 #include <asm/arch/clock_manager.h>
-#include <asm/arch/firewall.h>
 #include <asm/arch/mailbox_s10.h>
 #include <asm/arch/misc.h>
 #include <asm/arch/reset_manager.h>
@@ -69,7 +68,17 @@ void board_init_f(ulong dummy)
 	print_reset_info();
 	cm_print_clock_quick_summary();
 
-	firewall_setup();
+	ret = uclass_get_device_by_name(UCLASS_NOP, "socfpga-system-mgr-firewall", &dev);
+	if (ret) {
+		printf("System manager firewall configuration failed: %d\n", ret);
+		hang();
+	}
+
+	ret = uclass_get_device_by_name(UCLASS_NOP, "socfpga-l3interconnect-firewall", &dev);
+	if (ret) {
+		printf("L3 interconnect firewall configuration failed: %d\n", ret);
+		hang();
+	}
 
 	ret = uclass_get_device(UCLASS_CACHE, 0, &dev);
 	if (ret) {
-- 
2.43.7

