[{"id":3684863,"web_url":"http://patchwork.ozlabs.org/comment/3684863/","msgid":"","list_archive_url":null,"date":"2026-04-30T17:28:47","subject":"Re: [PATCH 20/20] arm: dts: k3-j7200: Extend firewall for ATF region\n to TIFS","submitter":{"id":67226,"url":"http://patchwork.ozlabs.org/api/people/67226/","name":"Andrew Davis","email":"afd@ti.com"},"content":"On 4/30/26 3:44 AM, Richard Genoud (TI) wrote:\n> From: Prasanth Babu Mantena \n> \n> Extend the access to SRAM region of ATF to TIFS as well. This is\n> needed for TIFS for encryption and decryption of ATF as a part of\n> low power mode sequence. TIFS encrypts the ATF while entering into\n> low power mode and decrypts it back while resuming back.\n> So, giving permissions for TIFS to access this region.\n> \n> Signed-off-by: Prasanth Babu Mantena \n> ---\n> arch/arm/dts/k3-binman.dtsi | 18 ++++++++++++++++--\n> arch/arm/dts/k3-j7200-binman.dtsi | 4 ++--\n> arch/arm/dts/k3-security.h | 1 +\n> 3 files changed, 19 insertions(+), 4 deletions(-)\n> \n> diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi\n> index 0fd93f9536a2..4ffd8ec9e1c1 100644\n> --- a/arch/arm/dts/k3-binman.dtsi\n> +++ b/arch/arm/dts/k3-binman.dtsi\n> @@ -479,7 +479,21 @@\n> \t\tstart_address = <0x0 CONFIG_K3_ATF_LOAD_ADDR>;\n> \t\tend_address = <0x0 (CONFIG_K3_ATF_LOAD_ADDR + 0x1ffff)>;\n> \t};\n> -\tfirewall_armv8_optee_fg: template-8 {\n> +\tfirewall_armv8_atf_tifs_fg: template-8 {\n> +\t\tcontrol = <(FWCTRL_EN | FWCTRL_LOCK |\n> +\t\t\t\t\tFWCTRL_CACHE)>;\n> +\t\tpermissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |\n> +\t\t\t\t\t\tFWPERM_SECURE_PRIV_RWCD |\n> +\t\t\t\t\t\tFWPERM_SECURE_USER_RWCD)>,\n> +\t\t\t\t\t<((FWPRIVID_TIFS << FWPRIVID_SHIFT) |\n> +\t\t\t\t\t\tFWPERM_SECURE_PRIV_RWCD |\n> +\t\t\t\t\t\tFWPERM_SECURE_USER_RWCD |\n> +\t\t\t\t\t\tFWPERM_NON_SECURE_PRIV_RWCD |\n> +\t\t\t\t\t\tFWPERM_NON_SECURE_USER_RWCD)>;\n> +\t\tstart_address = <0x0 0x70000000>;\n\nShould this be using CONFIG_K3_ATF_LOAD_ADDR like the other templates?\n\nMight be easier to just update the existing `firewall_armv8_atf_fg`\ntemplate to also always allow TIFS. TIFS is the security root and\nif it really wanted to it could just update firewalls to let itself\nin, not like anything is really protected from TIFS to begin with.\n(if we are not locking the firewalls that is)\n\nAndrew\n\n> +\t\tend_address = <0x0 0x7001ffff>;\n> +\t};\n> +\tfirewall_armv8_optee_fg: template-9 {\n> \t\tcontrol = <(FWCTRL_EN | FWCTRL_LOCK |\n> \t\t\t\t\tFWCTRL_CACHE)>;\n> \t\tpermissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |\n> @@ -489,7 +503,7 @@\n> \t\tend_address = <0x0 (CONFIG_K3_OPTEE_LOAD_ADDR + 0x17fffff)>;\n> \t};\n> \n> -\tti_falcon_template: template-9 {\n> +\tti_falcon_template: template-10 {\n> \t\tfilename = \"tifalcon.bin\";\n> \t\tpad-byte = <0xff>;\n> \n> diff --git a/arch/arm/dts/k3-j7200-binman.dtsi b/arch/arm/dts/k3-j7200-binman.dtsi\n> index c2b86339d593..68ce4aa0ff12 100644\n> --- a/arch/arm/dts/k3-j7200-binman.dtsi\n> +++ b/arch/arm/dts/k3-j7200-binman.dtsi\n> @@ -259,7 +259,7 @@\n> \n> \t\t\t\t\t\tfirewall-4760-1 {\n> \t\t\t\t\t\t\t/* nb_slv0__mem0 Foreground Firewall */\n> -\t\t\t\t\t\t\tinsert-template = <&firewall_armv8_atf_fg>;\n> +\t\t\t\t\t\t\tinsert-template = <&firewall_armv8_atf_tifs_fg>;\n> \t\t\t\t\t\t\tid = <4760>;\n> \t\t\t\t\t\t\tregion = <1>;\n> \t\t\t\t\t\t};\n> @@ -272,7 +272,7 @@\n> \n> \t\t\t\t\t\tfirewall-4761-1 {\n> \t\t\t\t\t\t\t/* nb_slv1__mem0 Foreground Firewall */\n> -\t\t\t\t\t\t\tinsert-template = <&firewall_armv8_atf_fg>;\n> +\t\t\t\t\t\t\tinsert-template = <&firewall_armv8_atf_tifs_fg>;\n> \t\t\t\t\t\t\tid = <4761>;\n> \t\t\t\t\t\t\tregion = <1>;\n> \t\t\t\t\t\t};\n> diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h\n> index 33609caa8fb5..3e066bca6ad7 100644\n> --- a/arch/arm/dts/k3-security.h\n> +++ b/arch/arm/dts/k3-security.h\n> @@ -7,6 +7,7 @@\n> #define DTS_ARM64_TI_K3_FIREWALL_H\n> \n> #define FWPRIVID_ALL 0xc3\n> +#define FWPRIVID_TIFS 0xca\n> #define FWPRIVID_ARMV8 1\n> #define FWPRIVID_SHIFT 16\n>","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=ti.com header.i=@ti.com header.a=rsa-sha256\n header.s=selector1 header.b=f4JgkP9o;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=ti.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=ti.com header.i=@ti.com header.b=\"f4JgkP9o\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=ti.com","phobos.denx.de; spf=pass smtp.mailfrom=afd@ti.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g61PF17wBz1yHZ\n\tfor ; Fri, 01 May 2026 03:29:05 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 19532803C6;\n\tThu, 30 Apr 2026 19:29:02 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 0248C83693; Thu, 30 Apr 2026 19:29:01 +0200 (CEST)","from BL2PR02CU003.outbound.protection.outlook.com\n (mail-eastusazlp17011000f.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c100::f])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id CF64F80086\n for ; Thu, 30 Apr 2026 19:28:57 +0200 (CEST)","from BN0PR04CA0122.namprd04.prod.outlook.com (2603:10b6:408:ed::7)\n by DM6PR10MB4283.namprd10.prod.outlook.com (2603:10b6:5:219::23) with\n Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9870.20; Thu, 30 Apr\n 2026 17:28:54 +0000","from BN1PEPF0000468B.namprd05.prod.outlook.com\n (2603:10b6:408:ed:cafe::95) by BN0PR04CA0122.outlook.office365.com\n (2603:10b6:408:ed::7) with Microsoft SMTP Server (version=TLS1_3,\n cipher=TLS_AES_256_GCM_SHA384) id 15.20.9870.21 via Frontend Transport; Thu,\n 30 Apr 2026 17:28:53 +0000","from lewvzet201.ext.ti.com (198.47.23.195) by\n BN1PEPF0000468B.mail.protection.outlook.com (10.167.243.136) with Microsoft\n SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n 15.20.9870.22 via Frontend Transport; Thu, 30 Apr 2026 17:28:53 +0000","from DLEE206.ent.ti.com (157.170.170.90) by lewvzet201.ext.ti.com\n (10.4.14.104) with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Thu, 30 Apr\n 2026 12:28:52 -0500","from DLEE209.ent.ti.com (157.170.170.98) by DLEE206.ent.ti.com\n (157.170.170.90) with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Thu, 30 Apr\n 2026 12:28:48 -0500","from lelvem-mr06.itg.ti.com (10.180.75.8) by DLEE209.ent.ti.com\n (157.170.170.98) with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20 via Frontend\n Transport; Thu, 30 Apr 2026 12:28:48 -0500","from [10.249.42.149] ([10.249.42.149])\n by lelvem-mr06.itg.ti.com (8.18.1/8.18.1) with ESMTP id 63UHSlg01596095;\n Thu, 30 Apr 2026 12:28:47 -0500"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-1.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,T_SPF_PERMERROR autolearn=no\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;\n b=L+dlYI5gNIkHdtIY/Z6YGLquzczaZSQB+pq2OFPKVGB+2eGUAMTLs+lcqqNCeYBy2Zgt6dQW3fGF/7RbT+aAx9Z++rDM6Azdd7NJ+/evm+Upcp9yywabwmuvIs1XWqbe1zZuefyfnch0cAtnvjinpMHX387c8pTPtMAkX/d6PrBI98gGWtnvP4n/5+oLw41XykWmcJS0gRUTE9Ptv83QPiudshlJfHBxdpHzRIszdrYQgRaNBM+5niIgmq3KUh1WhfSz8jGcFYglxWU8DHsMaSUvlZiNCCr0Zw1qY0/yeU1Nu9FNgIaY/g5CG6Y2H8NiiS0pBSp1W7yz9TX6dCFSEA==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;\n bh=jFpJtU6flT8fQxqopAvSINQwpn0byQXGVPRtO8rSLuk=;\n b=QqvY429YDB4sBCkduNZdkmed1DNSpDC5QlgcRW//8ueXUhiNw9RRWlnVDEPdwV5xIPBxBOWUw2Lo15HClrzSHuXg5vlka4XKSUQCvvkA3vK7JN42jQ7FfpaOgHekyWwl0Z+jWYPCkp3OHrMUW/zlMZ8YiVOxsjcJhXZz1cu0X5Sd1ek4d0hTfp/xNyJ2kFu6aJ6OQiHmDPUfp+4TwvkZE9pxNbLoYmsgniXl652kmmdTUjxNT6Qg0jhR08zLNBYcnK0uJOhBcp2VNdEwsgicglBU7tgzlyJIoKRcV+hjwIKW78kFTbRUr4LMhzOY+dUynYxyvCL37XVrgyHF5bqazw==","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass (sender ip is\n 198.47.23.195) smtp.rcpttodomain=lists.denx.de smtp.mailfrom=ti.com;\n dmarc=pass (p=quarantine sp=none pct=100) action=none header.from=ti.com;\n dkim=none (message not signed); arc=none (0)","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com; s=selector1;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;\n bh=jFpJtU6flT8fQxqopAvSINQwpn0byQXGVPRtO8rSLuk=;\n b=f4JgkP9oJYMWS2Osq9G2MtqLSZODWVibfkkFIhfK1aohvmGRuE4OeEM9I/A8pUa/ttrOtqLxLd2yitknE8XglFrEmqnGzHv89z21tA3tBw/6BudfrM676powKrwAKffsvd/sTA7spwKQ5ea7JdU4LwGcEfs8okT12QaJtTNnKEg=","X-MS-Exchange-Authentication-Results":"spf=pass (sender IP is 198.47.23.195)\n smtp.mailfrom=ti.com; dkim=none (message not signed) header.d=none;\n dmarc=pass\n action=none header.from=ti.com;","Received-SPF":"Pass (protection.outlook.com: domain of ti.com designates\n 198.47.23.195 as permitted sender) receiver=protection.outlook.com;\n client-ip=198.47.23.195; helo=lewvzet201.ext.ti.com; pr=C","Message-ID":"","Date":"Thu, 30 Apr 2026 12:28:47 -0500","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH 20/20] arm: dts: k3-j7200: Extend firewall for ATF region\n to TIFS","To":"\"Richard Genoud (TI)\" , Tom Rini\n , Manorit Chawdhry , Apurva Nandan\n , Vignesh Raghavendra , Bryan Brattlof\n , Vaishnav Achath , Jayesh Choudhary\n , Simon Glass , Alper Nebi Yasak\n ","CC":"Markus Schneider-Pargmann , Udit Kumar\n , Abhash Kumar , Thomas Richard\n , Gregory CLEMENT ,\n Thomas Petazzoni , ","References":"<20260430084414.1354490-1-richard.genoud@bootlin.com>\n <20260430084414.1354490-21-richard.genoud@bootlin.com>","Content-Language":"en-US","From":"Andrew Davis ","In-Reply-To":"<20260430084414.1354490-21-richard.genoud@bootlin.com>","Content-Type":"text/plain; charset=\"UTF-8\"; format=flowed","Content-Transfer-Encoding":"7bit","X-C2ProcessedOrg":"333ef613-75bf-4e12-a4b1-8e3623f5dcea","X-EOPAttributedMessage":"0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"BN1PEPF0000468B:EE_|DM6PR10MB4283:EE_","X-MS-Office365-Filtering-Correlation-Id":"64c490d7-f40e-4880-6add-08dea6ddf36c","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"BCL:0;\n ARA:13230040|36860700016|82310400026|1800799024|376014|921020|56012099003|22082099003|18002099003;","X-Microsoft-Antispam-Message-Info":"\n bl23ntVJGlgXD6p7B02l1H+B7RGzfPyt2qmjlERbe1LZTwAbyIGh3RW24taGS0WwhppcVp6Ir9I0pbHzRTfV5LLPMymf9vSyvs4oTfrXRn2uTnSVuJ/Ek6z9PZ0M2ScTPa0gmkd9G99c4P824QR05GHiSKIY7MVqiqq7uaEkTgXdd2M0DMZ+Xjy7aVpFVjWiIQRuwtOjEj1dOugQfgn8g6I14WD13NVBUJPaDu670yEYaWbzRrfWMWd4mRxjMdSlVC2+3pJ/rbtujFR06mpBojz+4qxjVv/fJHkf1xaAdugPcM0UTBHThUBJL/XXwHPSDxoaDYpYxEr6jHtE6MGo+XdCjHSY8xC3lpe8W3GEsJ0g7g2j8/OQChAoUluCZytVzU6KyBPJEYv0jSIyNGLE3BoX/7ngQoD8ffF1P0rA4AfwjMOC43VppL4k8PeblzZcgPxGDKMXyqFnyTzaHt/at1tnQmtF+Pqe3Shd2LvVqX8mfAl4J0ree7GCfANj3sgZra9WSjWcLx+rhRNmf76w8u0cTSkqeYy9/Waqtfrk/xmj6d4OvYupLPw68XNj/w2JVlMge83flKWci1ocdqd5QljHSb1dSmKSrOj4zRJ1xZ6BL0i16KNyhcmNVGeLAL7EhdQMK3G45eWg6Z95jxYHmajEByk/CEyEbriSguzsAl8SDgzkskXUtabf+frTdlB4z5dFVdQXGch4hNImKVEYnTiImpf2t4qi0ZK7lkAw+2XDBxsgGUkw1U/xqMnVUPkqGw/uAiIq3GiD5nk++pq56A==","X-Forefront-Antispam-Report":"CIP:198.47.23.195; CTRY:US; LANG:en; SCL:1; SRV:;\n IPV:NLI; SFV:NSPM; H:lewvzet201.ext.ti.com; PTR:InfoDomainNonexistent;\n CAT:NONE;\n SFS:(13230040)(36860700016)(82310400026)(1800799024)(376014)(921020)(56012099003)(22082099003)(18002099003);\n DIR:OUT; SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-MS-Exchange-AntiSpam-MessageData-0":"\n drPmxSoR3EuaNFPGYrxHyfsDF4N3iKBOy8zluXwUk3rFWhUZQONZqdryDL2VyD0b18A8AckR+MfOH08+tDCYzDZw7MHz4P5ZOGEatvDa7ZchUjUEOnQcGk3vBPpQpdYYcyFOSBqojj2ZOcC6dUcdf/ZfbwBfAEqwONd4zlcz6WdOWjGrGYO/Pq7kNIPDS5dwFJ+e7CJmFudmxGIrE/dUdIkk2FvOxPJAYdLcwvuabiS0XxsMYqvD+aQgdK4qsktnUBAsofjF2D8WL03TqSZHu5EQbBcofkcO1F6JIanfxxnqicjPYzQZRMCvFky+sCk2MsrJDiJXOwsKVTXeSYt09g//7WNmigoct6Je0Qnaoe2ADwpVlB9WClocjQSVSsRowmQWX5WTy9WJ/UanBug68/hJtS3MSr3ZZ7RmbDf/4saqyu9KtSmVc/2qjDhOeLCx","X-OriginatorOrg":"ti.com","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"30 Apr 2026 17:28:53.3988 (UTC)","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n 64c490d7-f40e-4880-6add-08dea6ddf36c","X-MS-Exchange-CrossTenant-Id":"e5b49634-450b-4709-8abb-1e2b19b982b7","X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp":"\n TenantId=e5b49634-450b-4709-8abb-1e2b19b982b7; Ip=[198.47.23.195];\n Helo=[lewvzet201.ext.ti.com]","X-MS-Exchange-CrossTenant-AuthSource":"\n BN1PEPF0000468B.namprd05.prod.outlook.com","X-MS-Exchange-CrossTenant-AuthAs":"Anonymous","X-MS-Exchange-CrossTenant-FromEntityHeader":"HybridOnPrem","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"DM6PR10MB4283","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]