@@ -177,6 +177,102 @@
ti-secure {
content = <&atf>;
keyfile = "custMpk.pem";
+ auth_in_place = <0xa02>;
+
+ firewall-257-0 {
+ /* cpu_0_cpu_0_msmc Background Firewall */
+ id = <257>;
+ region = <0>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_BG | FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD |
+ FWPERM_NON_SECURE_PRIV_RWCD |
+ FWPERM_NON_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x0>;
+ end_address = <0xff 0xffffffff>;
+ };
+
+ firewall-257-1 {
+ /* cpu_0_cpu_0_msmc Foreground Firewall */
+ id = <257>;
+ region = <1>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
+
+ firewall-284-0 {
+ /* dru_0_msmc Background Firewall */
+ id = <284>;
+ region = <0>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_BG | FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD |
+ FWPERM_NON_SECURE_PRIV_RWCD |
+ FWPERM_NON_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x0>;
+ end_address = <0xff 0xffffffff>;
+ };
+
+ firewall-284-1 {
+ /* dru_0_msmc Foreground Firewall */
+ id = <284>;
+ region = <1>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
+
+ /* firewall-5140-0 {
+ * nb_slv0__mem0 Background Firewall
+ * Already configured by the secure entity
+ * };
+ */
+
+ firewall-5140-1 {
+ /* nb_slv0__mem0 Foreground Firewall */
+ id = <5140>;
+ region = <1>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
+
+ /* firewall-5140-0 {
+ * nb_slv1__mem0 Background Firewall
+ * Already configured by the secure entity
+ * };
+ */
+
+ firewall-5141-1 {
+ /* nb_slv1__mem0 Foreground Firewall */
+ id = <5141>;
+ region = <1>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x70000000>;
+ end_address = <0x0 0x7001ffff>;
+ };
+
};
atf: atf-bl31 {
};
@@ -193,6 +289,118 @@
ti-secure {
content = <&tee>;
keyfile = "custMpk.pem";
+ auth_in_place = <0xa02>;
+
+ firewall-257-2 {
+ /* cpu_0_cpu_0_msmc Foreground Firewall */
+ id = <257>;
+ region = <2>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
+ firewall-284-2 {
+ /* dru_0_msmc Foreground Firewall */
+ id = <284>;
+ region = <2>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
+ firewall-5142-0 {
+ /* nb_slv2__mem0 Background Firewall - 0 */
+ id = <5142>;
+ region = <0>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_BG | FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD |
+ FWPERM_NON_SECURE_PRIV_RWCD |
+ FWPERM_NON_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x0>;
+ end_address = <0xff 0xffffffff>;
+ };
+
+ firewall-5142-1 {
+ /* nb_slv2__mem0 Foreground Firewall */
+ id = <5142>;
+ region = <1>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
+ firewall-5143-0 {
+ /* nb_slv3__mem0 Background Firewall - 0 */
+ id = <5143>;
+ region = <0>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_BG | FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD |
+ FWPERM_NON_SECURE_PRIV_RWCD |
+ FWPERM_NON_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x0>;
+ end_address = <0xff 0xffffffff>;
+ };
+
+ firewall-5143-1 {
+ /* nb_slv3__mem0 Foreground Firewall */
+ id = <5143>;
+ region = <1>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
+ firewall-5144-0 {
+ /* nb_slv4__mem0 Background Firewall - 0 */
+ id = <5144>;
+ region = <0>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_BG | FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD |
+ FWPERM_NON_SECURE_PRIV_RWCD |
+ FWPERM_NON_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x0>;
+ end_address = <0xff 0xffffffff>;
+ };
+
+ firewall-5144-1 {
+ /* nb_slv4__mem0 Foreground Firewall */
+ id = <5144>;
+ region = <1>;
+ control = <(FWCTRL_EN | FWCTRL_LOCK |
+ FWCTRL_CACHE)>;
+ permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+ FWPERM_SECURE_PRIV_RWCD |
+ FWPERM_SECURE_USER_RWCD)>;
+ start_address = <0x0 0x9e800000>;
+ end_address = <0x0 0x9fffffff>;
+ };
+
};
tee: tee-os {
};
The following commits adds the configuration of firewalls required to protect ATF and OP-TEE memory region from non-secure reads and writes using master and slave firewalls present in our K3 SOCs. Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com> --- arch/arm/dts/k3-j721s2-binman.dtsi | 208 +++++++++++++++++++++++++++++++++++++ 1 file changed, 208 insertions(+)