From patchwork Wed Oct 11 06:24:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Manorit Chawdhry X-Patchwork-Id: 1846283 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=ti.com header.i=@ti.com header.a=rsa-sha256 header.s=ti-com-17Q1 header.b=YkZereXe; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4S52pv0brvz1yqN for ; Wed, 11 Oct 2023 17:26:31 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id EDA8586C2F; Wed, 11 Oct 2023 08:25:24 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=ti.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=ti.com header.i=@ti.com header.b="YkZereXe"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 26464864E7; Wed, 11 Oct 2023 08:25:18 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2, 
SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from lelv0143.ext.ti.com (lelv0143.ext.ti.com [198.47.23.248]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id D507486B37 for ; Wed, 11 Oct 2023 08:25:13 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=ti.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=m-chawdhry@ti.com Received: from fllv0034.itg.ti.com ([10.64.40.246]) by lelv0143.ext.ti.com (8.15.2/8.15.2) with ESMTP id 39B6PAYq077392; Wed, 11 Oct 2023 01:25:10 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com; s=ti-com-17Q1; t=1697005510; bh=5oiccmulfV64GeDOKPrzvj/LcoVP+7ZcY6ksjtrBVro=; h=From:Date:Subject:References:In-Reply-To:To:CC; b=YkZereXeHam7/4LvGqmqQu3muDemBW6O5iWIoZlDzJLuzZJXcv22vaOLDocdR1fZm RVBuVPpOOqdmNv/C1mZI6UvVcXPvfN/qeORj76z7lXVQAmNDF6Q+qqyT9JF+/Da3wA 8ymsF2/1nMSkH+VujtSAd4RxIxX163TejtTLiu1U= Received: from DLEE104.ent.ti.com (dlee104.ent.ti.com [157.170.170.34]) by fllv0034.itg.ti.com (8.15.2/8.15.2) with ESMTPS id 39B6PAnG018788 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 11 Oct 2023 01:25:10 -0500 Received: from DLEE114.ent.ti.com (157.170.170.25) by DLEE104.ent.ti.com (157.170.170.34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2507.23; Wed, 11 Oct 2023 01:25:09 -0500 Received: from lelv0326.itg.ti.com (10.180.67.84) by DLEE114.ent.ti.com (157.170.170.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2507.23 via Frontend Transport; Wed, 11 Oct 2023 01:25:09 -0500 Received: from [127.0.1.1] (ileaxei01-snat2.itg.ti.com [10.180.69.6]) by lelv0326.itg.ti.com (8.15.2/8.15.2) with ESMTP id 39B6P2l3005599; Wed, 11 Oct 2023 01:25:06 -0500 
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:54:58 +0530
Subject: [PATCH v4 1/8] binman: ti-secure: Add support for firewalling entities
Message-ID: <20231011-binman-firewalling-v4-1-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

We can now firewall entities while loading them through our secure entity
TIFS; the required information should be present in the certificate that
is being parsed by TIFS.

The following commit adds the support to enable the certificates to be
generated if the firewall configurations are present in the binman dtsi
nodes.

Signed-off-by: Manorit Chawdhry
Reviewed-by: Simon Glass
---
 tools/binman/btool/openssl.py   | 16 +++++++-
 tools/binman/etype/ti_secure.py | 90 +++++++++++++++++++++++++++++++++++++++++
 tools/binman/etype/x509_cert.py |  3 +-
 3 files changed, 106 insertions(+), 3 deletions(-)
diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py index aad3b61ae27c..dff439df211f 100644 --- a/tools/binman/btool/openssl.py +++ b/tools/binman/btool/openssl.py @@ -82,7 +82,7 @@ imageSize = INTEGER:{len(indata)} return self.run_cmd(*args) def x509_cert_sysfw(self, cert_fname, input_fname, key_fname, sw_rev, - config_fname, req_dist_name_dict): + config_fname, req_dist_name_dict, firewall_cert_data): """Create a certificate to be booted by system firmware Args: @@ -94,6 +94,13 @@ imageSize = INTEGER:{len(indata)} req_dist_name_dict (dict): Dictionary containing key-value pairs of req_distinguished_name section extensions, must contain extensions for C, ST, L, O, OU, CN and emailAddress + firewall_cert_data (dict): + - auth_in_place (int): The Priv ID for copying as the + specific host in firewall protected region + - num_firewalls (int): The number of firewalls in the + extended certificate + - certificate (str): Extended firewall certificate with + the information for the firewall configurations. Returns: str: Tool output @@ -121,6 +128,7 @@ basicConstraints = CA:true 1.3.6.1.4.1.294.1.3 = ASN1:SEQUENCE:swrv 1.3.6.1.4.1.294.1.34 = ASN1:SEQUENCE:sysfw_image_integrity 1.3.6.1.4.1.294.1.35 = ASN1:SEQUENCE:sysfw_image_load +1.3.6.1.4.1.294.1.37 = ASN1:SEQUENCE:firewall [ swrv ] swrv = INTEGER:{sw_rev} @@ -132,7 +140,11 @@ imageSize = INTEGER:{len(indata)} [ sysfw_image_load ] destAddr = FORMAT:HEX,OCT:00000000 -authInPlace = INTEGER:2 +authInPlace = INTEGER:{hex(firewall_cert_data['auth_in_place'])} + +[ firewall ] +numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']} +{firewall_cert_data['certificate']} ''', file=outf) args = ['req', '-new', '-x509', '-key', key_fname, '-nodes', '-outform', 'DER', '-out', cert_fname, '-config', config_fname, diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py index d939dce57139..76649b07b1b8 100644 --- a/tools/binman/etype/ti_secure.py 
+++ b/tools/binman/etype/ti_secure.py @@ -7,9 +7,40 @@ from binman.entry import EntryArg from binman.etype.x509_cert import Entry_x509_cert +from dataclasses import dataclass from dtoc import fdt_util +@dataclass +class Firewall(): + id: int + region: int + control : int + permissions: list[hex] + start_address: str + end_address: str + + def __post_init__(self): + for key, val in self.__dict__.items(): + if val is None: + raise Exception(f"{key} can't be None in firewall node") + + def get_certificate(self) -> str: + unique_identifier = f"{self.id}{self.region}" + cert = f""" +firewallID{unique_identifier} = INTEGER:{self.id} +region{unique_identifier} = INTEGER:{self.region} +control{unique_identifier} = INTEGER:{hex(self.control)} +nPermissionRegs{unique_identifier} = INTEGER:{len(self.permissions)} +""" + for index, permission in enumerate(self.permissions): + cert += f"""permissions{unique_identifier}{index} = INTEGER:{hex(permission)} +""" + cert += f"""startAddress{unique_identifier} = FORMAT:HEX,OCT:{self.start_address:02x} +endAddress{unique_identifier} = FORMAT:HEX,OCT:{self.end_address:02x} +""" + return cert + class Entry_ti_secure(Entry_x509_cert): """Entry containing a TI x509 certificate binary @@ -17,6 +48,11 @@ class Entry_ti_secure(Entry_x509_cert): - content: List of phandles to entries to sign - keyfile: Filename of file containing key to sign binary with - sha: Hash function to be used for signing + - auth-in-place: This is an integer field that contains two pieces + of information + Lower Byte - Remains 0x02 as per our use case + ( 0x02: Move the authenticated binary back to the header ) + Upper Byte - The Host ID of the core owning the firewall Output files: - input. - input file passed to openssl 
@@ -25,6 +61,35 @@ class Entry_ti_secure(Entry_x509_cert): - cert. - output file generated by openssl (which is used as the entry contents) + Depending on auth-in-place information in the inputs, we read the + firewall nodes that describe the configurations of firewall that TIFS + will be doing after reading the certificate. + + The syntax of the firewall nodes are as such: + + firewall-257-0 { + id = <257>; /* The ID of the firewall being configured */ + region = <0>; /* Region number to configure */ + + control = /* The control register */ + <(FWCTRL_EN | FWCTRL_LOCK | FWCTRL_BG | FWCTRL_CACHE)>; + + permissions = /* The permission registers */ + <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + + /* More defines can be found in k3-security.h */ + + start_address = /* The Start Address of the firewall */ + <0x0 0x0>; + end_address = /* The End Address of the firewall */ + <0xff 0xffffffff>; + }; + + openssl signs the provided data, using the TI templated config file and writes the signature in this entry. This allows verification that the data is genuine. @@ -32,11 +97,20 @@ class Entry_ti_secure(Entry_x509_cert): def __init__(self, section, etype, node): super().__init__(section, etype, node) self.openssl = None + self.firewall_cert_data: dict = { + 'auth_in_place': 0x02, + 'num_firewalls': 0, + 'certificate': '', + } def ReadNode(self): super().ReadNode() self.key_fname = self.GetEntryArgsOrProps([ EntryArg('keyfile', str)], required=True)[0] + auth_in_place = fdt_util.GetInt(self._node, 'auth-in-place') + if auth_in_place: + self.firewall_cert_data['auth_in_place'] = auth_in_place + self.ReadFirewallNode() self.sha = fdt_util.GetInt(self._node, 'sha', 512) self.req_dist_name = {'C': 'US', 'ST': 'TX', 
@@ -46,6 +120,22 @@ class Entry_ti_secure(Entry_x509_cert): 'CN': 'TI Support', 'emailAddress': 'support@ti.com'} + def ReadFirewallNode(self): + self.firewall_cert_data['certificate'] = "" + self.firewall_cert_data['num_firewalls'] = 0 + for node in self._node.subnodes: + if 'firewall' in node.name: + firewall = Firewall( + fdt_util.GetInt(node, 'id'), + fdt_util.GetInt(node, 'region'), + fdt_util.GetInt(node, 'control'), + fdt_util.GetPhandleList(node, 'permissions'), + fdt_util.GetInt64(node, 'start_address'), + fdt_util.GetInt64(node, 'end_address'), + ) + self.firewall_cert_data['num_firewalls'] += 1 + self.firewall_cert_data['certificate'] += firewall.get_certificate() + def GetCertificate(self, required): """Get the contents of this entry diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py index d028cfe38cd9..9e1cf479023b 100644 --- a/tools/binman/etype/x509_cert.py +++ b/tools/binman/etype/x509_cert.py 
@@ -98,7 +98,8 @@ class Entry_x509_cert(Entry_collection): key_fname=self.key_fname, config_fname=config_fname, sw_rev=self.sw_rev, - req_dist_name_dict=self.req_dist_name) + req_dist_name_dict=self.req_dist_name, + firewall_cert_data=self.firewall_cert_data) elif type == 'rom': stdout = self.openssl.x509_cert_rom( cert_fname=output_fname, From patchwork Wed Oct 11 06:24:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Manorit Chawdhry X-Patchwork-Id: 1846284 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=ti.com header.i=@ti.com header.a=rsa-sha256 header.s=ti-com-17Q1 header.b=iXIYrnGC; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4S52q4470Lz1yqN for ; Wed, 11 Oct 2023 17:26:40 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 676EC86C02; Wed, 11 Oct 2023 08:25:25 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=ti.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=ti.com header.i=@ti.com header.b="iXIYrnGC"; dkim-atps=neutral Received: by 
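Review bot: in the `Firewall.get_certificate()` hunk of tools/binman/etype/ti_secure.py, `{self.start_address:02x}` and `{self.end_address:02x}` pad to a minimum of two hex digits but do not guarantee an even digit count, and openssl's `FORMAT:HEX,OCT:` rejects an odd number of hex digits, so an end address such as 0x100 makes certificate generation fail at build time. A fixed even width (for example `:016x`, if TIFS expects 8-byte address fields) avoids the failure and gives the octet string a predictable length. The annotations in the same hunk are also off: `permissions: list[hex]` names the builtin function `hex` rather than a type, `start_address`/`end_address` are annotated `str` although `ReadFirewallNode()` passes `GetInt64()` ints and formats them with `:02x`, and a `list[...]` dataclass annotation is evaluated at class-creation time, which fails before Python 3.9; `List[int]` from `typing` and `int` would be correct and portable. Finally, `unique_identifier = f"{self.id}{self.region}"` concatenates two decimal numbers with no separator, so id 25 / region 71 and id 257 / region 1 both yield `2571` and collide as config keys; `f"{self.id}_{self.region}"` removes the ambiguity.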
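Review bot: in the `ReadNode()` hunk of tools/binman/etype/ti_secure.py, `self.ReadFirewallNode()` is only called inside `if auth_in_place:`, so a `ti-secure` node that carries `firewall-*` subnodes but omits `auth-in-place` is silently signed with `num_firewalls` = 0 and an empty firewall certificate body, which is a misconfiguration the build should refuse rather than accept. Suggest parsing the firewall subnodes unconditionally and calling `self.Raise()` when firewall nodes exist without `auth-in-place`. While there, the docstring added in this patch says the lower byte of `auth-in-place` must remain 0x02, so a check such as `if auth_in_place & 0xff != 0x02: self.Raise(...)` would turn a mistyped value into a build error instead of an unexpected certificate.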
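Review bot: in the `ReadFirewallNode()` hunk of tools/binman/etype/ti_secure.py, `if 'firewall' in node.name` is a substring match that also catches any unrelated subnode whose name merely contains the word; `node.name.startswith('firewall-')` states the intent and matches the `firewall-<id>-<region>` form the docstring documents. `fdt_util.GetPhandleList(node, 'permissions')` reads a plain array of u32 permission values through a phandle accessor; if binman has no integer-list helper, a short comment explaining the reuse would save the next reader a detour. The `Exception` raised by `Firewall.__post_init__` also carries no node path; wrapping construction in try/except and re-raising through `self.Raise()` would name the offending node in the error.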
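Review bot: in the `[ sysfw_image_load ]`/`[ firewall ]` hunk of tools/binman/btool/openssl.py (together with the new `1.3.6.1.4.1.294.1.37 = ASN1:SEQUENCE:firewall` extension line), the firewall extension is emitted unconditionally, so every existing `ti-secure` user with no firewall subnodes now gets a certificate carrying `numFirewallRegions = INTEGER:0` and an otherwise empty sequence. Please confirm that TIFS on every supported K3 device accepts an empty firewall extension, or gate both the extension line and the section on `firewall_cert_data['num_firewalls'] > 0` so the output for existing boards stays byte-for-byte unchanged; either way the commit message should state the behaviour change.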
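Review bot: in the tools/binman/etype/x509_cert.py hunk, `firewall_cert_data=self.firewall_cert_data` is evaluated in the base class `Entry_x509_cert`, but the attribute is only created in `Entry_ti_secure.__init__`; any other `Entry_x509_cert` subclass reaching the `sysfw` path fails with `AttributeError`. Initialise a default `self.firewall_cert_data` in `Entry_x509_cert.__init__` (or make the new `x509_cert_sysfw()` parameter optional with `firewall_cert_data=None` and handle `None` there) so the base class does not depend on a subclass attribute.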
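Review bot: in the class docstring hunk (@@ -25,6 +61,35 @@) of tools/binman/etype/ti_secure.py, "The syntax of the firewall nodes are as such" should read "The syntax of the firewall nodes is as follows", and "the configurations of firewall that TIFS will be doing after reading the certificate" reads more clearly as "the firewall configurations TIFS applies after parsing the certificate". The example also tells the reader that "More defines can be found in k3-security.h", a file that only appears in patch 3/8 of this series; naming its path (arch/arm/dts/k3-security.h) and that k3-binman.dtsi includes it would make the docstring usable on its own.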
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:54:59 +0530
Subject: [PATCH v4 2/8] binman: ftest: Add test for ti-secure firewall node
Message-ID: <20231011-binman-firewalling-v4-2-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

Add test for TI firewalling node in ti-secure.

Signed-off-by: Manorit Chawdhry
Reviewed-by: Simon Glass
---
 tools/binman/ftest.py                           | 22 +++++++++++++++++
 tools/binman/test/319_ti_secure_firewall.dts    | 28 ++++++++++++++++++++++
 .../320_ti_secure_firewall_missing_property.dts | 28 ++++++++++++++++++++++
 3 files changed, 78 insertions(+)
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index 8e419645a6d5..2e306e7ebc96 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -7030,6 +7030,28 @@ fdt fdtmap Extract the devicetree blob from the fdtmap entry_args=entry_args)[0] self.assertGreater(len(data), len(TI_UNSECURE_DATA)) + def testPackTiSecureFirewall(self): + """Test that an image with a TI secured binary can be created""" + keyfile = self.TestFile('key.key') + entry_args = { + 'keyfile': keyfile, + } + data_no_firewall = self._DoReadFileDtb('296_ti_secure.dts', + entry_args=entry_args)[0] + data_firewall = self._DoReadFileDtb('319_ti_secure_firewall.dts', + entry_args=entry_args)[0] + self.assertGreater(len(data_firewall),len(data_no_firewall)) + + def testPackTiSecureFirewallMissingProperty(self): + """Test that an image with a TI secured binary can be created""" + keyfile = self.TestFile('key.key') + entry_args = { + 'keyfile': keyfile, + } + data_firewall = self._DoReadFileDtb('320_ti_secure_firewall_missing_property.dts', + entry_args=entry_args)[0] + self.assertRegex("can't be None in firewall node", str(e.exception)) + def testPackTiSecureMissingTool(self): """Test that an image with a TI secured binary (non-functional) can be created when openssl is missing""" diff --git a/tools/binman/test/319_ti_secure_firewall.dts b/tools/binman/test/319_ti_secure_firewall.dts new file mode 100644 index 000000000000..7ec407fa67ba --- /dev/null +++ b/tools/binman/test/319_ti_secure_firewall.dts @@ -0,0 +1,28 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + ti-secure { + content = <&unsecure_binary>; + auth-in-place = <0xa02>; + + firewall-0-2 { + id = <0>; + region = <2>; + control = <0x31a>; + permissions = <0xc3ffff>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + }; + unsecure_binary: blob-ext { + filename = "ti_unsecure.bin"; + }; + }; +}; 
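Review bot: in the tools/binman/ftest.py hunk, `testPackTiSecureFirewallMissingProperty()` asserts on `e.exception` but nothing binds `e`: there is no `with self.assertRaises(...) as e:` around the `_DoReadFileDtb()` call, so the exception raised by `Firewall.__post_init__` propagates and the test errors out instead of passing. The `assertRegex` arguments are also reversed (`assertRegex(text, regex)` searches the first argument for the second), and the docstring is copied from the previous test although this one checks an error path. Suggest:

    with self.assertRaises(Exception) as e:
        self._DoReadFileDtb('320_ti_secure_firewall_missing_property.dts', entry_args=entry_args)
    self.assertIn("can't be None in firewall node", str(e.exception))

For `testPackTiSecureFirewall()`, asserting only that the image grew does not show that the firewall data reached the certificate; checking the generated openssl config for `numFirewallRegions = INTEGER:1` (or parsing the DER extension) would pin the behaviour.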
diff --git a/tools/binman/test/320_ti_secure_firewall_missing_property.dts b/tools/binman/test/320_ti_secure_firewall_missing_property.dts new file mode 100644 index 000000000000..8e995ffa4776 --- /dev/null +++ b/tools/binman/test/320_ti_secure_firewall_missing_property.dts 
@@ -0,0 +1,28 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + ti-secure { + content = <&unsecure_binary>; + auth-in-place = <0xa02>; + + firewall-0-2 { + // id = <0>; + region = <2>; + control = <0x31a>; + permissions = <0xc3ffff>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + }; + unsecure_binary: blob-ext { + filename = "ti_unsecure.bin"; + }; + }; +}; From patchwork Wed Oct 11 06:25:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Manorit Chawdhry X-Patchwork-Id: 1846285 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=ti.com header.i=@ti.com header.a=rsa-sha256 header.s=ti-com-17Q1 header.b=hgkTi26L; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4S52qP2P8Pz1yqN for ; Wed, 11 Oct 2023 17:26:57 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 330DC86C4D; Wed, 11 Oct 2023 08:25:31 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=ti.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass 
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:55:00 +0530
Subject: [PATCH v4 3/8] binman: k3: Add k3-security.h and include it in k3-binman.dtsi
Message-ID: <20231011-binman-firewalling-v4-3-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

For readability during configuring firewalls, adding k3-security.h file
and including it in k3-binman.dtsi to be accessible across K3 SoCs.

Reviewed-by: Simon Glass
Signed-off-by: Manorit Chawdhry --- arch/arm/dts/k3-binman.dtsi | 2 ++ arch/arm/dts/k3-security.h | 58 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi index 2ea2dd18a12b..71ffa998a59f 100644 --- a/arch/arm/dts/k3-binman.dtsi +++ b/arch/arm/dts/k3-binman.dtsi @@ -3,6 +3,8 @@ * Copyright (C) 2022-2023 Texas Instruments Incorporated - https://www.ti.com/ */ +#include "k3-security.h" + / { binman: binman { multiple-images; diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h new file mode 100644 index 000000000000..33609caa8fb5 --- /dev/null +++ b/arch/arm/dts/k3-security.h 
@@ -0,0 +1,58 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) 2023 Texas Instruments Incorporated - https://www.ti.com/ + */ + +#ifndef DTS_ARM64_TI_K3_FIREWALL_H +#define DTS_ARM64_TI_K3_FIREWALL_H + +#define FWPRIVID_ALL 0xc3 +#define FWPRIVID_ARMV8 1 +#define FWPRIVID_SHIFT 16 + +#define FWCTRL_EN 0xA +#define FWCTRL_LOCK (1 << 4) +#define FWCTRL_BG (1 << 8) +#define FWCTRL_CACHE (1 << 9) + +#define FWPERM_SECURE_PRIV_WRITE (1 << 0) +#define FWPERM_SECURE_PRIV_READ (1 << 1) +#define FWPERM_SECURE_PRIV_CACHEABLE (1 << 2) +#define FWPERM_SECURE_PRIV_DEBUG (1 << 3) + +#define FWPERM_SECURE_PRIV_RWCD (FWPERM_SECURE_PRIV_READ | \ + FWPERM_SECURE_PRIV_WRITE | \ + FWPERM_SECURE_PRIV_CACHEABLE | \ + FWPERM_SECURE_PRIV_DEBUG) + +#define FWPERM_SECURE_USER_WRITE (1 << 4) +#define FWPERM_SECURE_USER_READ (1 << 5) +#define FWPERM_SECURE_USER_CACHEABLE (1 << 6) +#define FWPERM_SECURE_USER_DEBUG (1 << 7) + +#define FWPERM_SECURE_USER_RWCD (FWPERM_SECURE_USER_READ | \ + FWPERM_SECURE_USER_WRITE | \ + FWPERM_SECURE_USER_CACHEABLE | \ + FWPERM_SECURE_USER_DEBUG) + +#define FWPERM_NON_SECURE_PRIV_WRITE (1 << 8) +#define FWPERM_NON_SECURE_PRIV_READ (1 << 9) +#define FWPERM_NON_SECURE_PRIV_CACHEABLE (1 << 10) +#define FWPERM_NON_SECURE_PRIV_DEBUG (1 << 11) + +#define FWPERM_NON_SECURE_PRIV_RWCD (FWPERM_NON_SECURE_PRIV_READ | \ + FWPERM_NON_SECURE_PRIV_WRITE | \ + FWPERM_NON_SECURE_PRIV_CACHEABLE | \ + FWPERM_NON_SECURE_PRIV_DEBUG) + +#define FWPERM_NON_SECURE_USER_WRITE (1 << 12) +#define FWPERM_NON_SECURE_USER_READ (1 << 13) +#define FWPERM_NON_SECURE_USER_CACHEABLE (1 << 14) +#define FWPERM_NON_SECURE_USER_DEBUG (1 << 15) + +#define FWPERM_NON_SECURE_USER_RWCD (FWPERM_NON_SECURE_USER_READ | \ + FWPERM_NON_SECURE_USER_WRITE | \ + FWPERM_NON_SECURE_USER_CACHEABLE | \ + FWPERM_NON_SECURE_USER_DEBUG) + +#endif From patchwork Wed Oct 11 06:25:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: 
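Review bot: in the new arch/arm/dts/k3-security.h, the include guard `DTS_ARM64_TI_K3_FIREWALL_H` does not match the file name; something like `DTS_ARM_TI_K3_SECURITY_H` keeps the guard discoverable. `FWCTRL_EN 0xA` is a multi-bit field value while the neighbouring `FWCTRL_LOCK`, `FWCTRL_BG` and `FWCTRL_CACHE` are single bits; a comment that 0xA is the required enable encoding of the enable field in bits 0-3, not a flag to combine with other values in those bits, would stop someone ORing into that field. `FWPRIVID_ALL 0xc3` and `FWPRIVID_ARMV8 1` likewise deserve a one-line comment each on which initiators they denote, since the privilege ID decides whom the permission words apply to.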
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:55:01 +0530
Subject: [PATCH v4 4/8] binman: j721e: Add firewall configurations
Message-ID: <20231011-binman-firewalling-v4-4-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

The following commit adds the configuration of firewalls required to
protect the ATF and OP-TEE memory regions from non-secure reads and writes
using the master and slave firewalls present in our K3 SoCs.

Signed-off-by: Manorit Chawdhry
---
 arch/arm/dts/k3-j721e-binman.dtsi | 187 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 187 insertions(+)

diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
index 4f566c21a9af..acbec9dab421 100644
--- a/arch/arm/dts/k3-j721e-binman.dtsi
+++ b/arch/arm/dts/k3-j721e-binman.dtsi
@@ -330,6 +330,102 @@ ti-secure { content = <&atf>; keyfile = "custMpk.pem"; + auth-in-place = <0xa02>; + + firewall-257-0 { + /* cpu_0_cpu_0_msmc Background Firewall */ + id = <257>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-257-1 { + /* cpu_0_cpu_0_msmc Foreground Firewall */ + id = <257>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + firewall-284-0 { + /* dru_0_msmc Background Firewall */ + id = <284>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-284-1 { + /* dru_0_msmc Foreground Firewall */ + id = <284>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + /* firewall-4760-0 { + * nb_slv0__mem0 Background Firewall + * Already configured by the secure entity + * }; + */ + + firewall-4760-1 { + /* nb_slv0__mem0 Foreground Firewall */ + id = <4760>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 
0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + /* firewall-4761-0 { + * nb_slv1__mem0 Background Firewall + * Already configured by the secure entity + * }; + */ + + firewall-4761-1 { + /* nb_slv1__mem0 Foreground Firewall */ + id = <4761>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + }; atf: atf-bl31 { }; 
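Review bot: `auth-in-place = <0xa02>` at the top of this atf-bl31 hunk is a bare magic number with no comment, while every firewall field next to it is spelled out with named FWCTRL_*/FWPERM_*/FWPRIVID_* macros; add a comment or a define saying what 0xa02 encodes so it can be checked against the ti-secure binding. A second point on the security model: the background regions 257-0 and 284-0 (FWCTRL_BG) grant FWPRIVID_ALL secure and non-secure RWCD over the whole 0x0..0xff_ffffffff space, so the protection of the ATF range 0x70000000-0x7001ffff rests entirely on the foreground region 1 (FWPRIVID_ARMV8, secure-only) taking precedence over the background region; a one-line comment stating that priority rule, next to the existing "Background Firewall"/"Foreground Firewall" labels, would make the intent auditable without the TRM at hand. FWCTRL_LOCK on every region is the right call, as it stops later software from reopening the window.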
@@ -346,6 +442,97 @@ ti-secure { content = <&tee>; keyfile = "custMpk.pem"; + auth-in-place = <0xa02>; + + /* cpu_0_cpu_0_msmc region 0 and 1 configured + * during ATF Firewalling + */ + + firewall-257-2 { + /* cpu_0_cpu_0_msmc Foreground Firewall */ + id = <257>; + region = <2>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + /* dru_0_msmc region 0 and 1 configured + * during ATF Firewalling + */ + + firewall-284-2 { + /* dru_0_msmc Foreground Firewall */ + id = <284>; + region = <2>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-4762-0 { + /* nb_slv2__mem0 Background Firewall */ + id = <4762>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-4762-1 { + /* nb_slv2__mem0 Foreground Firewall */ + id = <4762>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-4763-0 { + /* nb_slv3__mem0 Background Firewall */ + id = <4763>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + 
FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-4763-1 { + /* nb_slv3__mem0 Foreground Firewall */ + id = <4763>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; }; tee: tee-os { };
From patchwork Wed Oct 11 06:25:02 2023
X-Patchwork-Submitter: Manorit Chawdhry X-Patchwork-Id: 1846288 X-Patchwork-Delegate: trini@ti.com
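Review bot: in the tee-os hunk above, the nb_slv2__mem0/nb_slv3__mem0 background regions (4762-0, 4763-0) are written from U-Boot with FWPRIVID_ALL and full secure + non-secure RWCD over 0x0..0xff_ffffffff, whereas the atf-bl31 hunk leaves the nb_slv0/nb_slv1 background regions to the secure entity ("Already configured by the secure entity"); add a comment explaining why these two slaves differ, because opening a background region from here is a security-policy decision and the asymmetry will otherwise read as an oversight. The "cpu_0_cpu_0_msmc region 0 and 1 configured during ATF Firewalling" comments are useful; they would be more useful still if they also said that the OP-TEE foreground region 2 (0x9e800000-0x9fffffff) depends on those region-0/1 entries having been applied first, i.e. that the atf-bl31 node must be processed before this one.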
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:55:02 +0530
Subject: [PATCH v4 5/8] binman: j721s2: Add firewall configurations
Message-ID: <20231011-binman-firewalling-v4-5-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

The following commit adds the configuration of firewalls required to
protect the ATF and OP-TEE memory regions from non-secure reads and writes
using the master and slave firewalls present in our K3 SoCs.

Signed-off-by: Manorit Chawdhry
---
 arch/arm/dts/k3-j721s2-binman.dtsi | 208 +++++++++++++++++++++++++++++++++++++
 1 file changed, 208 insertions(+)

diff --git a/arch/arm/dts/k3-j721s2-binman.dtsi b/arch/arm/dts/k3-j721s2-binman.dtsi
index 5bca4e94ecf9..4d796631ddb3 100644
--- a/arch/arm/dts/k3-j721s2-binman.dtsi
+++ b/arch/arm/dts/k3-j721s2-binman.dtsi
@@ -177,6 +177,102 @@ ti-secure { content = <&atf>; keyfile = "custMpk.pem"; + auth-in-place = <0xa02>; + + firewall-257-0 { + /* cpu_0_cpu_0_msmc Background Firewall */ + id = <257>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-257-1 { + /* cpu_0_cpu_0_msmc Foreground Firewall */ + id = <257>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + firewall-284-0 { + /* dru_0_msmc Background Firewall */ + id = <284>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-284-1 { + /* dru_0_msmc Foreground Firewall */ + id = <284>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + /* firewall-5140-0 { + * nb_slv0__mem0 Background Firewall + * Already configured by the secure entity + * }; + */ + + firewall-5140-1 { + /* nb_slv0__mem0 Foreground Firewall */ + id = <5140>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 
0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + /* firewall-5140-0 { + * nb_slv1__mem0 Background Firewall + * Already configured by the secure entity + * }; + */ + + firewall-5141-1 { + /* nb_slv1__mem0 Foreground Firewall */ + id = <5141>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + }; atf: atf-bl31 { }; 
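Review bot: the commented-out placeholder for the nb_slv1__mem0 background firewall is labelled `firewall-5140-0`, but it belongs to id 5141 (the live block directly below it is `firewall-5141-1` with `id = <5141>`, and the nb_slv0 placeholder above is already `firewall-5140-0`); rename it to `firewall-5141-0` so the comment matches, as the j721e version of this hunk does with 4760-0/4761-0. Since the rest of the node is the j721e atf-bl31 hunk with only the slave ids changed, please also confirm that 5140/5141 are the J721S2 nb_slv0/nb_slv1 firewall ids and that the cpu_0_cpu_0_msmc/dru_0_msmc ids 257/284 and the 0x70000000-0x7001ffff ATF range are unchanged on this SoC rather than carried over.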
@@ -193,6 +289,118 @@ ti-secure { content = <&tee>; keyfile = "custMpk.pem"; + auth-in-place = <0xa02>; + + firewall-257-2 { + /* cpu_0_cpu_0_msmc Foreground Firewall */ + id = <257>; + region = <2>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-284-2 { + /* dru_0_msmc Foreground Firewall */ + id = <284>; + region = <2>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-5142-0 { + /* nb_slv2__mem0 Background Firewall - 0 */ + id = <5142>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-5142-1 { + /* nb_slv2__mem0 Foreground Firewall */ + id = <5142>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-5143-0 { + /* nb_slv3__mem0 Background Firewall - 0 */ + id = <5143>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-5143-1 { + /* nb_slv3__mem0 Foreground 
Firewall */ + id = <5143>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-5144-0 { + /* nb_slv4__mem0 Background Firewall - 0 */ + id = <5144>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-5144-1 { + /* nb_slv4__mem0 Foreground Firewall */ + id = <5144>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + }; tee: tee-os { };
From patchwork Wed Oct 11 06:25:03 2023
X-Patchwork-Submitter: Manorit Chawdhry X-Patchwork-Id: 1846292 X-Patchwork-Delegate: trini@ti.com
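Review bot: the j721s2 tee-os hunk above drops the "cpu_0_cpu_0_msmc region 0 and 1 configured during ATF Firewalling" and "dru_0_msmc region 0 and 1 ..." comments that the j721e version carries, so a reader of this file alone sees `firewall-257-2`/`firewall-284-2` with no region 0 or 1 anywhere in the node and no explanation; copy those two comments over. Also the background-region comments here read "Background Firewall - 0" while the atf-bl31 hunk in the same file says "Background Firewall"; pick one form, and consider adding a note on 5142-0/5143-0/5144-0 saying why these slaves, unlike nb_slv0/nb_slv1, need U-Boot to open the background region.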
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:55:03 +0530
Subject: [PATCH v4 6/8] binman: j7200: Add firewall configurations
Message-ID: <20231011-binman-firewalling-v4-6-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

The following commit adds the configuration of firewalls required to
protect the ATF and OP-TEE memory regions from non-secure reads and writes
using the master and slave firewalls present in our K3 SoCs.

Signed-off-by: Manorit Chawdhry
---
 arch/arm/dts/k3-j7200-binman.dtsi | 143 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)

diff --git a/arch/arm/dts/k3-j7200-binman.dtsi b/arch/arm/dts/k3-j7200-binman.dtsi
index 14f7dea65ee3..246f15c2dd5d 100644
--- a/arch/arm/dts/k3-j7200-binman.dtsi
+++ b/arch/arm/dts/k3-j7200-binman.dtsi
@@ -214,6 +214,74 @@ ti-secure { content = <&atf>; keyfile = "custMpk.pem"; + auth-in-place = <0xa02>; + + firewall-257-0 { + /* cpu_0_cpu_0_msmc Background Firewall */ + id = <257>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-257-1 { + /* cpu_0_cpu_0_msmc Foreground Firewall */ + id = <257>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + /* firewall-4760-0 { + * nb_slv0__mem0 Background Firewall + * Already configured by the secure entity + * }; + */ + + firewall-4760-1 { + /* nb_slv0__mem0 Foreground Firewall */ + id = <4760>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + + /* firewall-4761-0 { + * nb_slv1__mem0 Background Firewall + * Already configured by the secure entity + * }; + */ + + firewall-4761-1 { + /* nb_slv1__mem0 Foreground Firewall */ + id = <4761>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x70000000>; + end_address = <0x0 0x7001ffff>; + }; + }; atf: atf-bl31 { }; 
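Review bot: this j7200 atf-bl31 node programs no dru_0_msmc (id 284) regions, while the j721e and j721s2 versions of the same hunk program 284-0/284-1 alongside 257-0/257-1; if J7200 has no DRU master in front of MSMC that is correct, but a comment in the style of the "Already configured by the secure entity" placeholders used for 4760-0/4761-0 would record the reason and save the next reader from checking whether a master was missed. More generally, the three per-SoC nodes are the same text with the slave ids swapped, which is how the mislabelled `firewall-5140-0` placeholder in the j721s2 hunk crept in; a shared .dtsi fragment for the common cpu_0_cpu_0_msmc 0x70000000-0x7001ffff configuration, included by each board file, would remove that drift.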
@@ -230,6 +298,81 @@ ti-secure { content = <&tee>; keyfile = "custMpk.pem"; + auth-in-place = <0xa02>; + + /* cpu_0_cpu_0_msmc region 0 and 1 configured + * during ATF Firewalling + */ + + firewall-257-2 { + /* cpu_0_cpu_0_msmc Foreground Firewall */ + id = <257>; + region = <2>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-4762-0 { + /* nb_slv2__mem0 Background Firewall - 0 */ + id = <4762>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-4762-1 { + /* nb_slv2__mem0 Foreground Firewall */ + id = <4762>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + + firewall-4763-0 { + /* nb_slv3__mem0 Background Firewall - 0 */ + id = <4763>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-4763-1 { + /* nb_slv3__mem0 Foreground Firewall */ + id = <4763>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + 
end_address = <0x0 0x9fffffff>; + }; + }; tee: tee-os { };
From patchwork Wed Oct 11 06:25:04 2023
X-Patchwork-Submitter: Manorit Chawdhry X-Patchwork-Id: 1846291 X-Patchwork-Delegate: trini@ti.com
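Review bot: in the j7200 tee-os hunk above, the 4762-0/4763-0 comments say "Background Firewall - 0" while the atf-bl31 hunk in this file uses plain "Background Firewall" (and the j721e file uses the plain form in both nodes); normalise the comment text across the series. The "cpu_0_cpu_0_msmc region 0 and 1 configured during ATF Firewalling" note is present here, which is good; consistent with the missing 284 regions in the ATF node there is no `firewall-284-2` either, so the same "no DRU on this SoC" comment requested for the atf-bl31 hunk would cover this node too.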
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:55:04 +0530
Subject: [PATCH v4 7/8] docs: k3: Cleanup FIT signature documentation
Message-ID: <20231011-binman-firewalling-v4-7-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

The previous documentation had been very crude, so refactor it to make it
cleaner and more concise.

Signed-off-by: Manorit Chawdhry
---
 doc/board/ti/k3.rst | 271 +++++++++++++++++++++++++++++++++-------------------
 1 file changed, 172 insertions(+), 99 deletions(-)

diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
index 8b5c1a88ed0f..c68cfd70caed 100644
--- a/doc/board/ti/k3.rst
+++ b/doc/board/ti/k3.rst
@@ -245,6 +245,8 @@ Building tiboot3.bin the final `tiboot3.bin` binary. (or the `sysfw.itb` if your device uses the split binary flow) +.. _k3_rst_include_start_build_steps_spl_r5: + .. k3_rst_include_start_build_steps_spl_r5 .. prompt:: bash
@@ -309,6 +311,8 @@ use the `lite` option. finished, we can jump back into U-Boot again, this time running on a 64bit core in the main domain. +.. _k3_rst_include_start_build_steps_uboot: + .. k3_rst_include_start_build_steps_uboot .. prompt:: bash 
@@ -327,144 +331,213 @@ wakeup and main domain and to boot to the U-Boot prompt | `tispl.bin` for HS devices or `tispl.bin_unsigned` for GP devices | `u-boot.img` for HS devices or `u-boot.img_unsigned` for GP devices -Fit Signature Signing +FIT signature signing --------------------- -K3 Platforms have fit signature signing enabled by default on their primary -platforms. Here we'll take an example for creating fit image for J721e platform +K3 platforms have FIT signature signing enabled by default on their primary +platforms. Here we'll take an example for creating FIT Image for J721E platform and the same can be extended to other platforms -1. Describing FIT source +Pre-requisites: - .. code-block:: bash +* U-boot build (:ref:`U-boot build `) +* Linux Image and Linux DTB prebuilt + +Describing FIT source +^^^^^^^^^^^^^^^^^^^^^ + +FIT Image is a packed structure containing binary blobs and configurations. +The Kernel FIT Image that we have has Kernel Image, DTB and the DTBOs. It +supports packing multiple images and configurations that allow you to +choose any configuration at runtime to boot from. + +.. code-block:: /dts-v1/; / { - description = "Kernel fitImage for j721e-hs-evm"; - #address-cells = <1>; - - images { - kernel-1 { - description = "Linux kernel"; - data = /incbin/("Image"); - type = "kernel"; - arch = "arm64"; - os = "linux"; - compression = "none"; - load = <0x80080000>; - entry = <0x80080000>; - hash-1 { - algo = "sha512"; - }; - - }; - fdt-ti_k3-j721e-common-proc-board.dtb { - description = "Flattened Device Tree blob"; - data = /incbin/("k3-j721e-common-proc-board.dtb"); - type = "flat_dt"; - arch = "arm64"; - compression = "none"; - load = <0x83000000>; - hash-1 { - algo = "sha512"; - }; - - }; + description = "FIT Image description"; + #address-cells = <1>; + + images { + [image-1] + [image-2] + [fdt-1] + [fdt-2] + } + + configurations { + default = + [conf-1: image-1,fdt-1] + [conf-2: image-2,fdt-1] + } + } + +* Sample Images + +.. 
code-block:: + + kernel-1 { + description = "Linux kernel"; + data = /incbin/("linux.bin"); + type = "kernel"; + arch = "arm64"; + os = "linux"; + compression = "gzip"; + load = <0x81000000>; + entry = <0x81000000>; + hash-1 { + algo = "sha512"; }; - - configurations { - default = "conf-ti_k3-j721e-common-proc-board.dtb"; - conf-ti_k3-j721e-common-proc-board.dtb { - description = "Linux kernel, FDT blob"; - fdt = "fdt-ti_k3-j721e-common-proc-board.dtb"; - kernel = "kernel-1"; - signature-1 { - algo = "sha512,rsa4096"; - key-name-hint = "custMpk"; - sign-images = "kernel", "fdt"; - }; - }; + }; + fdt-ti_k3-j721e-common-proc-board.dtb { + description = "Flattened Device Tree blob"; + data = /incbin/("arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dtb"); + type = "flat_dt"; + arch = "arm64"; + compression = "none"; + load = <0x83000000>; + hash-1 { + algo = "sha512"; + }; + }; + # Optional images + fdt-ti_k3-j721e-evm-virt-mac-client.dtbo { + description = "Flattened Device Tree blob"; + data = /incbin/("arch/arm64/boot/dts/ti/k3-j721e-evm-virt-mac-client.dtbo"); + type = "flat_dt"; + arch = "arm64"; + compression = "none"; + load = <0x83080000>; + hash-1 { + algo = "sha512"; }; }; - You would require to change the '/incbin/' lines to point to the respective - files in your local machine and the key-name-hint also needs to be changed - if you are using some other key other than the TI dummy key that we are - using for this example. +.. note:: + + Change the path in data variables to point to the respective files in your + local machine. For e.g change "linux.bin" to "". + +For enabling usage of FIT signature, add the signature node to the +corresponding configuration node as follows. -2. Compile U-boot for the respective board +* Sample Configurations -.. include:: k3.rst - :start-after: .. k3_rst_include_start_build_steps_uboot - :end-before: .. k3_rst_include_end_build_steps_uboot +.. 
code-block:: + + conf-ti_k3-j721e-common-proc-board.dtb { + description = "Linux kernel, FDT blob"; + fdt = "fdt-ti_k3-j721e-common-proc-board.dtb"; + kernel = "kernel-1"; + signature-1 { + algo = "sha512,rsa4096"; + key-name-hint = "custMpk"; + sign-images = "kernel", "fdt"; + }; + }; + # Optional configurations + conf-ti_k3-j721e-evm-virt-mac-client.dtbo { + description = "FDTO blob"; + fdt = "fdt-ti_k3-j721e-evm-virt-mac-client.dtbo"; + + signature-1 { + algo = "sha512,rsa4096"; + key-name-hint = "custMpk"; + sign-images = "fdt"; + }; + }; + +Specify all images you need the signature to authenticate as a part of +sign-images. The key-name-hint needs to be changed if you are using some +other key other than the TI dummy key that we are using for this example. +It should be the name of the file containing the keys. .. note:: - The changes only affect a72 binaries so the example just builds that + Generating new set of keys: -3. Sign the fit image and embed the dtb in uboot + .. prompt:: bash - Now once the build is done, you'll have a dtb for your board that you'll - be passing to mkimage for signing the fitImage and embedding the key in - the u-boot dtb. + mkdir keys + openssl genpkey -algorithm RSA -out keys/dev.key \ + -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537 + openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt - .. prompt:: bash - mkimage -r -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K - $UBOOT_PATH/build/a72/dts/dt.dtb +Generating the fitImage +^^^^^^^^^^^^^^^^^^^^^^^ - For signing a secondary platform, pass the -K parameter to that DTB +.. note:: - .. prompt:: bash + For signing a secondary platform like SK boards, you'll require + additional steps - mkimage -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K - $UBOOT_PATH/build/a72/arch/arm/dts/k3-j721e-sk.dtb + - Change the CONFIG_DEFAULT_DEVICE_TREE - .. 
note:: + For e.g - If changing `CONFIG_DEFAULT_DEVICE_TREE` to the secondary platform, - binman changes would also be required so that correct dtb gets packaged. + .. code-block:: - .. code-block:: bash + diff --git a/configs/j721e_evm_a72_defconfig b/configs/j721e_evm_a72_defconfig + index a5c1df7e0054..6d0126d955ef 100644 + --- a/configs/j721e_evm_a72_defconfig + +++ b/configs/j721e_evm_a72_defconfig + @@ -13,7 +13,7 @@ CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x80480000 + CONFIG_ENV_SIZE=0x20000 + CONFIG_DM_GPIO=y + CONFIG_SPL_DM_SPI=y + -CONFIG_DEFAULT_DEVICE_TREE="k3-j721e-common-proc-board" + +CONFIG_DEFAULT_DEVICE_TREE="k3-j721e-sk" + CONFIG_SPL_TEXT_BASE=0x80080000 + CONFIG_DM_RESET=y + CONFIG_SPL_MMC=y - diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi - index 673be646b1e3..752fa805fe8d 100644 - --- a/arch/arm/dts/k3-j721e-binman.dtsi - +++ b/arch/arm/dts/k3-j721e-binman.dtsi - @@ -299,8 +299,8 @@ - #define SPL_J721E_SK_DTB "spl/dts/k3-j721e-sk.dtb" + - Change the binman nodes to package u-boot.dtb for the correct set of platform - #define UBOOT_NODTB "u-boot-nodtb.bin" - -#define J721E_EVM_DTB "u-boot.dtb" - -#define J721E_SK_DTB "arch/arm/dts/k3-j721e-sk.dtb" - +#define J721E_EVM_DTB "arch/arm/dts/k3-j721e-common-proc-board.dtb" - +#define J721E_SK_DTB "u-boot.dtb" + For e.g -5. Rebuilt u-boot + .. code-block:: - This is required so that the modified dtb gets updated in u-boot.img + diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi + index 673be646b1e3..752fa805fe8d 100644 + --- a/arch/arm/dts/k3-j721e-binman.dtsi + +++ b/arch/arm/dts/k3-j721e-binman.dtsi + 
@@ -299,8 +299,8 @@ + #define SPL_J721E_SK_DTB "spl/dts/k3-j721e-sk.dtb" -.. include:: k3.rst - :start-after: .. k3_rst_include_start_build_steps_uboot - :end-before: .. k3_rst_include_end_build_steps_uboot + #define UBOOT_NODTB "u-boot-nodtb.bin" + -#define J721E_EVM_DTB "u-boot.dtb" + -#define J721E_SK_DTB "arch/arm/dts/k3-j721e-sk.dtb" + +#define J721E_EVM_DTB "arch/arm/dts/k3-j721e-common-proc-board.dtb" + +#define J721E_SK_DTB "u-boot.dtb" + +This step will embed the public key in the u-boot.dtb file that was already +built during the initial u-boot build. + +.. prompt:: bash + + mkimage -r -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K $UBOOT_PATH/build/$ARMV8/dts/dt.dtb fitImage + +.. note:: -6. (Optional) Enabled FIT_SIGNATURE_ENFORCED + If you have another set of keys then change the -k argument to point to + the folder where your keys are present, the build requires the presence + of both .key and .crt file. - By default u-boot will boot up the fit image without any authentication as - such if the public key is not embedded properly, to check if the public key - nodes are proper you can enable FIT_SIGNATURE_ENFORCED that would not rely - on the dtb for anything else then the signature node for checking the fit - image, rest other things will be enforced such as the property of - required-keys. This is not an extensive check so do manual checks also +Build u-boot again +^^^^^^^^^^^^^^^^^^ - This is by default enabled for devices with TI_SECURE_DEVICE enabled. +The updated u-boot.dtb needs to be packed in u-boot.img for authentication +so rebuild U-boot ARMV8 without changing any parameters. +Refer (:ref:`U-boot ARMV8 build `) .. note:: - The devices now also have distroboot enabled so if the fit image doesn't - work then the fallback to normal distroboot will be there on hs devices, - this will need to be explicitly disabled by changing the boot_targets. 
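Review bot: the rewrite keeps `-r` in the signing command (`mkimage -r -f fitImage.its -k $UBOOT_PATH/board/ti/keys -K $UBOOT_PATH/build/$ARMV8/dts/dt.dtb fitImage`) but drops every sentence that explained what it is for, including the removed "(Optional) Enabled FIT_SIGNATURE_ENFORCED" text and the statement that this is enabled by default with TI_SECURE_DEVICE. Add one sentence next to the command saying that `-r` marks the embedded public key as required, so a FIT that lacks a valid signature from that key is refused instead of booted; a reader who omits `-r` otherwise ends up with an image that looks signed but is never enforced. For the same reason the closing note understates the distroboot fallback: it says the fallback on HS devices should be disabled via boot_targets "during testing", but that fallback is a boot path that never passes through the FIT signature check, so it must be disabled on any device that relies on FIT authentication, not only while testing. Two smaller points in the same hunk: the :ref: targets in "Pre-requisites" and "Build u-boot again" render empty here and should name the label this series adds (`k3_rst_include_start_build_steps_uboot`), and the "Generating new set of keys" note should say outright that key-name-hint is the basename of the generated pair (keys/dev.key and keys/dev.crt give key-name-hint = "dev"), since the text already requires both the .key and .crt file under the `-k` directory.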
+ The devices now also have distroboot enabled so if the FIT image doesn't + work then the fallback to normal distroboot will be there on HS devices. + This will need to be explicitly disabled by changing the boot_targets to + disallow fallback during testing. Saving environment ------------------

From patchwork Wed Oct 11 06:25:05 2023
X-Patchwork-Submitter: Manorit Chawdhry
X-Patchwork-Id: 1846290
X-Patchwork-Delegate: trini@ti.com
From: Manorit Chawdhry
Date: Wed, 11 Oct 2023 11:55:05 +0530
Subject: [PATCH v4 8/8] docs: k3: Add secure booting documentation
Message-ID: <20231011-binman-firewalling-v4-8-a08085d300e9@ti.com>
References: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
In-Reply-To: <20231011-binman-firewalling-v4-0-a08085d300e9@ti.com>
To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis, Vignesh Raghavendra
CC: Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon, Manorit Chawdhry

This commit adds a general flow to explain the usage of firewalls and the chain of trust in K3 devices.

Signed-off-by: Manorit Chawdhry
---
 doc/board/ti/k3.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
index c68cfd70caed..510dca7c78e3 100644
--- a/doc/board/ti/k3.rst
+++ b/doc/board/ti/k3.rst
@@ -101,6 +101,51 @@ firmware can be loaded on the now free core in the wakeup domain. For more information on the bootup process of your SoC, consult the device specific boot flow documentation. +Secure Boot +^^^^^^^^^^^ + +K3 HS-SE devices are used for authenticated boot flow with secure boot. +HS-FS devices have optional authentication in the flow and doesn't "require" +authentication unless converted to HS-SE devices. + +Chain of trust +"""""""""""""" + +1) SMS starts up and loads the authenticated ROM code in Wakeup Domain +2) ROM code starts up and loads the authenticated tiboot3.bin in Wakeup + Domain +3) Wakeup SPL (tiboot3.bin) would authenticate the next set of binaries + (ATF,OP-TEE,DM,SPL,etc.) +4) After ATF and OP-TEE load, ARMV8 U-boot authenticates the next set of + binaries (Linux and DTBs) if using FIT Image authentication and having a + signature node in U-boot. + +Steps 1-3 are all authenticated by either the ROM code or TIFS as the +authenticating entity and step 4 uses U-boot standard mechanism for +authenticating. + +All the authentication that are done for ROM/TIFS are done through x509 +certificates that are signed. + +Firewalls +""""""""" + +1) ROM comes up and sets up firewalls that are needed by itself +2) TIFS (in multicertificate will setup it's own firewalls) +3) R5 SPL comes along and opens up other firewalls ( that are not owned by + anyone - essentially firewalls that were setup by ROM but are not needed + anymore) +4) Each stage beyond this: such as tispl.bin containing TFA/OPTEE uses OIDs to + set up firewalls to protect themselves (enforced by TIFS) +5) TFA/OP-TEE can configure other firewalls at runtime if required as they + are already authenticated and firewalled off from illegal access. +6) A53 SPL and U-boot itself startups but has no ability to change the + protection firewalls enforced by x509 OIDs or any other firewalls + configured by ROM/TIFS in the beginning. 
+ +Futhur, firewalls have a lockdown bit in hardware that enforces the setting +(and cannot be over-ridden) till the full system is resetted. + Software Sources ----------------
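Review bot: step 3 of "Chain of trust" says the Wakeup SPL (tiboot3.bin) "would authenticate the next set of binaries", but the paragraph after the list says steps 1-3 are authenticated by either ROM or TIFS; the two disagree about who the verifier is. State explicitly that R5 SPL loads the next images (ATF, OP-TEE, DM, SPL) and hands their certificates to TIFS for verification, so SPL is not itself a trust anchor, which also matches "Firewalls" item 4 ("enforced by TIFS"). Step 4 should likewise tie back to the FIT signature section: U-Boot only refuses an unsigned or wrongly signed FIT when the public key is embedded as required (the `mkimage -r` step), not merely when "a signature node" is present. Wording in the same hunk: "Futhur" -> "Further", "resetted" -> "reset", "HS-FS devices ... doesn't" -> "don't", "it's own firewalls" -> "its own firewalls", and the parenthetical in Firewalls item 2, "(in multicertificate will setup it's own firewalls)", needs a full sentence, e.g. "TIFS (from the multicertificate image) sets up its own firewalls".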