The following commits adds the configuration of firewalls required to protect ATF and OP-TEE memory region from non-secure reads and writes using master and slave firewalls present in our K3 SOCs.
Signed-off-by: Manorit Chawdhry m-chawdhry@ti.com --- arch/arm/dts/k3-am625-sk-binman.dtsi | 49 ++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+)
diff --git a/arch/arm/dts/k3-am625-sk-binman.dtsi b/arch/arm/dts/k3-am625-sk-binman.dtsi index 41277bf4bfdb..bb5341aaae8e 100644 --- a/arch/arm/dts/k3-am625-sk-binman.dtsi +++ b/arch/arm/dts/k3-am625-sk-binman.dtsi @@ -175,6 +175,36 @@ ti-secure { content = <&atf>; keyfile = "custMpk.pem"; + auth_in_place = <0xa02>; + + firewall-1-0 { + /* sdram Background Firewall - 0 */ + id = <1>; + region = <0>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_BG | FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD | + FWPERM_NON_SECURE_PRIV_RWCD | + FWPERM_NON_SECURE_USER_RWCD)>; + start_address = <0x0 0x0>; + end_address = <0xff 0xffffffff>; + }; + + firewall-1-1 { + /* sdram Foreground Firewall */ + id = <1>; + region = <1>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e780000>; + end_address = <0x0 0x9e7fffff>; + }; + }; atf: atf-bl31 { }; @@ -191,8 +221,27 @@ ti-secure { content = <&tee>; keyfile = "custMpk.pem"; + auth_in_place = <0xa02>; + + /* sdram region 0 and 1 configured during + ATF Firewalling */ + + firewall-1-2 { + /* sdram Foreground Firewall */ + id = <1>; + region = <2>; + control = <(FWCTRL_EN | FWCTRL_LOCK | + FWCTRL_CACHE)>; + permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) | + FWPERM_SECURE_PRIV_RWCD | + FWPERM_SECURE_USER_RWCD)>; + start_address = <0x0 0x9e800000>; + end_address = <0x0 0x9fffffff>; + }; + }; tee: tee-os { + }; };