On 30/04/2026 at 19:28, Andrew Davis wrote:
On 4/30/26 3:44 AM, Richard Genoud (TI) wrote:
From: Prasanth Babu Mantena <[email protected]>

Extend the access to SRAM region of ATF to TIFS as well. This is
needed for TIFS for encryption and decryption of ATF as a part of
low power mode sequence. TIFS encrypts the ATF while entering into
low power mode and decrypts it back while resuming back.
So, giving permissions for TIFS to access this region.

Signed-off-by: Prasanth Babu Mantena <[email protected]>
---
  arch/arm/dts/k3-binman.dtsi       | 18 ++++++++++++++++--
  arch/arm/dts/k3-j7200-binman.dtsi |  4 ++--
  arch/arm/dts/k3-security.h        |  1 +
  3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
index 0fd93f9536a2..4ffd8ec9e1c1 100644
--- a/arch/arm/dts/k3-binman.dtsi
+++ b/arch/arm/dts/k3-binman.dtsi
@@ -479,7 +479,21 @@
          start_address = <0x0 CONFIG_K3_ATF_LOAD_ADDR>;
          end_address = <0x0 (CONFIG_K3_ATF_LOAD_ADDR + 0x1ffff)>;
      };
-    firewall_armv8_optee_fg: template-8 {
+    firewall_armv8_atf_tifs_fg: template-8 {
+        control = <(FWCTRL_EN | FWCTRL_LOCK |
+                    FWCTRL_CACHE)>;
+        permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+                        FWPERM_SECURE_PRIV_RWCD |
+                        FWPERM_SECURE_USER_RWCD)>,
+                    <((FWPRIVID_TIFS << FWPRIVID_SHIFT) |
+                        FWPERM_SECURE_PRIV_RWCD |
+                        FWPERM_SECURE_USER_RWCD |
+                        FWPERM_NON_SECURE_PRIV_RWCD |
+                        FWPERM_NON_SECURE_USER_RWCD)>;
+        start_address = <0x0 0x70000000>;

Should this be using CONFIG_K3_ATF_LOAD_ADDR like the other templates?

Yes definitely.


Might be easier to just update the existing `firewall_armv8_atf_fg`
template to also always allow TIFS. TIFS is the security root and
if it really wanted to it could just update firewalls to let itself
in, not like anything is really protected from TIFS to begin with.
(if we are not locking the firewalls that is)

Indeed, I'll change that.

Thanks!


Andrew

+        end_address = <0x0 0x7001ffff>;
+    };
+    firewall_armv8_optee_fg: template-9 {
          control = <(FWCTRL_EN | FWCTRL_LOCK |
                      FWCTRL_CACHE)>;
          permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
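Review bot: the TIFS entry in `permissions` of `firewall_armv8_atf_tifs_fg` grants `FWPERM_NON_SECURE_PRIV_RWCD` and `FWPERM_NON_SECURE_USER_RWCD` on top of the secure permissions, while the ARMv8 entry for the same region is secure-only and the commit message only says TIFS needs the region to encrypt and decrypt ATF. Either drop the two non-secure flags or explain in the commit message why the TIFS priv-id needs non-secure access to the ATF SRAM. The literal `0x70000000` / `0x7001ffff` bounds should also be derived from `CONFIG_K3_ATF_LOAD_ADDR`, as the template just above does, so the firewalled region cannot drift from where ATF is actually loaded.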
@@ -489,7 +503,7 @@
          end_address = <0x0 (CONFIG_K3_OPTEE_LOAD_ADDR + 0x17fffff)>;
      };
-    ti_falcon_template: template-9 {
+    ti_falcon_template: template-10 {
          filename = "tifalcon.bin";
          pad-byte = <0xff>;
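Review bot: the rename of `ti_falcon_template` to `template-10` here, like the rename of `firewall_armv8_optee_fg` to `template-9` in the previous hunk, is churn caused only by inserting the new node in the middle of the list. Giving the new template an unused `template-N` name after the existing ones, or extending the existing ATF template as suggested in the thread, leaves the existing node names untouched and keeps the diff to the actual permission change.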
diff --git a/arch/arm/dts/k3-j7200-binman.dtsi b/arch/arm/dts/k3- j7200-binman.dtsi
index c2b86339d593..68ce4aa0ff12 100644
--- a/arch/arm/dts/k3-j7200-binman.dtsi
+++ b/arch/arm/dts/k3-j7200-binman.dtsi
@@ -259,7 +259,7 @@
                          firewall-4760-1 {
                              /* nb_slv0__mem0 Foreground Firewall */
-                            insert-template = <&firewall_armv8_atf_fg>;
+                            insert-template = <&firewall_armv8_atf_tifs_fg>;
                              id = <4760>;
                              region = <1>;
                          };
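Review bot: only the J7200 foreground firewalls (4760 here, 4761 in the next hunk) are switched to `firewall_armv8_atf_tifs_fg`, but the commit message describes the TIFS access generically. Please say in the subject or message that the change applies to J7200, and whether any other K3 file that still inserts `firewall_armv8_atf_fg` needs the same change for its low power mode sequence.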
@@ -272,7 +272,7 @@
                          firewall-4761-1 {
                              /* nb_slv1__mem0 Foreground Firewall */
-                            insert-template = <&firewall_armv8_atf_fg>;
+                            insert-template = <&firewall_armv8_atf_tifs_fg>;
                              id = <4761>;
                              region = <1>;
                          };
diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h
index 33609caa8fb5..3e066bca6ad7 100644
--- a/arch/arm/dts/k3-security.h
+++ b/arch/arm/dts/k3-security.h
@@ -7,6 +7,7 @@
  #define DTS_ARM64_TI_K3_FIREWALL_H
  #define FWPRIVID_ALL    0xc3
+#define FWPRIVID_TIFS   0xca
  #define FWPRIVID_ARMV8  1
  #define FWPRIVID_SHIFT  16
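Review bot: `FWPRIVID_TIFS 0xca` is added with no indication of where the value comes from. A one-line comment naming the source of the TIFS priv-id would let a reader check it, which matters for a constant that ends up in a firewall `permissions` word alongside `FWCTRL_LOCK`.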

