From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-yb0-x242.google.com (mail-yb0-x242.google.com [IPv6:2607:f8b0:4002:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 4E7A681E9C for ; Fri, 20 Jan 2017 03:41:00 -0800 (PST) Received: by mail-yb0-x242.google.com with SMTP id 123so6675679ybe.0 for ; Fri, 20 Jan 2017 03:41:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=2XnykjSGN8gOisFZkMrzP/J1PZLWMHZ+Bd+BAF/fMlg=; b=E5EWM6X4iiyHzX4IUKRl7txKs8Cm9a38ch25kXbjHpk0Ogjr6vzj1grVIS/02UOH/A zqwlcEGElxAnDHYhycdJ2LRG1duDg1XQz2FnXmeCmYEzHR269gyiKxuufGsiAPD3GWen NizbkmXxeAZRx1HalZPGPsTqgmCkNax5X7Z8yr5iozIvb9nRp5ItPFRlRHTuqAYwBD0X Y0tWHWPhxOP2LshyQa4qrjYQXusP56Xv+2vTFG3FAPLRSwcKNMBVfbh/XoNTCqNhp8Qc w7iXZ1TR4nE08+SOanUPUv8DRcsgjsdEGhXd4ExYdAVBqAiXf/rid6/5P0xKkuvs2cN3 hNyg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=2XnykjSGN8gOisFZkMrzP/J1PZLWMHZ+Bd+BAF/fMlg=; b=aOQuA8v5cConDmyRzLlSaeRMD+KRiiZ9XoDeJiRrnkO0fG654aBjVlZ91lYJG3YYD5 2QQiF4w96ZBwBWwY1AtK1jN7V7fIiJVNND/yYfVmiwni8xC3z7TozfuH6G5Q7Wcmy51I o9wXfC8y4ar+Kh2pHfueCrvUCW1DlYRdzsH9K5NbO9PGw2uJWue0Fe5YZfm38+7Ot5qM o3nZyjzSSkBXBuKWo6NWMPvQ3bpwRI0iFjZjV4HCXJA4ub1FQi9kK6TlW9tWIl215KpY co7N/qyrcRsFXMfBfFZ2q8pIC9Il5TFzkQVHG1D0LMaVKWlkFJRirurrMW62I1obzTJK gnxg== X-Gm-Message-State: AIkVDXKtH3owc18+I4WjONsEZY9g9DdNPW57cepttUHq8OMaA7Q2y2tIqsAWnzr3ze67Cg== X-Received: by 10.237.49.225 with SMTP id 88mr11561442qth.120.1484912459302; Fri, 20 Jan 2017 03:40:59 -0800 (PST) Received: from dhcppc2.redhat.com ([122.177.103.227]) by smtp.gmail.com with ESMTPSA id s71sm5679540qkl.22.2017.01.20.03.40.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 20 Jan 2017 03:40:58 -0800 (PST) From: Bhupesh Sharma To: edk2-devel@lists.01.org Cc: bhupesh.linux@gmail.com, Leif Lindholm , Ard Biesheuvel Date: Fri, 20 Jan 2017 17:10:45 +0530 Message-Id: <1484912445-23625-1-git-send-email-bhupesh.linux@gmail.com> X-Mailer: git-send-email 2.7.4 Subject: [PATCH V3 1/1] ArmPlatformPkg/TZASC: Allow specifying subregions to be disabled X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jan 2017 11:41:00 -0000 ARM TZASC-380 IP provides a mechanism to split memory regions being protected via it into eight equal-sized sub-regions. A bit-setting allows the corresponding subregion to be disabled. Several NXP/FSL SoCs support the TZASC-380 IP block and allow the DDR connected via the TZASC to be partitioned into regions having different security settings and also allow subregions to be disabled. This patch enables this support and can be used for SoCs which support such a partition of DDR regions. Details of the 'subregion_disable' register can be viewed here: http://infocenter.arm.com/help/topic/com.arm.doc.ddi0431c/CHDIGDCI.html Cc: Leif Lindholm Cc: Ard Biesheuvel Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Bhupesh Sharma [bhupesh.linux@gmail.com : Added my gmail ID as the NXP one is no longer valid] Signed-off-by: Bhupesh Sharma --- Changes from v2: - Added more descriptive arrays as suggested by Leif .../Library/ArmVExpressSecLibCTA9x4/CTA9x4Sec.c | 14 +++++++------- ArmPlatformPkg/Drivers/ArmTrustZone/ArmTrustZone.c | 13 ++++++++++--- ArmPlatformPkg/Include/Drivers/ArmTrustzone.h | 19 ++++++++++++++++++- 3 files changed, 35 insertions(+), 11 deletions(-) diff --git a/ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSecLibCTA9x4/CTA9x4Sec.c b/ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSecLibCTA9x4/CTA9x4Sec.c index 6fa0774f59f8..42d731ea98c9 100644 --- a/ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSecLibCTA9x4/CTA9x4Sec.c +++ b/ArmPlatformPkg/ArmVExpressPkg/Library/ArmVExpressSecLibCTA9x4/CTA9x4Sec.c @@ -72,18 +72,18 @@ ArmPlatformSecTrustzoneInit ( // NOR Flash 0 non secure (BootMon) TZASCSetRegion(ARM_VE_TZASC_BASE,1,TZASC_REGION_ENABLED, ARM_VE_SMB_NOR0_BASE,0, - TZASC_REGION_SIZE_64MB, TZASC_REGION_SECURITY_NSRW); + TZASC_REGION_SIZE_64MB, TZASC_REGION_SECURITY_NSRW, 0); // NOR Flash 1. The first half of the NOR Flash1 must be secure for the secure firmware (sec_uefi.bin) if (PcdGetBool (PcdTrustzoneSupport) == TRUE) { //Note: Your OS Kernel must be aware of the secure regions before to enable this region TZASCSetRegion(ARM_VE_TZASC_BASE,2,TZASC_REGION_ENABLED, ARM_VE_SMB_NOR1_BASE + SIZE_32MB,0, - TZASC_REGION_SIZE_32MB, TZASC_REGION_SECURITY_NSRW); + TZASC_REGION_SIZE_32MB, TZASC_REGION_SECURITY_NSRW, 0); } else { TZASCSetRegion(ARM_VE_TZASC_BASE,2,TZASC_REGION_ENABLED, ARM_VE_SMB_NOR1_BASE,0, - TZASC_REGION_SIZE_64MB, TZASC_REGION_SECURITY_NSRW); + TZASC_REGION_SIZE_64MB, TZASC_REGION_SECURITY_NSRW, 0); } // Base of SRAM. Only half of SRAM in Non Secure world @@ -92,22 +92,22 @@ ArmPlatformSecTrustzoneInit ( //Note: Your OS Kernel must be aware of the secure regions before to enable this region TZASCSetRegion(ARM_VE_TZASC_BASE,3,TZASC_REGION_ENABLED, ARM_VE_SMB_SRAM_BASE,0, - TZASC_REGION_SIZE_16MB, TZASC_REGION_SECURITY_NSRW); + TZASC_REGION_SIZE_16MB, TZASC_REGION_SECURITY_NSRW, 0); } else { TZASCSetRegion(ARM_VE_TZASC_BASE,3,TZASC_REGION_ENABLED, ARM_VE_SMB_SRAM_BASE,0, - TZASC_REGION_SIZE_32MB, TZASC_REGION_SECURITY_NSRW); + TZASC_REGION_SIZE_32MB, TZASC_REGION_SECURITY_NSRW, 0); } // Memory Mapped Peripherals. All in non secure world TZASCSetRegion(ARM_VE_TZASC_BASE,4,TZASC_REGION_ENABLED, ARM_VE_SMB_PERIPH_BASE,0, - TZASC_REGION_SIZE_64MB, TZASC_REGION_SECURITY_NSRW); + TZASC_REGION_SIZE_64MB, TZASC_REGION_SECURITY_NSRW, 0); // MotherBoard Peripherals and On-chip peripherals. TZASCSetRegion(ARM_VE_TZASC_BASE,5,TZASC_REGION_ENABLED, ARM_VE_SMB_MB_ON_CHIP_PERIPH_BASE,0, - TZASC_REGION_SIZE_256MB, TZASC_REGION_SECURITY_NSRW); + TZASC_REGION_SIZE_256MB, TZASC_REGION_SECURITY_NSRW, 0); } /** diff --git a/ArmPlatformPkg/Drivers/ArmTrustZone/ArmTrustZone.c b/ArmPlatformPkg/Drivers/ArmTrustZone/ArmTrustZone.c index 070c0dcb5d4d..1f002198e552 100644 --- a/ArmPlatformPkg/Drivers/ArmTrustZone/ArmTrustZone.c +++ b/ArmPlatformPkg/Drivers/ArmTrustZone/ArmTrustZone.c @@ -87,20 +87,27 @@ TZASCSetRegion ( IN UINTN LowAddress, IN UINTN HighAddress, IN UINTN Size, - IN UINTN Security + IN UINTN Security, + IN UINTN SubregionDisableMask ) { UINT32* Region; + UINT32 RegionAttributes; if (RegionId > TZASCGetNumRegions(TzascBase)) { return EFI_INVALID_PARAMETER; } + RegionAttributes = TZASC_REGION_ATTR_SECURITY(Security) | + TZASC_REGION_ATTR_SUBREG_DISABLE(SubregionDisableMask) | + TZASC_REGION_ATTR_SIZE(Size) | + TZASC_REGION_ATTR_ENABLE(Enabled); + Region = (UINT32*)((UINTN)TzascBase + TZASC_REGIONS_REG + (RegionId * 0x10)); - MmioWrite32((UINTN)(Region), LowAddress&0xFFFF8000); + MmioWrite32((UINTN)(Region), TZASC_REGION_SETUP_LO_ADDR(LowAddress)); MmioWrite32((UINTN)(Region+1), HighAddress); - MmioWrite32((UINTN)(Region+2), ((Security & 0xF) <<28) | ((Size & 0x3F) << 1) | (Enabled & 0x1)); + MmioWrite32((UINTN)(Region+2), RegionAttributes); return EFI_SUCCESS; } diff --git a/ArmPlatformPkg/Include/Drivers/ArmTrustzone.h b/ArmPlatformPkg/Include/Drivers/ArmTrustzone.h index 78e98aad535f..827b5cd568c1 100644 --- a/ArmPlatformPkg/Include/Drivers/ArmTrustzone.h +++ b/ArmPlatformPkg/Include/Drivers/ArmTrustzone.h @@ -71,6 +71,22 @@ TZPCClearDecProtBits ( #define TZASC_REGION_SECURITY_NSW 1 #define TZASC_REGION_SECURITY_NSRW (TZASC_REGION_SECURITY_NSR|TZASC_REGION_SECURITY_NSW) +/* Some useful masks */ +#define TZASC_REGION_SETUP_LO_ADDR_MASK 0xFFFF8000 + +#define TZASC_REGION_ATTR_SECURITY_MASK 0xF +#define TZASC_REGION_ATTR_SUBREG_DIS_MASK 0xFF +#define TZASC_REGION_ATTR_SIZE_MASK 0x3F +#define TZASC_REGION_ATTR_EN_MASK 0x1 + +#define TZASC_REGION_SETUP_LO_ADDR(x) ((x) & TZASC_REGION_SETUP_LO_ADDR_MASK) + +#define TZASC_REGION_ATTR_SECURITY(x) (((x) & TZASC_REGION_ATTR_SECURITY_MASK) << 28) +#define TZASC_REGION_ATTR_SUBREG_DISABLE(x) \ + (((x) & TZASC_REGION_ATTR_SUBREG_DIS_MASK) << 8) +#define TZASC_REGION_ATTR_SIZE(x) (((x) & TZASC_REGION_ATTR_SIZE_MASK) << 1) +#define TZASC_REGION_ATTR_ENABLE(x) ((x) & TZASC_REGION_ATTR_EN_MASK) + /** FIXME: Need documentation **/ @@ -82,7 +98,8 @@ TZASCSetRegion ( IN UINTN LowAddress, IN UINTN HighAddress, IN UINTN Size, - IN UINTN Security + IN UINTN Security, + IN UINTN SubregionDisableMask ); #endif -- 2.7.4