* [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices.
@ 2023-09-26  7:58 Manorit Chawdhry
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

K3 devices have firewalls that are used to prevent illegal accesses to
memory regions that are deemed secure. The series prevents the illegal
accesses to ATF and OP-TEE regions that are present in different K3
devices.

AM62AX and AM64X are currently on hold due to some firewall
configurations that our System Controller (TIFS) needs to handle.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
Changes in v2:

Andrew:
    - Make the firewall DTS more readable with CONSTANTS

Neha:
    - Move GetHexOctet to dtoc for common usage
    - Update the documentation in ti-secure
    - s/indentifier/identifier/
    - Add firewall binman test

- Remove slave firewall multiple background regions
  ( Single firewall region works fine )
- Add a check in the subnodes to check for the node.name 'firewall'
- Change firewall indexing with id and region number so that it is easy
  to purge out firewalls and we don't need to redo the numbering.
- Add information for all the firewalls.
- Link to v1: https://lore.kernel.org/u-boot/20230905-binman-firewalling-v1-0-3894520bff8a@ti.com/

---
Manorit Chawdhry (8):
      dtoc: openssl: Add GetHexOctet method
      binman: ti-secure: Add support for firewalling entities
      binman: ftest: Add test for ti-secure firewall node
      binman: k3: add k3-security.h and include it in k3-binman.dtsi
      binman: j721e: Add firewall configurations for atf
      binman: am62x: Add firewalling configurations
      binman: j721s2: Add firewall configurations
      binman: j7200: Add firewall configurations

 arch/arm/dts/k3-am625-sk-binman.dtsi         |  49 +++++++
 arch/arm/dts/k3-binman.dtsi                  |   2 +
 arch/arm/dts/k3-j7200-binman.dtsi            | 137 ++++++++++++++++++
 arch/arm/dts/k3-j721e-binman.dtsi            | 183 ++++++++++++++++++++++++
 arch/arm/dts/k3-j721s2-binman.dtsi           | 206 +++++++++++++++++++++++++++
 arch/arm/dts/k3-security.h                   |  58 ++++++++
 tools/binman/btool/openssl.py                |  16 ++-
 tools/binman/etype/ti_secure.py              |  85 +++++++++++
 tools/binman/etype/x509_cert.py              |   3 +-
 tools/binman/ftest.py                        |  12 ++
 tools/binman/test/311_ti_secure_firewall.dts |  28 ++++
 tools/dtoc/fdt_util.py                       |  20 +++
 12 files changed, 796 insertions(+), 3 deletions(-)
---
base-commit: 2fe4b54556ea6271237b35de68dc458bfceab94c
change-id: 20230724-binman-firewalling-65ecdb23ec0a

Best regards,
-- 
Manorit Chawdhry <m-chawdhry@ti.com>



* [RFC PATCH v2 1/8] dtoc: openssl: Add GetHexOctet method
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

The HexOctet format is used by openssl for the FORMAT:HEX,OCT property in x509
certificates. Add a helper function to extract the integer numbers in
HEX,OCT format to pass to openssl directly.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 tools/dtoc/fdt_util.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tools/dtoc/fdt_util.py b/tools/dtoc/fdt_util.py
index f1f70568cfef..d51dbf5633d0 100644
--- a/tools/dtoc/fdt_util.py
+++ b/tools/dtoc/fdt_util.py
@@ -100,6 +100,26 @@ def EnsureCompiled(fname, tmpdir=None, capture_stderr=False):
     command.run(dtc, *args, capture_stderr=capture_stderr)
     return dtb_output
 
+def GetHexOctet(node, propname, default=None):
+    """Get an integer from a property in hex octet form required by openssl
+
+    Args:
+        node: Node object to read from
+        propname: property name to read
+        default: Default value to use if the node/property do not exist
+
+    Returns:
+        Integer value read as a String in Hex Octet Form
+    """
+    prop = node.props.get(propname)
+    if not isinstance(prop.value, list) or len(prop.value) != 2:
+        value = GetInt(node, propname)
+    elif isinstance(prop.value, list) and len(prop.value) == 2:
+        value = GetInt64(node, propname)
+
+    hex_value = '%x' % (value)
+    return ('0' * (len(hex_value) & 1)) + hex_value
+
 def GetInt(node, propname, default=None):
     """Get an integer from a property
 
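Review bot: the `default` argument of GetHexOctet() is accepted but never used, and a missing property crashes instead of returning it: `prop = node.props.get(propname)` yields None when the property is absent, so `prop.value` on the next line raises AttributeError. Suggest `if prop is None: return default` before the isinstance check, and replace the redundant `elif isinstance(prop.value, list) and len(prop.value) == 2` with a plain `else`, since it is the exact negation of the `if`. The docstring line "Integer value read as a String in Hex Octet Form" would also read better as "str: the value as an even-length hex string, as openssl FORMAT:HEX,OCT expects", which is what the `'0' * (len(hex_value) & 1)` padding is for.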

-- 
2.41.0



* [RFC PATCH v2 2/8] binman: ti-secure: Add support for firewalling entities
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

We can now firewall entities while loading them through our secure
entity TIFS; the required information should be present in the
certificate that is being parsed by TIFS.

The following commit adds the support to enable the certificates to be
generated if the firewall configurations are present in the binman dtsi
nodes.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 tools/binman/btool/openssl.py   | 16 +++++++-
 tools/binman/etype/ti_secure.py | 85 +++++++++++++++++++++++++++++++++++++++++
 tools/binman/etype/x509_cert.py |  3 +-
 3 files changed, 101 insertions(+), 3 deletions(-)

diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py
index aad3b61ae27c..dff439df211f 100644
--- a/tools/binman/btool/openssl.py
+++ b/tools/binman/btool/openssl.py
@@ -82,7 +82,7 @@ imageSize              = INTEGER:{len(indata)}
         return self.run_cmd(*args)
 
     def x509_cert_sysfw(self, cert_fname, input_fname, key_fname, sw_rev,
-                  config_fname, req_dist_name_dict):
+                  config_fname, req_dist_name_dict, firewall_cert_data):
         """Create a certificate to be booted by system firmware
 
         Args:
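Review bot: `firewall_cert_data` is added as a required positional parameter of x509_cert_sysfw(); giving it a default of None and treating None as "no firewall section" keeps the method callable from code that has no firewall data, instead of relying on every caller to build the dict that Entry_ti_secure.__init__ builds.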
@@ -94,6 +94,13 @@ imageSize              = INTEGER:{len(indata)}
             req_dist_name_dict (dict): Dictionary containing key-value pairs of
             req_distinguished_name section extensions, must contain extensions for
             C, ST, L, O, OU, CN and emailAddress
+            firewall_cert_data (dict):
+              - auth_in_place (int): The Priv ID for copying as the
+                specific host in firewall protected region
+              - num_firewalls (int): The number of firewalls in the
+                extended certificate
+              - certificate (str): Extended firewall certificate with
+                the information for the firewall configurations.
 
         Returns:
             str: Tool output
@@ -121,6 +128,7 @@ basicConstraints       = CA:true
 1.3.6.1.4.1.294.1.3    = ASN1:SEQUENCE:swrv
 1.3.6.1.4.1.294.1.34   = ASN1:SEQUENCE:sysfw_image_integrity
 1.3.6.1.4.1.294.1.35   = ASN1:SEQUENCE:sysfw_image_load
+1.3.6.1.4.1.294.1.37   = ASN1:SEQUENCE:firewall
 
 [ swrv ]
 swrv = INTEGER:{sw_rev}
@@ -132,7 +140,11 @@ imageSize              = INTEGER:{len(indata)}
 
 [ sysfw_image_load ]
 destAddr = FORMAT:HEX,OCT:00000000
-authInPlace = INTEGER:2
+authInPlace = INTEGER:{hex(firewall_cert_data['auth_in_place'])}
+
+[ firewall ]
+numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']}
+{firewall_cert_data['certificate']}
 ''', file=outf)
         args = ['req', '-new', '-x509', '-key', key_fname, '-nodes',
                 '-outform', 'DER', '-out', cert_fname, '-config', config_fname,
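Review bot: the `[ firewall ]` section and the `1.3.6.1.4.1.294.1.37 = ASN1:SEQUENCE:firewall` extension are now emitted unconditionally, so every sysfw certificate, including ones for entries with no firewall nodes, carries `numFirewallRegions = INTEGER:0` followed by an empty body. If TIFS on all supported devices accepts a zero-region extension this is fine, but it changes images that never asked for firewalling; otherwise gate both the extension line and the section on `firewall_cert_data['num_firewalls'] > 0`. Also, `authInPlace = INTEGER:{hex(firewall_cert_data['auth_in_place'])}` relies on openssl's integer parser accepting a `0x` prefix (it does); writing the decimal value keeps the template consistent with the other INTEGER fields such as `swrv`.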
diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py
index d939dce57139..b85dc912623d 100644
--- a/tools/binman/etype/ti_secure.py
+++ b/tools/binman/etype/ti_secure.py
@@ -7,9 +7,35 @@
 
 from binman.entry import EntryArg
 from binman.etype.x509_cert import Entry_x509_cert
+from dataclasses import dataclass
 
 from dtoc import fdt_util
 
+@dataclass
+class Firewall():
+    id: int
+    region: int
+    control : int
+    permissions: list[hex]
+    start_address: str
+    end_address: str
+
+    def get_certificate(self) -> str:
+        unique_identifier = f"{self.id}{self.region}"
+        cert = f"""
+firewallID{unique_identifier} = INTEGER:{self.id}
+region{unique_identifier} = INTEGER:{self.region}
+control{unique_identifier} = INTEGER:{hex(self.control)}
+nPermissionRegs{unique_identifier} = INTEGER:{len(self.permissions)}
+"""
+        for index, permission in enumerate(self.permissions):
+            cert += f"""permissions{unique_identifier}{index} = INTEGER:{hex(permission)}
+"""
+        cert += f"""startAddress{unique_identifier} = FORMAT:HEX,OCT:{self.start_address}
+endAddress{unique_identifier} = FORMAT:HEX,OCT:{self.end_address}
+"""
+        return cert
+
 class Entry_ti_secure(Entry_x509_cert):
     """Entry containing a TI x509 certificate binary
 
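Review bot: `unique_identifier = f"{self.id}{self.region}"` is not unique: id 25 with region 71 and id 257 with region 1 both produce "2571", and duplicate keys inside an openssl config section silently overwrite each other, so one firewall's entries could clobber another's. A separator such as f"{self.id}_{self.region}" removes the ambiguity. Separately, `permissions: list[hex]` names the builtin function `hex`, not a type; use `list[int]`, and since a dataclass evaluates its annotations at class-creation time, `list[int]` needs Python 3.9 or later (older interpreters need `typing.List[int]` if binman still supports them). Minor: `control : int` has a stray space before the colon.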
@@ -17,6 +43,11 @@ class Entry_ti_secure(Entry_x509_cert):
         - content: List of phandles to entries to sign
         - keyfile: Filename of file containing key to sign binary with
         - sha: Hash function to be used for signing
+        - auth_in_place: This is an integer field that contains two pieces
+          of information
+            Lower Byte - Remains 0x02 as per our use case
+            ( 0x02: Move the authenticated binary back to the header )
+            Upper Byte - The Host ID of the core owning the firewall
 
     Output files:
         - input.<unique_name> - input file passed to openssl
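Review bot: this docstring and the one added to openssl.py describe `auth_in_place` differently: here the lower byte is fixed at 0x02 and the upper byte is the host ID of the core owning the firewall, while openssl.py calls the whole value "The Priv ID for copying as the specific host". Keep one description (this one is the more precise) and refer to it from the other, and decode the value used in the dtsi files, e.g. that 0xa02 means host 0x0a with mode 0x02, so a reader can construct a value for a new board.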
@@ -25,6 +56,35 @@ class Entry_ti_secure(Entry_x509_cert):
         - cert.<unique_name> - output file generated by openssl (which is
           used as the entry contents)
 
+    Depending on auth_in_place information in the inputs, we read the
+    firewall nodes that describe the configurations of firewall that TIFS
+    will be doing after reading the certificate.
+
+    The syntax of the firewall nodes are as such:
+
+    firewall-257-0 {
+        id = <257>;           /* The ID of the firewall being configured */
+        region = <0>;         /* Region number to configure */
+
+        control =             /* The control register */
+            <(FWCTRL_EN | FWCTRL_LOCK | FWCTRL_BG | FWCTRL_CACHE)>;
+
+        permissions =         /* The permission registers */
+            <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+                        FWPERM_SECURE_PRIV_RWCD |
+                        FWPERM_SECURE_USER_RWCD |
+                        FWPERM_NON_SECURE_PRIV_RWCD |
+                        FWPERM_NON_SECURE_USER_RWCD)>;
+
+        /* More defines can be found in k3-security.h */
+
+        start_address =        /* The Start Address of the firewall */
+            <0x0 0x0>;
+        end_address =          /* The End Address of the firewall */
+            <0xff 0xffffffff>;
+    };
+
+
     openssl signs the provided data, using the TI templated config file and
     writes the signature in this entry. This allows verification that the
     data is genuine.
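Review bot: the text says the firewall nodes are read "Depending on auth_in_place information" but does not say what happens when `auth_in_place` is absent: the subnodes are then ignored entirely and the certificate carries no firewall configuration. Spell that out here, since a dtsi author who copies the firewall nodes but forgets `auth_in_place` gets an image that boots normally but leaves the region unprotected. Grammar: "The syntax of the firewall nodes are as such" should be "is as follows", and the two blank lines before "openssl signs the provided data" can be one.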
@@ -32,11 +92,20 @@ class Entry_ti_secure(Entry_x509_cert):
     def __init__(self, section, etype, node):
         super().__init__(section, etype, node)
         self.openssl = None
+        self.firewall_cert_data: dict = {
+            'auth_in_place': 0x02,
+            'num_firewalls': 0,
+            'certificate': "",
+        }
 
     def ReadNode(self):
         super().ReadNode()
         self.key_fname = self.GetEntryArgsOrProps([
             EntryArg('keyfile', str)], required=True)[0]
+        auth_in_place = fdt_util.GetInt(self._node, "auth_in_place")
+        if auth_in_place:
+            self.firewall_cert_data['auth_in_place'] = auth_in_place
+            self.ReadFirewallNode()
         self.sha = fdt_util.GetInt(self._node, 'sha', 512)
         self.req_dist_name = {'C': 'US',
                 'ST': 'TX',
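Review bot: firewall subnodes are silently skipped when `auth_in_place` is not set, because ReadFirewallNode() is only reached inside `if auth_in_place:`; for a setting whose whole purpose is protection it is better to fail closed. Suggest checking unconditionally for subnodes whose name contains 'firewall' and calling self.Raise() when they exist without `auth_in_place`, so a misconfigured dtsi breaks the build instead of producing an unprotected image. Also `fdt_util.GetInt(self._node, "auth_in_place")` returns None when the property is absent; `if auth_in_place is not None:` distinguishes "missing" from an explicit 0, which should probably be rejected rather than treated as missing.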
@@ -46,6 +115,22 @@ class Entry_ti_secure(Entry_x509_cert):
                 'CN': 'TI Support',
                 'emailAddress': 'support@ti.com'}
 
+    def ReadFirewallNode(self):
+        self.firewall_cert_data['certificate'] = ""
+        self.firewall_cert_data['num_firewalls'] = 0
+        for node in self._node.subnodes:
+            if 'firewall' in node.name:
+                firewall = Firewall(
+                     fdt_util.GetInt(node, 'id'),
+                     fdt_util.GetInt(node, 'region'),
+                     fdt_util.GetInt(node, 'control'),
+                     fdt_util.GetPhandleList(node, 'permissions'),
+                     fdt_util.GetHexOctet(node, 'start_address'),
+                     fdt_util.GetHexOctet(node, 'end_address'),
+                )
+                self.firewall_cert_data['num_firewalls'] += 1
+                self.firewall_cert_data['certificate'] += firewall.get_certificate()
+
     def GetCertificate(self, required):
         """Get the contents of this entry
 
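Review bot: none of the required properties are validated: when `id`, `region` or `control` is missing, GetInt() returns None and get_certificate() writes `INTEGER:None` into the openssl config, which fails later inside openssl with a message that does not name the node. Use self.Raise() here so the error points at the offending firewall node. `fdt_util.GetPhandleList(node, 'permissions')` works only because it decodes u32 cells, but the permissions are not phandles and a reader will wonder what is being resolved; a plain integer-list reader, or at least a comment explaining the reuse, is clearer. Finally, `'firewall' in node.name` is a substring match; `node.name.startswith('firewall-')` matches the documented `firewall-<id>-<region>` naming from the cover letter and avoids picking up unrelated nodes.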
diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
index d028cfe38cd9..9e1cf479023b 100644
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@@ -98,7 +98,8 @@ class Entry_x509_cert(Entry_collection):
                 key_fname=self.key_fname,
                 config_fname=config_fname,
                 sw_rev=self.sw_rev,
-                req_dist_name_dict=self.req_dist_name)
+                req_dist_name_dict=self.req_dist_name,
+                firewall_cert_data=self.firewall_cert_data)
         elif type == 'rom':
             stdout = self.openssl.x509_cert_rom(
                 cert_fname=output_fname,
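Review bot: `firewall_cert_data=self.firewall_cert_data` references an attribute that only Entry_ti_secure.__init__ defines; Entry_x509_cert itself never sets it, so a plain x509-cert entry taking the 'sysfw' path raises AttributeError. Initialise `self.firewall_cert_data = None` (or the same empty default dict) in Entry_x509_cert.__init__ and let x509_cert_sysfw() tolerate it, so the base class does not depend on a subclass to supply a keyword argument it always passes.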

-- 
2.41.0



* [RFC PATCH v2 3/8] binman: ftest: Add test for ti-secure firewall node
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

Add test for TI firewalling node in ti-secure.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 tools/binman/ftest.py                        | 12 ++++++++++++
 tools/binman/test/311_ti_secure_firewall.dts | 28 ++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 8e419645a6d5..a3e49149d0d7 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -7030,6 +7030,18 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
                                    entry_args=entry_args)[0]
         self.assertGreater(len(data), len(TI_UNSECURE_DATA))
 
+    def testPackTiSecureFirewall(self):
+        """Test that an image with a TI secured binary can be created"""
+        keyfile = self.TestFile('key.key')
+        entry_args = {
+            'keyfile': keyfile,
+        }
+        data_no_firewall = self._DoReadFileDtb('296_ti_secure.dts',
+                                   entry_args=entry_args)[0]
+        data_firewall = self._DoReadFileDtb('311_ti_secure_firewall.dts',
+                                   entry_args=entry_args)[0]
+        self.assertGreater(len(data_firewall),len(data_no_firewall))
+
     def testPackTiSecureMissingTool(self):
         """Test that an image with a TI secured binary (non-functional) can be created
         when openssl is missing"""
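Review bot: the docstring "Test that an image with a TI secured binary can be created" is copied from testPackTiSecure and does not mention firewall nodes; name the difference. The only assertion is that the firewalled certificate is longer than the unfirewalled one, which passes for any growth of the DER blob; checking the generated openssl config for `numFirewallRegions = INTEGER:1` and for the `firewallID02`, `startAddress02` and `endAddress02` keys that 311_ti_secure_firewall.dts (id 0, region 2) should produce would pin down that the firewall section was actually emitted. Style: `len(data_firewall),len(data_no_firewall)` needs a space after the comma.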
diff --git a/tools/binman/test/311_ti_secure_firewall.dts b/tools/binman/test/311_ti_secure_firewall.dts
new file mode 100644
index 000000000000..b392d9ad4cbc
--- /dev/null
+++ b/tools/binman/test/311_ti_secure_firewall.dts
@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+
+	binman {
+		ti-secure {
+			content = <&unsecure_binary>;
+            auth_in_place = <0xa02>;
+
+            firewall-0-2 {
+                id = <0>;
+                region = <2>;
+                control = <0x31a>;
+                permissions = <0xc3ffff>;
+                start_address = <0x0 0x9e800000>;
+                end_address = <0x0 0x9fffffff>;
+            };
+
+		};
+		unsecure_binary: blob-ext {
+			filename = "ti_unsecure.bin";
+		};
+	};
+};
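Review bot: indentation is mixed inside the ti-secure node: `content` is tab-indented while `auth_in_place` and the `firewall-0-2` subnode use spaces, and a blank line is left before the closing `};`. Use tabs throughout, as the surrounding binman test dts files do. The raw `control = <0x31a>` and `permissions = <0xc3ffff>` are fine for a test, but a one-line comment saying which k3-security.h bits they stand for (0x31a is FWCTRL_EN | FWCTRL_LOCK | FWCTRL_BG | FWCTRL_CACHE, 0xc3ffff is FWPRIVID_ALL << FWPRIVID_SHIFT with all four RWCD groups) would help whoever edits it next.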

-- 
2.41.0



* [RFC PATCH v2 4/8] binman: k3: add k3-security.h and include it in k3-binman.dtsi
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

For readability when configuring firewalls, add the k3-security.h file
and include it in k3-binman.dtsi so that it is accessible across K3 SoCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 arch/arm/dts/k3-binman.dtsi |  2 ++
 arch/arm/dts/k3-security.h  | 58 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
index 2ea2dd18a12b..71ffa998a59f 100644
--- a/arch/arm/dts/k3-binman.dtsi
+++ b/arch/arm/dts/k3-binman.dtsi
@@ -3,6 +3,8 @@
  * Copyright (C) 2022-2023 Texas Instruments Incorporated - https://www.ti.com/
  */
 
+#include "k3-security.h"
+
 / {
 	binman: binman {
 		multiple-images;
diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h
new file mode 100644
index 000000000000..e012b7afaf94
--- /dev/null
+++ b/arch/arm/dts/k3-security.h
@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2023 Texas Instruments Incorporated - https://www.ti.com/
+ */
+
+#ifndef DTS_ARM64_TI_K3_FIREWALL_H
+#define DTS_ARM64_TI_K3_FIREWALL_H
+
+#define FWPRIVID_ALL    (0xc3)
+#define FWPRIVID_ARMV8  (1)
+#define FWPRIVID_SHIFT  (16)
+
+#define FWCTRL_EN     (0xA)
+#define FWCTRL_LOCK   (1 << 4)
+#define FWCTRL_BG     (1 << 8)
+#define FWCTRL_CACHE  (1 << 9)
+
+#define FWPERM_SECURE_PRIV_WRITE      (1 << 0)
+#define FWPERM_SECURE_PRIV_READ       (1 << 1)
+#define FWPERM_SECURE_PRIV_CACHEABLE  (1 << 2)
+#define FWPERM_SECURE_PRIV_DEBUG      (1 << 3)
+
+#define FWPERM_SECURE_PRIV_RWCD       (FWPERM_SECURE_PRIV_READ | \
+                                       FWPERM_SECURE_PRIV_WRITE | \
+                                       FWPERM_SECURE_PRIV_CACHEABLE | \
+                                       FWPERM_SECURE_PRIV_DEBUG)
+
+#define FWPERM_SECURE_USER_WRITE      (1 << 4)
+#define FWPERM_SECURE_USER_READ       (1 << 5)
+#define FWPERM_SECURE_USER_CACHEABLE  (1 << 6)
+#define FWPERM_SECURE_USER_DEBUG      (1 << 7)
+
+#define FWPERM_SECURE_USER_RWCD       (FWPERM_SECURE_USER_READ | \
+                                       FWPERM_SECURE_USER_WRITE | \
+                                       FWPERM_SECURE_USER_CACHEABLE | \
+                                       FWPERM_SECURE_USER_DEBUG)
+
+#define FWPERM_NON_SECURE_PRIV_WRITE      (1 << 8)
+#define FWPERM_NON_SECURE_PRIV_READ       (1 << 9)
+#define FWPERM_NON_SECURE_PRIV_CACHEABLE  (1 << 10)
+#define FWPERM_NON_SECURE_PRIV_DEBUG      (1 << 11)
+
+#define FWPERM_NON_SECURE_PRIV_RWCD       (FWPERM_NON_SECURE_PRIV_READ | \
+                                           FWPERM_NON_SECURE_PRIV_WRITE | \
+                                           FWPERM_NON_SECURE_PRIV_CACHEABLE | \
+                                           FWPERM_NON_SECURE_PRIV_DEBUG)
+
+#define FWPERM_NON_SECURE_USER_WRITE      (1 << 12)
+#define FWPERM_NON_SECURE_USER_READ       (1 << 13)
+#define FWPERM_NON_SECURE_USER_CACHEABLE  (1 << 14)
+#define FWPERM_NON_SECURE_USER_DEBUG      (1 << 15)
+
+#define FWPERM_NON_SECURE_USER_RWCD       (FWPERM_NON_SECURE_USER_READ | \
+                                           FWPERM_NON_SECURE_USER_WRITE | \
+                                           FWPERM_NON_SECURE_USER_CACHEABLE | \
+                                           FWPERM_NON_SECURE_USER_DEBUG)
+
+#endif
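Review bot: the include guard `DTS_ARM64_TI_K3_FIREWALL_H` does not match the file name k3-security.h; either rename the guard (e.g. DTS_ARM_K3_SECURITY_H) or the file. The SPDX tag is GPL-2.0 while the new test dts in this series uses GPL-2.0+; confirm that is intended. The magic values deserve comments: what the 0xA in `FWCTRL_EN` encodes, what makes 0xc3 the "all" priv ID in `FWPRIVID_ALL`, and that the permission word is four nibbles ordered secure-priv, secure-user, non-secure-priv, non-secure-user (bits 0-3, 4-7, 8-11, 12-15), since readers of the dtsi files will need to decode raw values such as 0xc3ffff. A FWPERM_*_NONE (0) for each group would also make the foreground regions, which deliberately omit the non-secure groups, self-describing.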

-- 
2.41.0



* [RFC PATCH v2 5/8] binman: j721e: Add firewall configurations for atf
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

The following commit adds the configuration of firewalls required to
protect the ATF and OP-TEE memory regions from non-secure reads and
writes using the master and slave firewalls present in our K3 SoCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 arch/arm/dts/k3-j721e-binman.dtsi | 183 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 183 insertions(+)

diff --git a/arch/arm/dts/k3-j721e-binman.dtsi b/arch/arm/dts/k3-j721e-binman.dtsi
index 4f566c21a9af..15fd5c857452 100644
--- a/arch/arm/dts/k3-j721e-binman.dtsi
+++ b/arch/arm/dts/k3-j721e-binman.dtsi
@@ -330,6 +330,100 @@
 					ti-secure {
 						content = <&atf>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						firewall-257-0 {
+							/* cpu_0_cpu_0_msmc Background Firewall */
+							id = <257>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-257-1 {
+							/* cpu_0_cpu_0_msmc Foreground Firewall */
+							id = <257>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						firewall-284-0 {
+							/* dru_0_msmc Background Firewall */
+							id = <284>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-284-1 {
+							/* dru_0_msmc Foreground Firewall */
+							id = <284>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						/* firewall-4760-0 {
+							nb_slv0__mem0 Background Firewall
+							Already configured by the secure entity
+						}; */
+
+						firewall-4760-1 {
+							/* nb_slv0__mem0 Foreground Firewall */
+							id = <4760>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						/* firewall-4761-0 {
+							nb_slv1__mem0 Background Firewall
+							Already configured by the secure entity
+						}; */
+
+						firewall-4761-1 {
+							/* nb_slv1__mem0 Foreground Firewall */
+							id = <4761>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
 					};
 					atf: atf-bl31 {
 					};
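Review bot: the commented-out `firewall-4760-0` and `firewall-4761-0` blocks ("Already configured by the secure entity") would be clearer as plain comments than as disabled DT nodes, which invite someone to uncomment them; say instead that the background region of the nb_slv0__mem0 and nb_slv1__mem0 firewalls is owned by TIFS and must not be configured here. The foreground regions for ids 257, 284, 4760 and 4761 are four copies of the same control, permissions and 0x70000000-0x7001ffff tuple; a comment tying that range to the ATF load address in this dtsi would let a reviewer verify it without reading the rest of the file. The blank line before the closing `};` of the ti-secure node should go.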
@@ -346,6 +440,95 @@
 					ti-secure {
 						content = <&tee>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						/* cpu_0_cpu_0_msmc region 0 and 1 configured
+						   during ATF Firewalling */
+
+						firewall-257-2 {
+							/* cpu_0_cpu_0_msmc Foreground Firewall */
+							id = <257>;
+							region = <2>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						/* dru_0_msmc region 0 and 1 configured
+						   during ATF Firewalling */
+
+                        firewall-284-2 {
+                            /* dru_0_msmc Foreground Firewall */
+                            id = <284>;
+                            region = <2>;
+                            control = <(FWCTRL_EN | FWCTRL_LOCK |
+                                        FWCTRL_CACHE)>;
+                            permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+                                            FWPERM_SECURE_PRIV_RWCD |
+                                            FWPERM_SECURE_USER_RWCD)>;
+                            start_address = <0x0 0x9e800000>;
+                            end_address = <0x0 0x9fffffff>;
+                        };
+
+                        firewall-4762-0 {
+                            /* nb_slv2__mem0 Background Firewall */
+                            id = <4762>;
+                            region = <0>;
+                            control = <(FWCTRL_EN | FWCTRL_LOCK |
+                                        FWCTRL_BG | FWCTRL_CACHE)>;
+                            permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+                                            FWPERM_SECURE_PRIV_RWCD |
+                                            FWPERM_SECURE_USER_RWCD |
+                                            FWPERM_NON_SECURE_PRIV_RWCD |
+                                            FWPERM_NON_SECURE_USER_RWCD)>;
+                            start_address = <0x0 0x0>;
+                            end_address = <0xff 0xffffffff>;
+                        };
+
+                        firewall-4762-1 {
+                            /* nb_slv2__mem0 Foreground Firewall */
+                            id = <4762>;
+                            region = <1>;
+                            control = <(FWCTRL_EN | FWCTRL_LOCK |
+                                        FWCTRL_CACHE)>;
+                            permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+                                            FWPERM_SECURE_PRIV_RWCD |
+                                            FWPERM_SECURE_USER_RWCD)>;
+                            start_address = <0x0 0x9e800000>;
+                            end_address = <0x0 0x9fffffff>;
+                        };
+
+                        firewall-4763-0 {
+                            /* nb_slv3__mem0 Background Firewall */
+                            id = <4763>;
+                            region = <0>;
+                            control = <(FWCTRL_EN | FWCTRL_LOCK |
+                                        FWCTRL_BG | FWCTRL_CACHE)>;
+                            permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+                                            FWPERM_SECURE_PRIV_RWCD |
+                                            FWPERM_SECURE_USER_RWCD |
+                                            FWPERM_NON_SECURE_PRIV_RWCD |
+                                            FWPERM_NON_SECURE_USER_RWCD)>;
+                            start_address = <0x0 0x0>;
+                            end_address = <0xff 0xffffffff>;
+                        };
+
+                        firewall-4763-1 {
+                            /* nb_slv3__mem0 Foreground Firewall */
+                            id = <4763>;
+                            region = <1>;
+                            control = <(FWCTRL_EN | FWCTRL_LOCK |
+                                        FWCTRL_CACHE)>;
+                            permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+                                            FWPERM_SECURE_PRIV_RWCD |
+                                            FWPERM_SECURE_USER_RWCD)>;
+                            start_address = <0x0 0x9e800000>;
+                            end_address = <0x0 0x9fffffff>;
+                        };
 					};
 					tee: tee-os {
 					};
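Review bot: indentation switches from tabs to spaces from `firewall-284-2` onwards, so the second half of the ti-secure node is misaligned relative to `firewall-257-2`; convert the space-indented nodes to tabs. The "region 0 and 1 configured during ATF Firewalling" comments are the right kind of cross-reference; since those earlier regions are set with FWCTRL_LOCK, it is worth stating in the comment that the lock applies per region and therefore does not prevent adding region 2 here, which is what this split configuration assumes.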

-- 
2.41.0



* [RFC PATCH v2 6/8] binman: am62x: Add firewalling configurations
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

The following commit adds the configuration of firewalls required to
protect ATF and OP-TEE memory regions from non-secure reads and
writes using master and slave firewalls present in our K3 SoCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 arch/arm/dts/k3-am625-sk-binman.dtsi | 49 ++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/arch/arm/dts/k3-am625-sk-binman.dtsi b/arch/arm/dts/k3-am625-sk-binman.dtsi
index 41277bf4bfdb..bb5341aaae8e 100644
--- a/arch/arm/dts/k3-am625-sk-binman.dtsi
+++ b/arch/arm/dts/k3-am625-sk-binman.dtsi
@@ -175,6 +175,36 @@
 					ti-secure {
 						content = <&atf>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						firewall-1-0 {
+							/* sdram Background Firewall - 0 */
+							id = <1>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-1-1 {
+							/* sdram Foreground Firewall */
+							id = <1>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e780000>;
+							end_address = <0x0 0x9e7fffff>;
+						};
+
 					};
 					atf: atf-bl31 {
 					};
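Review bot: `auth_in_place = <0xa02>;` is an undocumented magic value that this hunk (and the OP-TEE hunk below) hard-codes; either give it a named constant in k3-security.h next to the FWCTRL_*/FWPERM_* macros or add a comment saying what 0xa02 selects, since a reader cannot tell from the .dtsi which authentication mode is being requested. Minor: the trailing blank line before the closing `};` of ti-secure (after firewall-1-1) can be dropped, and the comment `sdram Background Firewall - 0` differs in style from the `sdram Foreground Firewall` comment in the next node.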
@@ -191,8 +221,27 @@
 					ti-secure {
 						content = <&tee>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						/* sdram region 0 and 1 configured during
+						   ATF Firewalling */
+
+						firewall-1-2 {
+							/* sdram Foreground Firewall */
+							id = <1>;
+							region = <2>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
 					};
 					tee: tee-os {
+
 					};
 				};
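Review bot: the added empty line inside `tee: tee-os {` (the lone `+` after the closing `};` of ti-secure) is a whitespace-only change unrelated to the firewall configuration; drop it to keep the diff minimal. The comment `sdram region 0 and 1 configured during ATF Firewalling` is useful; consider also naming the nodes that do it (firewall-1-0 and firewall-1-1 in the ATF ti-secure node above) so the cross-reference survives if the regions are renumbered.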
 

-- 
2.41.0



* [RFC PATCH v2 7/8] binman: j721s2: Add firewall configurations
  2023-09-26  7:58 [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Manorit Chawdhry
                   ` (5 preceding siblings ...)
  2023-09-26  7:58 ` [RFC PATCH v2 6/8] binman: am62x: Add firewalling configurations Manorit Chawdhry
@ 2023-09-26  7:58 ` Manorit Chawdhry
  2023-09-26  7:58 ` [RFC PATCH v2 8/8] binman: j7200: " Manorit Chawdhry
  2023-09-26 14:25 ` [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Andrew Davis
  8 siblings, 0 replies; 19+ messages in thread
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

The following commit adds the configuration of firewalls required to
protect ATF and OP-TEE memory regions from non-secure reads and
writes using master and slave firewalls present in our K3 SoCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 arch/arm/dts/k3-j721s2-binman.dtsi | 206 +++++++++++++++++++++++++++++++++++++
 1 file changed, 206 insertions(+)

diff --git a/arch/arm/dts/k3-j721s2-binman.dtsi b/arch/arm/dts/k3-j721s2-binman.dtsi
index 5bca4e94ecf9..40205fb8655e 100644
--- a/arch/arm/dts/k3-j721s2-binman.dtsi
+++ b/arch/arm/dts/k3-j721s2-binman.dtsi
@@ -177,6 +177,100 @@
 					ti-secure {
 						content = <&atf>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						firewall-257-0 {
+							/* cpu_0_cpu_0_msmc Background Firewall */
+							id = <257>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-257-1 {
+							/* cpu_0_cpu_0_msmc Foreground Firewall */
+							id = <257>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						firewall-284-0 {
+							/* dru_0_msmc Background Firewall */
+							id = <284>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-284-1 {
+							/* dru_0_msmc Foreground Firewall */
+							id = <284>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						/* firewall-5140-0 {
+							nb_slv0__mem0 Background Firewall
+							Already configured by the secure entity
+						}; */
+
+						firewall-5140-1 {
+							/* nb_slv0__mem0 Foreground Firewall */
+							id = <5140>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+                        /* firewall-5140-0 {
+							nb_slv1__mem0 Background Firewall
+							Already configured by the secure entity
+						}; */
+
+						firewall-5141-1 {
+							/* nb_slv1__mem0 Foreground Firewall */
+							id = <5141>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
 					};
 					atf: atf-bl31 {
 					};
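Review bot: the second commented-out placeholder is labelled `firewall-5140-0` but describes nb_slv1__mem0, whose firewall id is 5141 according to the firewall-5141-1 node directly below it; it should read `firewall-5141-0` (copy-paste from the nb_slv0 block). That same block is also indented with spaces (`/* firewall-5140-0 {` is preceded by spaces rather than tabs), which is the mixed-indentation problem Andrew raised on the cover letter.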
@@ -193,6 +287,118 @@
 					ti-secure {
 						content = <&tee>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						firewall-257-2 {
+							/* cpu_0_cpu_0_msmc Foreground Firewall */
+							id = <257>;
+							region = <2>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						firewall-284-2 {
+							/* dru_0_msmc Foreground Firewall */
+							id = <284>;
+							region = <2>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						firewall-5142-0 {
+							/* nb_slv2__mem0 Background Firewall - 0 */
+							id = <5142>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-5142-1 {
+							/* nb_slv2__mem0 Foreground Firewall */
+							id = <5142>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						firewall-5143-0 {
+							/* nb_slv3__mem0 Background Firewall - 0 */
+							id = <5143>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-5143-1 {
+							/* nb_slv3__mem0 Foreground Firewall */
+							id = <5143>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						firewall-5144-0 {
+							/* nb_slv4__mem0 Background Firewall - 0 */
+							id = <5144>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-5144-1 {
+							/* nb_slv4__mem0 Foreground Firewall */
+							id = <5144>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
 					};
 					tee: tee-os {
 					};
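Review bot: this hunk configures the background regions for nb_slv2/3/4 (firewall-5142-0, 5143-0, 5144-0) itself, whereas the ATF hunk leaves the nb_slv0/1 background regions to the secure entity; a comment explaining why these slaves need their background region set from the certificate (or why nb_slv0/1 do not) would save the next reader from wondering whether one of the two is an oversight. Style nit: the background comments here read `Background Firewall - 0` while firewall-257-0 and firewall-284-0 in the ATF hunk say `Background Firewall`; pick one form.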

-- 
2.41.0



* [RFC PATCH v2 8/8] binman: j7200: Add firewall configurations
  2023-09-26  7:58 [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Manorit Chawdhry
                   ` (6 preceding siblings ...)
  2023-09-26  7:58 ` [RFC PATCH v2 7/8] binman: j721s2: Add firewall configurations Manorit Chawdhry
@ 2023-09-26  7:58 ` Manorit Chawdhry
  2023-09-26 14:25 ` [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Andrew Davis
  8 siblings, 0 replies; 19+ messages in thread
From: Manorit Chawdhry @ 2023-09-26  7:58 UTC (permalink / raw)
  To: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani,
	Nishanth Menon, Manorit Chawdhry

The following commit adds the configuration of firewalls required to
protect ATF and OP-TEE memory regions from non-secure reads and
writes using master and slave firewalls present in our K3 SoCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 arch/arm/dts/k3-j7200-binman.dtsi | 137 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 137 insertions(+)

diff --git a/arch/arm/dts/k3-j7200-binman.dtsi b/arch/arm/dts/k3-j7200-binman.dtsi
index 14f7dea65ee3..c5a2cc065294 100644
--- a/arch/arm/dts/k3-j7200-binman.dtsi
+++ b/arch/arm/dts/k3-j7200-binman.dtsi
@@ -214,6 +214,72 @@
 					ti-secure {
 						content = <&atf>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						firewall-257-0 {
+							/* cpu_0_cpu_0_msmc Background Firewall */
+							id = <257>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-257-1 {
+							/* cpu_0_cpu_0_msmc Foreground Firewall */
+							id = <257>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						/* firewall-4760-0 {
+							nb_slv0__mem0 Background Firewall
+							Already configured by the secure entity
+						}; */
+
+						firewall-4760-1 {
+							/* nb_slv0__mem0 Foreground Firewall */
+							id = <4760>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
+						/* firewall-4761-0 {
+							nb_slv1__mem0 Background Firewall
+							Already configured by the secure entity
+						}; */
+
+						firewall-4761-1 {
+							/* nb_slv1__mem0 Foreground Firewall */
+							id = <4761>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x70000000>;
+							end_address = <0x0 0x7001ffff>;
+						};
+
 					};
 					atf: atf-bl31 {
 					};
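Review bot: the commented-out placeholder nodes for firewall-4760-0 and firewall-4761-0 carry no properties and exist only to say `Already configured by the secure entity`; a single plain comment listing the firewall ids whose background regions are already owned by the secure entity would carry the same information without a half-node body that looks like dead DTS, and would avoid the kind of stale-id copy-paste seen in the j721s2 patch of this series.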
@@ -230,6 +296,77 @@
 					ti-secure {
 						content = <&tee>;
 						keyfile = "custMpk.pem";
+						auth_in_place = <0xa02>;
+
+						firewall-257-2 {
+							/* cpu_0_cpu_0_msmc Foreground Firewall */
+							id = <257>;
+							region = <2>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						firewall-4762-0 {
+							/* nb_slv2__mem0 Background Firewall - 0 */
+							id = <4762>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-4762-1 {
+							/* nb_slv2__mem0 Foreground Firewall */
+							id = <4762>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
+						firewall-4763-0 {
+							/* nb_slv3__mem0 Background Firewall - 0 */
+							id = <4763>;
+							region = <0>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_BG | FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD |
+											FWPERM_NON_SECURE_PRIV_RWCD |
+											FWPERM_NON_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x0>;
+							end_address = <0xff 0xffffffff>;
+						};
+
+						firewall-4763-1 {
+							/* nb_slv3__mem0 Foreground Firewall */
+							id = <4763>;
+							region = <1>;
+							control = <(FWCTRL_EN | FWCTRL_LOCK |
+										FWCTRL_CACHE)>;
+							permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
+											FWPERM_SECURE_PRIV_RWCD |
+											FWPERM_SECURE_USER_RWCD)>;
+							start_address = <0x0 0x9e800000>;
+							end_address = <0x0 0x9fffffff>;
+						};
+
 					};
 					tee: tee-os {
 					};
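Review bot: firewall-4762-0 and firewall-4763-0 open the full 0x0 to 0xff_ffffffff range on nb_slv2/nb_slv3 to FWPRIVID_ALL with all RWCD permissions, and the foreground regions narrow only the OP-TEE window 0x9e800000 to 0x9fffffff, so the rest of those slave paths stays fully open; both background nodes also set FWCTRL_LOCK. Please confirm in the comment on the background nodes that a wide-open, locked background region is the intent here, so nobody later reads it as an accidentally permissive default.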

-- 
2.41.0



* Re: [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices.
  2023-09-26  7:58 [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Manorit Chawdhry
                   ` (7 preceding siblings ...)
  2023-09-26  7:58 ` [RFC PATCH v2 8/8] binman: j7200: " Manorit Chawdhry
@ 2023-09-26 14:25 ` Andrew Davis
  2023-09-27  4:38   ` Manorit Chawdhry
  8 siblings, 1 reply; 19+ messages in thread
From: Andrew Davis @ 2023-09-26 14:25 UTC (permalink / raw)
  To: Manorit Chawdhry, Simon Glass, Alper Nebi Yasak,
	Neha Malcom Francis, Vignesh Raghavendra
  Cc: u-boot, Udit Kumar, Praneeth Bajjuri, Kamlesh Gurudasani, Nishanth Menon

On 9/26/23 2:58 AM, Manorit Chawdhry wrote:
> K3 devices have firewalls that are used to prevent illegal accesses to
> memory regions that are deemed secure. The series prevents the illegal
> accesses to ATF and OP-TEE regions that are present in different K3
> devices.
> 
> AM62AX and AM64X are currently in hold due to some firewall
> configurations that our System Controller (TIFS) needs to handle.
> 
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---

You have mixed tabs and spaces in the .dtsi patches.

Andrew

> Changes in v2:
> 
> Andrew:
>      - Make the firewall DTS more readable with CONSTANTS
> 
> Neha:
>      - Move GetHexOctet to dtoc for common usage
>      - Update the documentation in ti-secure
>      - s/indentifier/identifier/
>      - Add firewall binman test
> 
> - Remove slave firewall multiple background regions
>    ( Single firewall region works fine )
> - Add a check in the subnodes to check for the node.name 'firewall'
> - Change firewall indexing with id and region number so that it is easy
>    to purge out firewalls and we don't need to redo the numbering.
> - Add information for all the firewalls.
> - Link to v1: https://lore.kernel.org/u-boot/20230905-binman-firewalling-v1-0-3894520bff8a@ti.com/
> 
> ---
> Manorit Chawdhry (8):
>        dtoc: openssl: Add GetHexOctet method
>        binman: ti-secure: Add support for firewalling entities
>        binman: ftest: Add test for ti-secure firewall node
>        binman: k3: add k3-security.h and include it in k3-binman.dtsi
>        binman: j721e: Add firewall configurations for atf
>        binman: am62x: Add firewalling configurations
>        binman: j721s2: Add firewall configurations
>        binman: j7200: Add firewall configurations
> 
>   arch/arm/dts/k3-am625-sk-binman.dtsi         |  49 +++++++
>   arch/arm/dts/k3-binman.dtsi                  |   2 +
>   arch/arm/dts/k3-j7200-binman.dtsi            | 137 ++++++++++++++++++
>   arch/arm/dts/k3-j721e-binman.dtsi            | 183 ++++++++++++++++++++++++
>   arch/arm/dts/k3-j721s2-binman.dtsi           | 206 +++++++++++++++++++++++++++
>   arch/arm/dts/k3-security.h                   |  58 ++++++++
>   tools/binman/btool/openssl.py                |  16 ++-
>   tools/binman/etype/ti_secure.py              |  85 +++++++++++
>   tools/binman/etype/x509_cert.py              |   3 +-
>   tools/binman/ftest.py                        |  12 ++
>   tools/binman/test/311_ti_secure_firewall.dts |  28 ++++
>   tools/dtoc/fdt_util.py                       |  20 +++
>   12 files changed, 796 insertions(+), 3 deletions(-)
> ---
> base-commit: 2fe4b54556ea6271237b35de68dc458bfceab94c
> change-id: 20230724-binman-firewalling-65ecdb23ec0a
> 
> Best regards,


* Re: [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices.
  2023-09-26 14:25 ` [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Andrew Davis
@ 2023-09-27  4:38   ` Manorit Chawdhry
  0 siblings, 0 replies; 19+ messages in thread
From: Manorit Chawdhry @ 2023-09-27  4:38 UTC (permalink / raw)
  To: Andrew Davis
  Cc: Simon Glass, Alper Nebi Yasak, Neha Malcom Francis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Andrew,

On 09:25-20230926, Andrew Davis wrote:
> On 9/26/23 2:58 AM, Manorit Chawdhry wrote:
> > K3 devices have firewalls that are used to prevent illegal accesses to
> > memory regions that are deemed secure. The series prevents the illegal
> > accesses to ATF and OP-TEE regions that are present in different K3
> > devices.
> > 
> > AM62AX and AM64X are currently in hold due to some firewall
> > configurations that our System Controller (TIFS) needs to handle.
> > 
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> 
> You have mixed tabs and spaces in the .dtsi patches.

Thanks for this, I will be sending a v3 with the fixes.

Regards,
Manorit

> 
> Andrew
> 
> > Changes in v2:
> > 
> > Andrew:
> >      - Make the firewall DTS more readable with CONSTANTS
> > 
> > Neha:
> >      - Move GetHexOctet to dtoc for common usage
> >      - Update the documentation in ti-secure
> >      - s/indentifier/identifier/
> >      - Add firewall binman test
> > 
> > - Remove slave firewall multiple background regions
> >    ( Single firewall region works fine )
> > - Add a check in the subnodes to check for the node.name 'firewall'
> > - Change firewall indexing with id and region number so that it is easy
> >    to purge out firewalls and we don't need to redo the numbering.
> > - Add information for all the firewalls.
> > - Link to v1: https://lore.kernel.org/u-boot/20230905-binman-firewalling-v1-0-3894520bff8a@ti.com/
> > 
> > ---
> > Manorit Chawdhry (8):
> >        dtoc: openssl: Add GetHexOctet method
> >        binman: ti-secure: Add support for firewalling entities
> >        binman: ftest: Add test for ti-secure firewall node
> >        binman: k3: add k3-security.h and include it in k3-binman.dtsi
> >        binman: j721e: Add firewall configurations for atf
> >        binman: am62x: Add firewalling configurations
> >        binman: j721s2: Add firewall configurations
> >        binman: j7200: Add firewall configurations
> > 
> >   arch/arm/dts/k3-am625-sk-binman.dtsi         |  49 +++++++
> >   arch/arm/dts/k3-binman.dtsi                  |   2 +
> >   arch/arm/dts/k3-j7200-binman.dtsi            | 137 ++++++++++++++++++
> >   arch/arm/dts/k3-j721e-binman.dtsi            | 183 ++++++++++++++++++++++++
> >   arch/arm/dts/k3-j721s2-binman.dtsi           | 206 +++++++++++++++++++++++++++
> >   arch/arm/dts/k3-security.h                   |  58 ++++++++
> >   tools/binman/btool/openssl.py                |  16 ++-
> >   tools/binman/etype/ti_secure.py              |  85 +++++++++++
> >   tools/binman/etype/x509_cert.py              |   3 +-
> >   tools/binman/ftest.py                        |  12 ++
> >   tools/binman/test/311_ti_secure_firewall.dts |  28 ++++
> >   tools/dtoc/fdt_util.py                       |  20 +++
> >   12 files changed, 796 insertions(+), 3 deletions(-)
> > ---
> > base-commit: 2fe4b54556ea6271237b35de68dc458bfceab94c
> > change-id: 20230724-binman-firewalling-65ecdb23ec0a
> > 
> > Best regards,


* Re: [RFC PATCH v2 1/8] dtoc: openssl: Add GetHexOctet method
  2023-09-26  7:58 ` [RFC PATCH v2 1/8] dtoc: openssl: Add GetHexOctet method Manorit Chawdhry
@ 2023-10-02  1:17   ` Simon Glass
  2023-10-03 10:41     ` Manorit Chawdhry
  0 siblings, 1 reply; 19+ messages in thread
From: Simon Glass @ 2023-10-02  1:17 UTC (permalink / raw)
  To: Manorit Chawdhry
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Manorit,

On Tue, 26 Sept 2023 at 01:58, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
>
> HexOctet format is used by openssl for FORMAT:HEX,OCT property in x509
> certificates. Add a helper function to extract the integer numbers in
> HEX,OCT format to pass to openssl directly.
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
>  tools/dtoc/fdt_util.py | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
>
> diff --git a/tools/dtoc/fdt_util.py b/tools/dtoc/fdt_util.py
> index f1f70568cfef..d51dbf5633d0 100644
> --- a/tools/dtoc/fdt_util.py
> +++ b/tools/dtoc/fdt_util.py
> @@ -100,6 +100,26 @@ def EnsureCompiled(fname, tmpdir=None, capture_stderr=False):
>      command.run(dtc, *args, capture_stderr=capture_stderr)
>      return dtb_output
>
> +def GetHexOctet(node, propname, default=None):

What is a hex octet?

> +    """Get an integer from a property in hex octet form required by openssl
> +

You should mention what size property is permitted.

> +    Args:
> +        node: Node object to read from
> +        propname: property name to read
> +        default: Default value to use if the node/property do not exist
> +
> +    Returns:
> +        Integer value read as a String in Hex Octet Form
> +    """
> +    prop = node.props.get(propname)
> +    if not isinstance(prop.value, list) or len(prop.value) != 2:
> +        value = GetInt(node, propname)
> +    elif isinstance(prop.value, list) and len(prop.value) == 2:
> +        value = GetInt64(node, propname)

What if it is neither of those?

> +
> +    hex_value = '%x' % (value)
> +    return ('0' * (len(hex_value) & 1)) + hex_value

Can you do:

return f'{value:02x}'

?


> +
>  def GetInt(node, propname, default=None):
>      """Get an integer from a property
>
>
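Review bot: `prop = node.props.get(propname)` returns None when the property is absent, and the next line dereferences `prop.value`, so a missing property raises AttributeError instead of returning `default`, which is otherwise never used. Add `if prop is None: return default` before the isinstance check and pass `default` on to GetInt/GetInt64. The two branches are also exhaustive (the elif condition is the exact negation of the if condition), so the elif can simply be else.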
> --
> 2.41.0
>


* Re: [RFC PATCH v2 2/8] binman: ti-secure: Add support for firewalling entities
  2023-09-26  7:58 ` [RFC PATCH v2 2/8] binman: ti-secure: Add support for firewalling entities Manorit Chawdhry
@ 2023-10-02  1:17   ` Simon Glass
  2023-10-03 11:21     ` Manorit Chawdhry
  0 siblings, 1 reply; 19+ messages in thread
From: Simon Glass @ 2023-10-02  1:17 UTC (permalink / raw)
  To: Manorit Chawdhry
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Manorit,

On Tue, 26 Sept 2023 at 01:58, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
>
> We can now firewall entities while loading them through our secure
> entity TIFS; the required information should be present in the
> certificate that is being parsed by TIFS.
>
> The following commit adds the support to enable the certificates to be
> generated if the firewall configurations are present in the binman dtsi
> nodes.
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
>  tools/binman/btool/openssl.py   | 16 +++++++-
>  tools/binman/etype/ti_secure.py | 85 +++++++++++++++++++++++++++++++++++++++++
>  tools/binman/etype/x509_cert.py |  3 +-
>  3 files changed, 101 insertions(+), 3 deletions(-)
>

Please do check that you have 100% test coverage here (binman test -T)

Regards,
Simon


* Re: [RFC PATCH v2 3/8] binman: ftest: Add test for ti-secure firewall node
  2023-09-26  7:58 ` [RFC PATCH v2 3/8] binman: ftest: Add test for ti-secure firewall node Manorit Chawdhry
@ 2023-10-02  1:17   ` Simon Glass
  0 siblings, 0 replies; 19+ messages in thread
From: Simon Glass @ 2023-10-02  1:17 UTC (permalink / raw)
  To: Manorit Chawdhry
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

On Tue, 26 Sept 2023 at 01:58, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
>
> Add test for TI firewalling node in ti-secure.
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
>  tools/binman/ftest.py                        | 12 ++++++++++++
>  tools/binman/test/311_ti_secure_firewall.dts | 28 ++++++++++++++++++++++++++++
>  2 files changed, 40 insertions(+)
>

Reviewed-by: Simon Glass <sjg@chromium.org>


* Re: [RFC PATCH v2 4/8] binman: k3: add k3-security.h and include it in k3-binman.dtsi
  2023-09-26  7:58 ` [RFC PATCH v2 4/8] binman: k3: add k3-security.h and include it in k3-binman.dtsi Manorit Chawdhry
@ 2023-10-02  1:17   ` Simon Glass
  2023-10-03 11:22     ` Manorit Chawdhry
  0 siblings, 1 reply; 19+ messages in thread
From: Simon Glass @ 2023-10-02  1:17 UTC (permalink / raw)
  To: Manorit Chawdhry
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Manorit,

On Tue, 26 Sept 2023 at 01:59, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
>
> For readability when configuring firewalls, add the k3-security.h file
> and include it in k3-binman.dtsi so that it is accessible across K3 SoCs.
>
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
>  arch/arm/dts/k3-binman.dtsi |  2 ++
>  arch/arm/dts/k3-security.h  | 58 +++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 60 insertions(+)
>

Reviewed-by: Simon Glass <sjg@chromium.org>

nits below

> diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
> index 2ea2dd18a12b..71ffa998a59f 100644
> --- a/arch/arm/dts/k3-binman.dtsi
> +++ b/arch/arm/dts/k3-binman.dtsi
> @@ -3,6 +3,8 @@
>   * Copyright (C) 2022-2023 Texas Instruments Incorporated - https://www.ti.com/
>   */
>
> +#include "k3-security.h"
> +
>  / {
>         binman: binman {
>                 multiple-images;
> diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h
> new file mode 100644
> index 000000000000..e012b7afaf94
> --- /dev/null
> +++ b/arch/arm/dts/k3-security.h
> @@ -0,0 +1,58 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2023 Texas Instruments Incorporated - https://www.ti.com/
> + */
> +
> +#ifndef DTS_ARM64_TI_K3_FIREWALL_H
> +#define DTS_ARM64_TI_K3_FIREWALL_H
> +
> +#define FWPRIVID_ALL    (0xc3)
> +#define FWPRIVID_ARMV8  (1)
> +#define FWPRIVID_SHIFT  (16)

drop () on those three and the next one

> +
> +#define FWCTRL_EN     (0xA)
> +#define FWCTRL_LOCK   (1 << 4)
> +#define FWCTRL_BG     (1 << 8)
> +#define FWCTRL_CACHE  (1 << 9)
> +
> +#define FWPERM_SECURE_PRIV_WRITE      (1 << 0)
> +#define FWPERM_SECURE_PRIV_READ       (1 << 1)
> +#define FWPERM_SECURE_PRIV_CACHEABLE  (1 << 2)
> +#define FWPERM_SECURE_PRIV_DEBUG      (1 << 3)
> +
> +#define FWPERM_SECURE_PRIV_RWCD       (FWPERM_SECURE_PRIV_READ | \
> +                                       FWPERM_SECURE_PRIV_WRITE | \
> +                                       FWPERM_SECURE_PRIV_CACHEABLE | \
> +                                       FWPERM_SECURE_PRIV_DEBUG)
> +
> +#define FWPERM_SECURE_USER_WRITE      (1 << 4)
> +#define FWPERM_SECURE_USER_READ       (1 << 5)
> +#define FWPERM_SECURE_USER_CACHEABLE  (1 << 6)
> +#define FWPERM_SECURE_USER_DEBUG      (1 << 7)
> +
> +#define FWPERM_SECURE_USER_RWCD       (FWPERM_SECURE_USER_READ | \
> +                                       FWPERM_SECURE_USER_WRITE | \
> +                                       FWPERM_SECURE_USER_CACHEABLE | \
> +                                       FWPERM_SECURE_USER_DEBUG)
> +
> +#define FWPERM_NON_SECURE_PRIV_WRITE      (1 << 8)
> +#define FWPERM_NON_SECURE_PRIV_READ       (1 << 9)
> +#define FWPERM_NON_SECURE_PRIV_CACHEABLE  (1 << 10)
> +#define FWPERM_NON_SECURE_PRIV_DEBUG      (1 << 11)
> +
> +#define FWPERM_NON_SECURE_PRIV_RWCD       (FWPERM_NON_SECURE_PRIV_READ | \
> +                                           FWPERM_NON_SECURE_PRIV_WRITE | \
> +                                           FWPERM_NON_SECURE_PRIV_CACHEABLE | \
> +                                           FWPERM_NON_SECURE_PRIV_DEBUG)
> +
> +#define FWPERM_NON_SECURE_USER_WRITE      (1 << 12)
> +#define FWPERM_NON_SECURE_USER_READ       (1 << 13)
> +#define FWPERM_NON_SECURE_USER_CACHEABLE  (1 << 14)
> +#define FWPERM_NON_SECURE_USER_DEBUG      (1 << 15)
> +
> +#define FWPERM_NON_SECURE_USER_RWCD       (FWPERM_NON_SECURE_USER_READ | \
> +                                           FWPERM_NON_SECURE_USER_WRITE | \
> +                                           FWPERM_NON_SECURE_USER_CACHEABLE | \
> +                                           FWPERM_NON_SECURE_USER_DEBUG)
> +
> +#endif
>
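Review bot: the include guard `DTS_ARM64_TI_K3_FIREWALL_H` does not match the file it protects, `k3-security.h`; renaming it to `DTS_ARM64_TI_K3_SECURITY_H` (or renaming the file) keeps the guard discoverable. The constants also carry no comments: a reader of the dtsi cannot tell from the hunk what `FWPRIVID_ALL (0xc3)` denotes beyond what the name suggests, what `FWCTRL_EN (0xA)` actually enables, or which certificate or register field the `FWPERM_*` values land in, so a one-line comment per group (privilege IDs, control word, permission bits) would help. The permission layout itself is only implied by the shifts: bits 0-3 secure-privileged, 4-7 secure-user, 8-11 non-secure-privileged, 12-15 non-secure-user, each with an `_RWCD` helper OR-ing all four; stating that in a comment above the first `FWPERM_` define would save the next person from re-deriving it, and since these values decide which masters may read, write or debug the ATF and OP-TEE regions, an erroneous bit here silently widens access rather than failing a build.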
> --
> 2.41.0
>

Regards,
Simon

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [RFC PATCH v2 1/8] dtoc: openssl: Add GetHexOctet method
  2023-10-02  1:17   ` Simon Glass
@ 2023-10-03 10:41     ` Manorit Chawdhry
  0 siblings, 0 replies; 19+ messages in thread
From: Manorit Chawdhry @ 2023-10-03 10:41 UTC (permalink / raw)
  To: Simon Glass
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Simon,

On 19:17-20231001, Simon Glass wrote:
> Hi Manorit,
> 
> On Tue, 26 Sept 2023 at 01:58, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
> >
> > HexOctet format is used by openssl for FORMAT:HEX,OCT property in x509
> > certificates. Add a helper function to extract the integer numbers in
> > HEX,OCT format to pass to openssl directly.
> >
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> >  tools/dtoc/fdt_util.py | 20 ++++++++++++++++++++
> >  1 file changed, 20 insertions(+)
> >
> > diff --git a/tools/dtoc/fdt_util.py b/tools/dtoc/fdt_util.py
> > index f1f70568cfef..d51dbf5633d0 100644
> > --- a/tools/dtoc/fdt_util.py
> > +++ b/tools/dtoc/fdt_util.py
> > @@ -100,6 +100,26 @@ def EnsureCompiled(fname, tmpdir=None, capture_stderr=False):
> >      command.run(dtc, *args, capture_stderr=capture_stderr)
> >      return dtb_output
> >
> > +def GetHexOctet(node, propname, default=None):
> 
> What is a hex octet?
> 

It is actually a Hex number in Octet form, basically using 0x0a instead
of 0xa type of thing. 

OpenSSL has complained when we use FORMAT:HEX,OCT:0 type of string
instead of FORMAT:HEX,OCT:00. Tbvh I still haven't been able to find a
clear documentation for this but this is what I have been able to figure
out based on my tests.

> > +    """Get an integer from a property in hex octet form required by openssl
> > +
> 
> You should mention what size property is permitted.
> 
> > +    Args:
> > +        node: Node object to read from
> > +        propname: property name to read
> > +        default: Default value to use if the node/property do not exist
> > +
> > +    Returns:
> > +        Integer value read as a String in Hex Octet Form
> > +    """
> > +    prop = node.props.get(propname)
> > +    if not isinstance(prop.value, list) or len(prop.value) != 2:
> > +        value = GetInt(node, propname)
> > +    elif isinstance(prop.value, list) and len(prop.value) == 2:
> > +        value = GetInt64(node, propname)
> 
> What if it is neither of those?
> 
> > +
> > +    hex_value = '%x' % (value)
> > +    return ('0' * (len(hex_value) & 1)) + hex_value
> 
> Can you do:
> 
> return f'{value:02x}'
> 

With the following suggestion I don't think I need the patch at all
anymore given that no one else seems to be requiring this HEX,OCT just
yet and am still in the process of finding a clear documentation for it.

Will be dropping that patch after testing if not required to be generic.
Thanks!

Regards,
Manorit

> ?
> 
> 
> > +
> >  def GetInt(node, propname, default=None):
> >      """Get an integer from a property
> >
> >
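Review bot: `default` is never used: `node.props.get(propname)` returns None when the property is absent, and the next line dereferences `prop.value`, so a missing property raises AttributeError instead of returning `default`; an early `if not prop: return default` (or a first call through `GetInt(node, propname, default)`) fixes that. The `elif` condition is the exact negation of the `if`, so it can be a plain `else`, which also makes it obvious that the two-cell list is the only 64-bit case and that no other shape leaves `value` unbound. Note too that `'0' * (len(hex_value) & 1)` pads to an even digit count for any size (0x123 becomes '0123'), whereas `f'{value:02x}'` only guarantees two digits and would leave 0x123 as '123'; if the even-length (whole-byte) form is what OpenSSL's FORMAT:HEX,OCT needs, keep the existing expression and say so in the docstring, together with the permitted property size.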
> > --
> > 2.41.0
> >

^ permalink raw reply	[flat|nested] 19+ messages in thread
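The even-length "hex octet" formatting discussed in the exchange above, as an added example that is not part of the dtoc patch or of binman: `hex_octet()` keeps the patch's whole-byte padding, `get_hex_octet()` adds the missing-property and unsupported-type handling a reviewer would expect, and `min_two_digits()` shows why a plain two-digit width is not the same thing. `FakeNode` and `FakeProp` are constructed stand-ins for dtoc's `Node`/`Prop` objects that hold already-decoded integers (dtoc's real `Prop.value` holds raw cell bytes), so the block runs without dtoc.

```python
"""Even-length ("hex octet") formatting for OpenSSL's FORMAT:HEX,OCT strings.

Added example; not code from the dtoc/binman patch. FakeProp/FakeNode are
constructed stand-ins for dtoc's Prop/Node that carry decoded ints (or a
two-int list for a 64-bit value) instead of dtoc's raw cell bytes.
"""
from typing import Optional, Union

CellValue = Union[int, list]


class FakeProp:
    """Stand-in for dtoc Prop: value is an int or a list of two 32-bit ints."""
    def __init__(self, value: CellValue):
        self.value = value


class FakeNode:
    """Stand-in for dtoc Node: only the props dict is modelled."""
    def __init__(self, **props: CellValue):
        self.props = {name: FakeProp(val) for name, val in props.items()}


def hex_octet(value: int) -> str:
    """Format a non-negative int with an even number of hex digits, no 0x.

    OpenSSL's FORMAT:HEX,OCT wants whole bytes, so 0xa -> '0a' and
    0x123 -> '0123'. Zero is one byte: '00'.
    """
    if value < 0:
        raise ValueError('hex octet form needs a non-negative integer')
    digits = '%x' % value
    # Odd digit count means a half byte is missing at the front; pad it.
    return '0' * (len(digits) & 1) + digits


def min_two_digits(value: int) -> str:
    """Two-digit minimum width: enough for a single byte, but 0x123 stays '123'."""
    return f'{value:02x}'


def get_hex_octet(node, propname: str,
                  default: Optional[int] = None) -> Optional[str]:
    """Read a one- or two-cell integer property and return it in hex-octet form.

    A missing property returns default (formatted when it is an int) rather
    than raising, and any other property shape is rejected explicitly so no
    code path leaves the value undefined.
    """
    prop = node.props.get(propname)
    if prop is None:
        return None if default is None else hex_octet(default)
    val = prop.value
    if isinstance(val, list):
        if len(val) != 2:
            raise ValueError(f'{propname}: expected one or two 32-bit cells')
        # Two cells: high word first, the same composition GetInt64 performs.
        val = (val[0] << 32) | val[1]
    elif not isinstance(val, int):
        raise ValueError(f'{propname}: unsupported property type')
    return hex_octet(val)


if __name__ == '__main__':
    node = FakeNode(privid=0xc3, addr=[0x1, 0x80000000])
    for name in ('privid', 'addr', 'absent'):
        print(name, get_hex_octet(node, name, default=0xa))
```

The two-cell path mirrors what the patch delegates to `GetInt64`; the check for an unsupported type is the reviewer's "what if it is neither of those?" made explicit.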

* Re: [RFC PATCH v2 2/8] binman: ti-secure: Add support for firewalling entities
  2023-10-02  1:17   ` Simon Glass
@ 2023-10-03 11:21     ` Manorit Chawdhry
  2023-10-04  2:11       ` Simon Glass
  0 siblings, 1 reply; 19+ messages in thread
From: Manorit Chawdhry @ 2023-10-03 11:21 UTC (permalink / raw)
  To: Simon Glass
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Simon,

On 19:17-20231001, Simon Glass wrote:
> Hi Manorit,
> 
> On Tue, 26 Sept 2023 at 01:58, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
> >
> > We can now firewall entities while loading them through our secure
> > entity TIFS, the required information should be present in the
> > certificate that is being parsed by TIFS.
> >
> > The following commit adds the support to enable the certificates to be
> > generated if the firewall configurations are present in the binman dtsi
> > nodes.
> >
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> >  tools/binman/btool/openssl.py   | 16 +++++++-
> >  tools/binman/etype/ti_secure.py | 85 +++++++++++++++++++++++++++++++++++++++++
> >  tools/binman/etype/x509_cert.py |  3 +-
> >  3 files changed, 101 insertions(+), 3 deletions(-)
> >
> 
> Please do check that you have 100% test coverage here (binman test -T)
> 

Name                                                    Stmts   Miss  Cover
---------------------------------------------------------------------------
[snip]
tools/binman/btool/openssl.py                              42      0   100%
tools/binman/etype/ti_secure.py                            57      0   100%
tools/binman/etype/x509_cert.py                            70      0   100%
[snip]
---------------------------------------------------------------------------
TOTAL                                                    5588    134    98%

I did check that, did you notice something else that I might've missed?
I just checked for the files that I have changed, I am not sure if there
are any dependencies that I also have to keep in mind. Do let me know if
I missed something.

Regards,
Manorit

> Regards,
> Simon

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [RFC PATCH v2 4/8] binman: k3: add k3-security.h and include it in k3-binman.dtsi
  2023-10-02  1:17   ` Simon Glass
@ 2023-10-03 11:22     ` Manorit Chawdhry
  0 siblings, 0 replies; 19+ messages in thread
From: Manorit Chawdhry @ 2023-10-03 11:22 UTC (permalink / raw)
  To: Simon Glass
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Simon,

On 19:17-20231001, Simon Glass wrote:
> Hi Manorit,
> 
> On Tue, 26 Sept 2023 at 01:59, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
> >
> > For readability during configuring firewalls, adding k3-security.h file
> > and including it in k3-binman.dtsi to be accessible across K3 SoCs
> >
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> >  arch/arm/dts/k3-binman.dtsi |  2 ++
> >  arch/arm/dts/k3-security.h  | 58 +++++++++++++++++++++++++++++++++++++++++++++
> >  2 files changed, 60 insertions(+)
> >
> 
> Reviewed-by: Simon Glass <sjg@chromium.org>
> 
> nits below
> 
> > diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
> > index 2ea2dd18a12b..71ffa998a59f 100644
> > --- a/arch/arm/dts/k3-binman.dtsi
> > +++ b/arch/arm/dts/k3-binman.dtsi
> > @@ -3,6 +3,8 @@
> >   * Copyright (C) 2022-2023 Texas Instruments Incorporated - https://www.ti.com/
> >   */
> >
> > +#include "k3-security.h"
> > +
> >  / {
> >         binman: binman {
> >                 multiple-images;
> > diff --git a/arch/arm/dts/k3-security.h b/arch/arm/dts/k3-security.h
> > new file mode 100644
> > index 000000000000..e012b7afaf94
> > --- /dev/null
> > +++ b/arch/arm/dts/k3-security.h
> > @@ -0,0 +1,58 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/*
> > + * Copyright (C) 2023 Texas Instruments Incorporated - https://www.ti.com/
> > + */
> > +
> > +#ifndef DTS_ARM64_TI_K3_FIREWALL_H
> > +#define DTS_ARM64_TI_K3_FIREWALL_H
> > +
> > +#define FWPRIVID_ALL    (0xc3)
> > +#define FWPRIVID_ARMV8  (1)
> > +#define FWPRIVID_SHIFT  (16)
> 
> drop () on those three and the next one
> 

Would fix those in next revision. Thanks for the reviews!

Regards,
Manorit

> > +
> > +#define FWCTRL_EN     (0xA)
> > +#define FWCTRL_LOCK   (1 << 4)
> > +#define FWCTRL_BG     (1 << 8)
> > +#define FWCTRL_CACHE  (1 << 9)
> > +
> > +#define FWPERM_SECURE_PRIV_WRITE      (1 << 0)
> > +#define FWPERM_SECURE_PRIV_READ       (1 << 1)
> > +#define FWPERM_SECURE_PRIV_CACHEABLE  (1 << 2)
> > +#define FWPERM_SECURE_PRIV_DEBUG      (1 << 3)
> > +
> > +#define FWPERM_SECURE_PRIV_RWCD       (FWPERM_SECURE_PRIV_READ | \
> > +                                       FWPERM_SECURE_PRIV_WRITE | \
> > +                                       FWPERM_SECURE_PRIV_CACHEABLE | \
> > +                                       FWPERM_SECURE_PRIV_DEBUG)
> > +
> > +#define FWPERM_SECURE_USER_WRITE      (1 << 4)
> > +#define FWPERM_SECURE_USER_READ       (1 << 5)
> > +#define FWPERM_SECURE_USER_CACHEABLE  (1 << 6)
> > +#define FWPERM_SECURE_USER_DEBUG      (1 << 7)
> > +
> > +#define FWPERM_SECURE_USER_RWCD       (FWPERM_SECURE_USER_READ | \
> > +                                       FWPERM_SECURE_USER_WRITE | \
> > +                                       FWPERM_SECURE_USER_CACHEABLE | \
> > +                                       FWPERM_SECURE_USER_DEBUG)
> > +
> > +#define FWPERM_NON_SECURE_PRIV_WRITE      (1 << 8)
> > +#define FWPERM_NON_SECURE_PRIV_READ       (1 << 9)
> > +#define FWPERM_NON_SECURE_PRIV_CACHEABLE  (1 << 10)
> > +#define FWPERM_NON_SECURE_PRIV_DEBUG      (1 << 11)
> > +
> > +#define FWPERM_NON_SECURE_PRIV_RWCD       (FWPERM_NON_SECURE_PRIV_READ | \
> > +                                           FWPERM_NON_SECURE_PRIV_WRITE | \
> > +                                           FWPERM_NON_SECURE_PRIV_CACHEABLE | \
> > +                                           FWPERM_NON_SECURE_PRIV_DEBUG)
> > +
> > +#define FWPERM_NON_SECURE_USER_WRITE      (1 << 12)
> > +#define FWPERM_NON_SECURE_USER_READ       (1 << 13)
> > +#define FWPERM_NON_SECURE_USER_CACHEABLE  (1 << 14)
> > +#define FWPERM_NON_SECURE_USER_DEBUG      (1 << 15)
> > +
> > +#define FWPERM_NON_SECURE_USER_RWCD       (FWPERM_NON_SECURE_USER_READ | \
> > +                                           FWPERM_NON_SECURE_USER_WRITE | \
> > +                                           FWPERM_NON_SECURE_USER_CACHEABLE | \
> > +                                           FWPERM_NON_SECURE_USER_DEBUG)
> > +
> > +#endif
> >
> > --
> > 2.41.0
> >
> 
> Regards,
> Simon

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [RFC PATCH v2 2/8] binman: ti-secure: Add support for firewalling entities
  2023-10-03 11:21     ` Manorit Chawdhry
@ 2023-10-04  2:11       ` Simon Glass
  0 siblings, 0 replies; 19+ messages in thread
From: Simon Glass @ 2023-10-04  2:11 UTC (permalink / raw)
  To: Manorit Chawdhry
  Cc: Alper Nebi Yasak, Neha Malcom Francis, Andrew Davis,
	Vignesh Raghavendra, u-boot, Udit Kumar, Praneeth Bajjuri,
	Kamlesh Gurudasani, Nishanth Menon

Hi Manorit,

On Tue, 3 Oct 2023 at 05:21, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
>
> Hi Simon,
>
> On 19:17-20231001, Simon Glass wrote:
> > Hi Manorit,
> >
> > On Tue, 26 Sept 2023 at 01:58, Manorit Chawdhry <m-chawdhry@ti.com> wrote:
> > >
> > > We can now firewall entities while loading them through our secure
> > > entity TIFS, the required information should be present in the
> > > certificate that is being parsed by TIFS.
> > >
> > > The following commit adds the support to enable the certificates to be
> > > generated if the firewall configurations are present in the binman dtsi
> > > nodes.
> > >
> > > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > > ---
> > >  tools/binman/btool/openssl.py   | 16 +++++++-
> > >  tools/binman/etype/ti_secure.py | 85 +++++++++++++++++++++++++++++++++++++++++
> > >  tools/binman/etype/x509_cert.py |  3 +-
> > >  3 files changed, 101 insertions(+), 3 deletions(-)
> > >
> >
> > Please do check that you have 100% test coverage here (binman test -T)
> >
>
> Name                                                    Stmts   Miss  Cover
> ---------------------------------------------------------------------------
> [snip]
> tools/binman/btool/openssl.py                              42      0   100%
> tools/binman/etype/ti_secure.py                            57      0   100%
> tools/binman/etype/x509_cert.py                            70      0   100%
> [snip]
> ---------------------------------------------------------------------------
> TOTAL                                                    5588    134    98%
>
> I did check that, did you notice something else that I might've missed?
> I just checked for the files that I have changed, I am not sure if there
> are any dependencies that I also have to keep in mind. Do let me know if
> I missed something.

Yes it seems to be a problem with a Xilinx tool. I sent an email about
it, so don't worry about this.

Regards,
Simon

^ permalink raw reply	[flat|nested] 19+ messages in thread

end of thread, other threads:[~2023-10-04  2:11 UTC | newest]

Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-26  7:58 [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Manorit Chawdhry
2023-09-26  7:58 ` [RFC PATCH v2 1/8] dtoc: openssl: Add GetHexOctet method Manorit Chawdhry
2023-10-02  1:17   ` Simon Glass
2023-10-03 10:41     ` Manorit Chawdhry
2023-09-26  7:58 ` [RFC PATCH v2 2/8] binman: ti-secure: Add support for firewalling entities Manorit Chawdhry
2023-10-02  1:17   ` Simon Glass
2023-10-03 11:21     ` Manorit Chawdhry
2023-10-04  2:11       ` Simon Glass
2023-09-26  7:58 ` [RFC PATCH v2 3/8] binman: ftest: Add test for ti-secure firewall node Manorit Chawdhry
2023-10-02  1:17   ` Simon Glass
2023-09-26  7:58 ` [RFC PATCH v2 4/8] binman: k3: add k3-security.h and include it in k3-binman.dtsi Manorit Chawdhry
2023-10-02  1:17   ` Simon Glass
2023-10-03 11:22     ` Manorit Chawdhry
2023-09-26  7:58 ` [RFC PATCH v2 5/8] binman: j721e: Add firewall configurations for atf Manorit Chawdhry
2023-09-26  7:58 ` [RFC PATCH v2 6/8] binman: am62x: Add firewalling configurations Manorit Chawdhry
2023-09-26  7:58 ` [RFC PATCH v2 7/8] binman: j721s2: Add firewall configurations Manorit Chawdhry
2023-09-26  7:58 ` [RFC PATCH v2 8/8] binman: j7200: " Manorit Chawdhry
2023-09-26 14:25 ` [RFC PATCH v2 0/8] ATF and OP-TEE Firewalling for K3 devices Andrew Davis
2023-09-27  4:38   ` Manorit Chawdhry
