diff options
Diffstat (limited to 'arch/arm/cpu/armv7')
-rw-r--r-- | arch/arm/cpu/armv7/am33xx/Kconfig | 87 | ||||
-rw-r--r-- | arch/arm/cpu/armv7/am33xx/config.mk | 24 | ||||
-rw-r--r-- | arch/arm/cpu/armv7/omap-common/Kconfig | 2 | ||||
-rw-r--r-- | arch/arm/cpu/armv7/omap-common/emif-common.c | 15 | ||||
-rw-r--r-- | arch/arm/cpu/armv7/omap5/Kconfig | 26 | ||||
-rw-r--r-- | arch/arm/cpu/armv7/omap5/Makefile | 1 | ||||
-rw-r--r-- | arch/arm/cpu/armv7/omap5/fdt.c | 64 | ||||
-rw-r--r-- | arch/arm/cpu/armv7/omap5/sec-fxns.c | 126 |
8 files changed, 338 insertions, 7 deletions
diff --git a/arch/arm/cpu/armv7/am33xx/Kconfig b/arch/arm/cpu/armv7/am33xx/Kconfig index 2d7d1fc4f1..8fd32c2a46 100644 --- a/arch/arm/cpu/armv7/am33xx/Kconfig +++ b/arch/arm/cpu/armv7/am33xx/Kconfig @@ -1,3 +1,88 @@ +if AM33XX + +choice + prompt "AM33xx board select" + optional + +config TARGET_AM335X_EVM + bool "Support am335x_evm" + select DM + select DM_SERIAL + select DM_GPIO + select TI_I2C_BOARD_DETECT + help + This option specifies support for the AM335x + GP and HS EVM development platforms. The AM335x + GP EVM is a standalone test, development, and + evaluation module system that enables developers + to write software and develop hardware around + an AM335x processor subsystem. + +config TARGET_AM335X_BALTOS + bool "Support am335x_baltos" + select DM + select DM_SERIAL + select DM_GPIO + +config TARGET_AM335X_IGEP0033 + bool "Support am335x_igep0033" + select DM + select DM_SERIAL + select DM_GPIO + +config TARGET_AM335X_SHC + bool "Support am335x based shc board from bosch" + select DM + select DM_SERIAL + select DM_GPIO + +config TARGET_AM335X_SL50 + bool "Support am335x_sl50" + select DM + select DM_SERIAL + select DM_GPIO + +config TARGET_BAV335X + bool "Support bav335x" + select DM + select DM_SERIAL + help + The BAV335x OEM Network Processor integrates all the functions of an + embedded network computer in a small, easy to use SODIMM module which + incorporates the popular Texas Instruments Sitara 32bit ARM Coretex-A8 + processor, with fast DDR3 512MB SDRAM, 4GB of embedded MMC and a Gigabit + ethernet with simple connection to external connectors. + + For more information, visit: http://birdland.com/oem + +config TARGET_CM_T335 + bool "Support cm_t335" + select DM + select DM_SERIAL + select DM_GPIO + +config TARGET_PCM051 + bool "Support pcm051" + select DM + select DM_SERIAL + select DM_GPIO + +config TARGET_PENGWYN + bool "Support pengwyn" + select DM + select DM_SERIAL + select DM_GPIO + +config TARGET_PEPPER + bool "Support pepper" + select DM + select DM_SERIAL + select DM_GPIO + +endchoice + +endif + if AM43XX config SPL_EXT_SUPPORT @@ -19,7 +104,9 @@ config TARGET_AM43XX_EVM evaluation module system that enables developers to write software and develop hardware around an AM43xx processor subsystem. +endif +if AM43XX || AM33XX config ISW_ENTRY_ADDR hex "Address in memory or XIP flash of bootloader entry point" help diff --git a/arch/arm/cpu/armv7/am33xx/config.mk b/arch/arm/cpu/armv7/am33xx/config.mk index d4eb21ca14..87b76d96a8 100644 --- a/arch/arm/cpu/armv7/am33xx/config.mk +++ b/arch/arm/cpu/armv7/am33xx/config.mk @@ -12,16 +12,32 @@ ifeq ($(CONFIG_TI_SECURE_DEVICE),y) # For booting from SPI use # u-boot-spl_HS_SPI_X-LOADER to program flash # -# For booting spl from all other media -# use u-boot-spl_HS_ISSW +# On AM43XX: +# +# For booting spl from all other media use +# u-boot-spl_HS_ISSW +# +# On AM33XX: +# +# For booting spl from NAND flash use +# u-boot-spl_HS_X-LOADER +# +# For booting spl from SD/MMC/eMMC media use +# u-boot-spl_HS_MLO +# +# For booting spl over UART, USB, or Ethernet use +# u-boot-spl_HS_2ND # # Refer to README.ti-secure for more info # ALL-y += u-boot-spl_HS_ISSW -ALL-$(CONFIG_SPL_SPI_SUPPORT) += u-boot-spl_HS_SPI_X-LOADER +ALL-y += u-boot-spl_HS_SPI_X-LOADER +ALL-y += u-boot-spl_HS_X-LOADER +ALL-y += u-boot-spl_HS_MLO +ALL-y += u-boot-spl_HS_2ND else ALL-y += MLO -ALL-$(CONFIG_SPL_SPI_SUPPORT) += MLO.byteswap +ALL-y += MLO.byteswap endif else ifeq ($(CONFIG_TI_SECURE_DEVICE),y) diff --git a/arch/arm/cpu/armv7/omap-common/Kconfig b/arch/arm/cpu/armv7/omap-common/Kconfig index 7b39506ae8..4daccd93ff 100644 --- a/arch/arm/cpu/armv7/omap-common/Kconfig +++ b/arch/arm/cpu/armv7/omap-common/Kconfig @@ -1,6 +1,6 @@ config TI_SECURE_DEVICE bool "HS Device Type Support" - depends on OMAP54XX || AM43XX + depends on OMAP54XX || AM43XX || AM33XX help If a high secure (HS) device type is being used, this config must be set. This option impacts various aspects of the diff --git a/arch/arm/cpu/armv7/omap-common/emif-common.c b/arch/arm/cpu/armv7/omap-common/emif-common.c index 2b790105b0..b26984e26c 100644 --- a/arch/arm/cpu/armv7/omap-common/emif-common.c +++ b/arch/arm/cpu/armv7/omap-common/emif-common.c @@ -14,6 +14,7 @@ #include <asm/arch/clock.h> #include <asm/arch/sys_proto.h> #include <asm/omap_common.h> +#include <asm/omap_sec_common.h> #include <asm/utils.h> #include <linux/compiler.h> @@ -1477,6 +1478,20 @@ void sdram_init(void) debug("get_ram_size() successful"); } +#if defined(CONFIG_TI_SECURE_DEVICE) + /* + * On HS devices, do static EMIF firewall configuration + * but only do it if not already running in SDRAM + */ + if (!in_sdram) + if (0 != secure_emif_reserve()) + hang(); + + /* On HS devices, ensure static EMIF firewall APIs are locked */ + if (0 != secure_emif_firewall_lock()) + hang(); +#endif + if (sdram_type == EMIF_SDRAM_TYPE_DDR3 && (!in_sdram && !warm_reset()) && (!is_dra7xx())) { if (emif1_enabled) diff --git a/arch/arm/cpu/armv7/omap5/Kconfig b/arch/arm/cpu/armv7/omap5/Kconfig index ef68c535df..a947ba4d98 100644 --- a/arch/arm/cpu/armv7/omap5/Kconfig +++ b/arch/arm/cpu/armv7/omap5/Kconfig @@ -57,6 +57,32 @@ endchoice config SYS_SOC default "omap5" +config TI_SECURE_EMIF_REGION_START + hex "Reserved EMIF region start address" + depends on TI_SECURE_DEVICE + default 0x0 + help + Reserved EMIF region start address. Set to "0" to auto-select + to be at the end of the external memory region. + +config TI_SECURE_EMIF_TOTAL_REGION_SIZE + hex "Reserved EMIF region size" + depends on TI_SECURE_DEVICE + default 0x0 + help + Total reserved EMIF region size. Default is 0, which means no reserved EMIF + region on secure devices. + +config TI_SECURE_EMIF_PROTECTED_REGION_SIZE + hex "Size of protected region within reserved EMIF region" + depends on TI_SECURE_DEVICE + default 0x0 + help + This config option is used to specify the size of the portion of the total + reserved EMIF region set aside for secure OS needs that will be protected + using hardware memory firewalls. This value must be smaller than the + TI_SECURE_EMIF_TOTAL_REGION_SIZE value. + source "board/compulab/cm_t54/Kconfig" source "board/ti/omap5_uevm/Kconfig" source "board/ti/dra7xx/Kconfig" diff --git a/arch/arm/cpu/armv7/omap5/Makefile b/arch/arm/cpu/armv7/omap5/Makefile index 3caba86791..0212df73c1 100644 --- a/arch/arm/cpu/armv7/omap5/Makefile +++ b/arch/arm/cpu/armv7/omap5/Makefile @@ -14,3 +14,4 @@ obj-y += hw_data.o obj-y += abb.o obj-y += fdt.o obj-$(CONFIG_IODELAY_RECALIBRATION) += dra7xx_iodelay.o +obj-$(CONFIG_TI_SECURE_DEVICE) += sec-fxns.o diff --git a/arch/arm/cpu/armv7/omap5/fdt.c b/arch/arm/cpu/armv7/omap5/fdt.c index 0493cd1eab..da8d59bb59 100644 --- a/arch/arm/cpu/armv7/omap5/fdt.c +++ b/arch/arm/cpu/armv7/omap5/fdt.c @@ -153,13 +153,73 @@ static int ft_hs_fixup_sram(void *fdt, bd_t *bd) static int ft_hs_fixup_sram(void *fdt, bd_t *bd) { return 0; } #endif +#if (CONFIG_TI_SECURE_EMIF_TOTAL_REGION_SIZE != 0) +static int ft_hs_fixup_dram(void *fdt, bd_t *bd) +{ + const char *path, *subpath; + int offs; + u32 sec_mem_start = CONFIG_TI_SECURE_EMIF_REGION_START; + u32 sec_mem_size = CONFIG_TI_SECURE_EMIF_TOTAL_REGION_SIZE; + fdt64_t temp[2]; + + /* If start address is zero, place at end of DRAM */ + if (0 == sec_mem_start) + sec_mem_start = + (CONFIG_SYS_SDRAM_BASE + + (omap_sdram_size() - sec_mem_size)); + + /* Delete any original secure_reserved node */ + path = "/reserved-memory/secure_reserved"; + offs = fdt_path_offset(fdt, path); + if (offs >= 0) + fdt_del_node(fdt, offs); + + /* Add new secure_reserved node */ + path = "/reserved-memory"; + offs = fdt_path_offset(fdt, path); + if (offs < 0) { + debug("Node %s not found\n", path); + path = "/"; + subpath = "reserved-memory"; + fdt_path_offset(fdt, path); + offs = fdt_add_subnode(fdt, offs, subpath); + if (offs < 0) { + printf("Could not create %s%s node.\n", path, subpath); + return 1; + } + path = "/reserved-memory"; + offs = fdt_path_offset(fdt, path); + } + + subpath = "secure_reserved"; + offs = fdt_add_subnode(fdt, offs, subpath); + if (offs < 0) { + printf("Could not create %s%s node.\n", path, subpath); + return 1; + } + + temp[0] = cpu_to_fdt64(((u64)sec_mem_start)); + temp[1] = cpu_to_fdt64(((u64)sec_mem_size)); + fdt_setprop_string(fdt, offs, "compatible", + "ti,dra7-secure-memory"); + fdt_setprop_string(fdt, offs, "status", "okay"); + fdt_setprop(fdt, offs, "no-map", NULL, 0); + fdt_setprop(fdt, offs, "reg", temp, sizeof(temp)); + + return 0; +} +#else +static int ft_hs_fixup_dram(void *fdt, bd_t *bd) { return 0; } +#endif + static void ft_hs_fixups(void *fdt, bd_t *bd) { /* Check we are running on an HS/EMU device type */ if (GP_DEVICE != get_device_type()) { if ((ft_hs_fixup_crossbar(fdt, bd) == 0) && (ft_hs_disable_rng(fdt, bd) == 0) && - (ft_hs_fixup_sram(fdt, bd) == 0)) + (ft_hs_fixup_sram(fdt, bd) == 0) && + (ft_hs_fixup_dram(fdt, bd) == 0)) return; } else { printf("ERROR: Incorrect device type (GP) detected!"); @@ -171,7 +231,7 @@ static void ft_hs_fixups(void *fdt, bd_t *bd) static void ft_hs_fixups(void *fdt, bd_t *bd) { } -#endif +#endif /* #ifdef CONFIG_TI_SECURE_DEVICE */ /* * Place for general cpu/SoC FDT fixups. Board specific diff --git a/arch/arm/cpu/armv7/omap5/sec-fxns.c b/arch/arm/cpu/armv7/omap5/sec-fxns.c new file mode 100644 index 0000000000..33d4ea4eac --- /dev/null +++ b/arch/arm/cpu/armv7/omap5/sec-fxns.c @@ -0,0 +1,126 @@ +/* + * + * Security related functions for OMAP5 class devices + * + * (C) Copyright 2016 + * Texas Instruments, <www.ti.com> + * + * Daniel Allred <d-allred@ti.com> + * Harinarayan Bhatta <harinarayan@ti.com> + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include <common.h> +#include <stdarg.h> + +#include <asm/arch/sys_proto.h> +#include <asm/omap_common.h> +#include <asm/omap_sec_common.h> +#include <asm/spl.h> +#include <spl.h> + +/* Index for signature PPA-based TI HAL APIs */ +#define PPA_HAL_SERVICES_START_INDEX (0x200) +#define PPA_SERV_HAL_SETUP_SEC_RESVD_REGION (PPA_HAL_SERVICES_START_INDEX + 25) +#define PPA_SERV_HAL_SETUP_EMIF_FW_REGION (PPA_HAL_SERVICES_START_INDEX + 26) +#define PPA_SERV_HAL_LOCK_EMIF_FW (PPA_HAL_SERVICES_START_INDEX + 27) + +static u32 get_sec_mem_start(void) +{ + u32 sec_mem_start = CONFIG_TI_SECURE_EMIF_REGION_START; + u32 sec_mem_size = CONFIG_TI_SECURE_EMIF_TOTAL_REGION_SIZE; + /* + * Total reserved region is all contiguous with protected + * region coming first, followed by the non-secure region. + * If 0x0 start address is given, we simply put the reserved + * region at the end of the external DRAM. + */ + if (sec_mem_start == 0) + sec_mem_start = + (CONFIG_SYS_SDRAM_BASE + + (omap_sdram_size() - sec_mem_size)); + return sec_mem_start; +} + +int secure_emif_firewall_setup(uint8_t region_num, uint32_t start_addr, + uint32_t size, uint32_t access_perm, + uint32_t initiator_perm) +{ + int result = 1; + + /* + * Call PPA HAL API to do any other general firewall + * configuration for regions 1-6 of the EMIF firewall. + */ + debug("%s: regionNum = %x, startAddr = %x, size = %x", __func__, + region_num, start_addr, size); + + result = secure_rom_call( + PPA_SERV_HAL_SETUP_EMIF_FW_REGION, 0, 0, 4, + (start_addr & 0xFFFFFFF0) | (region_num & 0x0F), + size, access_perm, initiator_perm); + + if (result != 0) { + puts("Secure EMIF Firewall Setup failed!\n"); + debug("Return Value = %x\n", result); + } + + return result; +} + +#if (CONFIG_TI_SECURE_EMIF_TOTAL_REGION_SIZE < \ + CONFIG_TI_SECURE_EMIF_PROTECTED_REGION_SIZE) +#error "TI Secure EMIF: Protected size cannot be larger than total size." +#endif +int secure_emif_reserve(void) +{ + int result = 1; + u32 sec_mem_start = get_sec_mem_start(); + u32 sec_prot_size = CONFIG_TI_SECURE_EMIF_PROTECTED_REGION_SIZE; + + /* If there is no protected region, there is no reservation to make */ + if (sec_prot_size == 0) + return 0; + + /* + * Call PPA HAL API to reserve a chunk of EMIF SDRAM + * for secure world use. This region should be carved out + * from use by any public code. EMIF firewall region 7 + * will be used to protect this block of memory. + */ + result = secure_rom_call( + PPA_SERV_HAL_SETUP_SEC_RESVD_REGION, + 0, 0, 2, sec_mem_start, sec_prot_size); + + if (result != 0) { + puts("SDRAM Firewall: Secure memory reservation failed!\n"); + debug("Return Value = %x\n", result); + } + + return result; +} + +int secure_emif_firewall_lock(void) +{ + int result = 1; + + /* + * Call PPA HAL API to lock the EMIF firewall configurations. + * After this API is called, none of the PPA HAL APIs for + * configuring the EMIF firewalls will be usable again (that + * is, calls to those APIs will return failure and have no + * effect). + */ + + result = secure_rom_call( + PPA_SERV_HAL_LOCK_EMIF_FW, + 0, 0, 0); + + if (result != 0) { + puts("Secure EMIF Firewall Lock failed!\n"); + debug("Return Value = %x\n", result); + } + + return result; +} |