mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-12-14 15:23:07 +00:00
89caf6d6c5
For readability during configuring firewalls, adding k3-security.h file and including it in k3-binman.dtsi to be accessible across K3 SoCs Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com> Reviewed-by: Andrew Davis <afd@ti.com>
492 lines
10 KiB
Text
492 lines
10 KiB
Text
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Copyright (C) 2022-2023 Texas Instruments Incorporated - https://www.ti.com/
|
|
*/
|
|
|
|
#include "k3-security.h"
|
|
|
|
/ {
|
|
binman: binman {
|
|
multiple-images;
|
|
};
|
|
};
|
|
|
|
&binman {
|
|
custMpk {
|
|
filename = "custMpk.pem";
|
|
custmpk_pem: blob-ext {
|
|
filename = "arch/arm/mach-k3/keys/custMpk.pem";
|
|
};
|
|
};
|
|
|
|
ti-degenerate-key {
|
|
filename = "ti-degenerate-key.pem";
|
|
dkey_pem: blob-ext {
|
|
filename = "arch/arm/mach-k3/keys/ti-degenerate-key.pem";
|
|
};
|
|
};
|
|
};
|
|
|
|
#ifndef CONFIG_ARM64
|
|
|
|
&binman {
|
|
board-cfg {
|
|
filename = "board-cfg.bin";
|
|
bcfg_yaml: ti-board-config {
|
|
config = "board-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
};
|
|
pm-cfg {
|
|
filename = "pm-cfg.bin";
|
|
pcfg_yaml: ti-board-config {
|
|
config = "pm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
};
|
|
rm-cfg {
|
|
filename = "rm-cfg.bin";
|
|
rcfg_yaml: ti-board-config {
|
|
config = "rm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
};
|
|
sec-cfg {
|
|
filename = "sec-cfg.bin";
|
|
scfg_yaml: ti-board-config {
|
|
config = "sec-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
};
|
|
combined-tifs-cfg {
|
|
filename = "combined-tifs-cfg.bin";
|
|
ti-board-config {
|
|
bcfg_yaml_tifs: board-cfg {
|
|
config = "board-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
scfg_yaml_tifs: sec-cfg {
|
|
config = "sec-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
pcfg_yaml_tifs: pm-cfg {
|
|
config = "pm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
rcfg_yaml_tifs: rm-cfg {
|
|
config = "rm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
};
|
|
};
|
|
combined-dm-cfg {
|
|
filename = "combined-dm-cfg.bin";
|
|
ti-board-config {
|
|
pcfg_yaml_dm: pm-cfg {
|
|
config = "pm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
rcfg_yaml_dm: rm-cfg {
|
|
config = "rm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
};
|
|
};
|
|
combined-sysfw-cfg {
|
|
filename = "combined-sysfw-cfg.bin";
|
|
ti-board-config {
|
|
bcfg_yaml_sysfw: board-cfg {
|
|
config = "board-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
scfg_yaml_sysfw: sec-cfg {
|
|
config = "sec-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
pcfg_yaml_sysfw: pm-cfg {
|
|
config = "pm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
rcfg_yaml_sysfw: rm-cfg {
|
|
config = "rm-cfg.yaml";
|
|
schema = "arch/arm/mach-k3/schema.yaml";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
&binman {
|
|
itb_template: template-5 {
|
|
fit {
|
|
description = "SYSFW and Config fragments";
|
|
#address-cells = <1>;
|
|
images {
|
|
sysfw.bin {
|
|
description = "sysfw";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
blob-ext {
|
|
filename = "sysfw.bin";
|
|
};
|
|
};
|
|
board-cfg.bin {
|
|
description = "board-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
ti-secure {
|
|
content = <&board_cfg>;
|
|
keyfile = "custMpk.pem";
|
|
};
|
|
board_cfg: board-cfg {
|
|
filename = "board-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
|
|
};
|
|
pm-cfg.bin {
|
|
description = "pm-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
ti-secure {
|
|
content = <&pm_cfg>;
|
|
keyfile = "custMpk.pem";
|
|
};
|
|
pm_cfg: pm-cfg {
|
|
filename = "pm-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
};
|
|
rm-cfg.bin {
|
|
description = "rm-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
ti-secure {
|
|
content = <&rm_cfg>;
|
|
keyfile = "custMpk.pem";
|
|
};
|
|
rm_cfg: rm-cfg {
|
|
filename = "rm-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
};
|
|
sec-cfg.bin {
|
|
description = "sec-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
ti-secure {
|
|
content = <&sec_cfg>;
|
|
keyfile = "custMpk.pem";
|
|
};
|
|
sec_cfg: sec-cfg {
|
|
filename = "sec-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
itb_unsigned_template: template-6 {
|
|
fit {
|
|
description = "SYSFW and Config fragments";
|
|
#address-cells = <1>;
|
|
images {
|
|
sysfw.bin {
|
|
description = "sysfw";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
blob-ext {
|
|
filename = "sysfw.bin_fs";
|
|
};
|
|
};
|
|
board-cfg.bin {
|
|
description = "board-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
board-cfg {
|
|
filename = "board-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
|
|
};
|
|
pm-cfg.bin {
|
|
description = "pm-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
pm-cfg {
|
|
filename = "pm-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
};
|
|
rm-cfg.bin {
|
|
description = "rm-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
rm-cfg {
|
|
filename = "rm-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
};
|
|
sec-cfg.bin {
|
|
description = "sec-cfg";
|
|
type = "firmware";
|
|
arch = "arm";
|
|
compression = "none";
|
|
sec-cfg {
|
|
filename = "sec-cfg.bin";
|
|
type = "blob-ext";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
#else
|
|
|
|
&binman {
|
|
ti_spl_template: template-1 {
|
|
filename = "tispl.bin";
|
|
pad-byte = <0xff>;
|
|
|
|
fit {
|
|
description = "Configuration to load ATF and SPL";
|
|
#address-cells = <1>;
|
|
|
|
images {
|
|
|
|
atf {
|
|
description = "ARM Trusted Firmware";
|
|
type = "firmware";
|
|
arch = "arm64";
|
|
compression = "none";
|
|
os = "arm-trusted-firmware";
|
|
load = <CONFIG_K3_ATF_LOAD_ADDR>;
|
|
entry = <CONFIG_K3_ATF_LOAD_ADDR>;
|
|
ti-secure {
|
|
content = <&atf>;
|
|
keyfile = "custMpk.pem";
|
|
};
|
|
atf: atf-bl31 {
|
|
};
|
|
};
|
|
|
|
tee {
|
|
description = "OP-TEE";
|
|
type = "tee";
|
|
arch = "arm64";
|
|
compression = "none";
|
|
os = "tee";
|
|
load = <0x9e800000>;
|
|
entry = <0x9e800000>;
|
|
ti-secure {
|
|
content = <&tee>;
|
|
keyfile = "custMpk.pem";
|
|
};
|
|
tee: tee-os {
|
|
};
|
|
};
|
|
|
|
dm {
|
|
description = "DM binary";
|
|
type = "firmware";
|
|
arch = "arm32";
|
|
compression = "none";
|
|
os = "DM";
|
|
load = <0x89000000>;
|
|
entry = <0x89000000>;
|
|
};
|
|
|
|
spl {
|
|
description = "SPL (64-bit)";
|
|
type = "standalone";
|
|
os = "U-Boot";
|
|
arch = "arm64";
|
|
compression = "none";
|
|
load = <CONFIG_SPL_TEXT_BASE>;
|
|
entry = <CONFIG_SPL_TEXT_BASE>;
|
|
ti-secure {
|
|
content = <&u_boot_spl_nodtb>;
|
|
keyfile = "custMpk.pem";
|
|
|
|
};
|
|
u_boot_spl_nodtb: blob-ext {
|
|
filename = "spl/u-boot-spl-nodtb.bin";
|
|
};
|
|
};
|
|
|
|
};
|
|
};
|
|
};
|
|
ti_spl_unsigned_template: template-2 {
|
|
filename = "tispl.bin_unsigned";
|
|
pad-byte = <0xff>;
|
|
|
|
fit {
|
|
description = "Configuration to load ATF and SPL";
|
|
#address-cells = <1>;
|
|
|
|
images {
|
|
|
|
atf {
|
|
description = "ARM Trusted Firmware";
|
|
type = "firmware";
|
|
arch = "arm64";
|
|
compression = "none";
|
|
os = "arm-trusted-firmware";
|
|
load = <CONFIG_K3_ATF_LOAD_ADDR>;
|
|
entry = <CONFIG_K3_ATF_LOAD_ADDR>;
|
|
atf-bl31 {
|
|
filename = "bl31.bin";
|
|
};
|
|
};
|
|
|
|
tee {
|
|
description = "OP-TEE";
|
|
type = "tee";
|
|
arch = "arm64";
|
|
compression = "none";
|
|
os = "tee";
|
|
load = <0x9e800000>;
|
|
entry = <0x9e800000>;
|
|
tee-os {
|
|
filename = "tee-raw.bin";
|
|
};
|
|
};
|
|
|
|
dm {
|
|
description = "DM binary";
|
|
type = "firmware";
|
|
arch = "arm32";
|
|
compression = "none";
|
|
os = "DM";
|
|
load = <0x89000000>;
|
|
entry = <0x89000000>;
|
|
};
|
|
|
|
spl {
|
|
description = "SPL (64-bit)";
|
|
type = "standalone";
|
|
os = "U-Boot";
|
|
arch = "arm64";
|
|
compression = "none";
|
|
load = <CONFIG_SPL_TEXT_BASE>;
|
|
entry = <CONFIG_SPL_TEXT_BASE>;
|
|
blob-ext {
|
|
filename = "spl/u-boot-spl-nodtb.bin";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
u_boot_template: template-3 {
|
|
filename = "u-boot.img";
|
|
pad-byte = <0xff>;
|
|
|
|
fit {
|
|
description = "FIT image with multiple configurations";
|
|
|
|
images {
|
|
uboot {
|
|
type = "firmware";
|
|
os = "u-boot";
|
|
arch = "arm";
|
|
compression = "none";
|
|
load = <CONFIG_TEXT_BASE>;
|
|
ti-secure {
|
|
content = <&u_boot_nodtb>;
|
|
keyfile = "custMpk.pem";
|
|
};
|
|
u_boot_nodtb: u-boot-nodtb {
|
|
};
|
|
hash {
|
|
algo = "crc32";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
u_boot_unsigned_template: template-4 {
|
|
filename = "u-boot.img_unsigned";
|
|
pad-byte = <0xff>;
|
|
|
|
fit {
|
|
description = "FIT image with multiple configurations";
|
|
|
|
images {
|
|
uboot {
|
|
type = "firmware";
|
|
os = "u-boot";
|
|
arch = "arm";
|
|
compression = "none";
|
|
load = <CONFIG_TEXT_BASE>;
|
|
blob {
|
|
filename = "u-boot-nodtb.bin";
|
|
};
|
|
hash {
|
|
algo = "crc32";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
firewall_bg_1: template-5 {
|
|
control = <(FWCTRL_EN | FWCTRL_LOCK |
|
|
FWCTRL_BG | FWCTRL_CACHE)>;
|
|
permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
|
|
FWPERM_SECURE_PRIV_RWCD |
|
|
FWPERM_SECURE_USER_RWCD |
|
|
FWPERM_NON_SECURE_PRIV_RWCD |
|
|
FWPERM_NON_SECURE_USER_RWCD)>;
|
|
start_address = <0x0 0x0>;
|
|
end_address = <0xff 0xffffffff>;
|
|
};
|
|
firewall_bg_3: template-6 {
|
|
insert-template = <&firewall_bg_1>;
|
|
permissions = <((FWPRIVID_ALL << FWPRIVID_SHIFT) |
|
|
FWPERM_SECURE_PRIV_RWCD |
|
|
FWPERM_SECURE_USER_RWCD |
|
|
FWPERM_NON_SECURE_PRIV_RWCD |
|
|
FWPERM_NON_SECURE_USER_RWCD)>,
|
|
<((FWPRIVID_ALL << FWPRIVID_SHIFT) |
|
|
FWPERM_SECURE_PRIV_RWCD |
|
|
FWPERM_SECURE_USER_RWCD |
|
|
FWPERM_NON_SECURE_PRIV_RWCD |
|
|
FWPERM_NON_SECURE_USER_RWCD)>,
|
|
<((FWPRIVID_ALL << FWPRIVID_SHIFT) |
|
|
FWPERM_SECURE_PRIV_RWCD |
|
|
FWPERM_SECURE_USER_RWCD |
|
|
FWPERM_NON_SECURE_PRIV_RWCD |
|
|
FWPERM_NON_SECURE_USER_RWCD)>;
|
|
};
|
|
firewall_armv8_atf_fg: template-7 {
|
|
control = <(FWCTRL_EN | FWCTRL_LOCK |
|
|
FWCTRL_CACHE)>;
|
|
permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
|
|
FWPERM_SECURE_PRIV_RWCD |
|
|
FWPERM_SECURE_USER_RWCD)>;
|
|
start_address = <0x0 0x70000000>;
|
|
end_address = <0x0 0x7001ffff>;
|
|
};
|
|
firewall_armv8_optee_fg: template-8 {
|
|
control = <(FWCTRL_EN | FWCTRL_LOCK |
|
|
FWCTRL_CACHE)>;
|
|
permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
|
|
FWPERM_SECURE_PRIV_RWCD |
|
|
FWPERM_SECURE_USER_RWCD)>;
|
|
start_address = <0x0 0x9e800000>;
|
|
end_address = <0x0 0x9fffffff>;
|
|
};
|
|
|
|
};
|
|
|
|
#endif
|