From 364daf93208b7344b9618922004997f341ff1ca3 Mon Sep 17 00:00:00 2001 From: Juan Castillo Date: Fri, 16 May 2014 15:33:15 +0100 Subject: Reserve some DDR DRAM for secure use on FVP platforms TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and the rest of DRAM as non-secure. Non-secure software must not attempt to access the 16MB secure area. Device tree files (sources and binaries) have been updated to match this configuration, removing that memory from the Linux physical memory map. To use UEFI and Linux with this patch, the latest version of UEFI and the updated device tree files are required. Check the user guide in the documentation for more details. Replaced magic numbers with #define for memory region definition in the platform security initialization function. Fixes ARM-software/tf-issues#149 Change-Id: Ia5d070244aae6c5288ea0e6c8e89d92859522bfe --- docs/user-guide.md | 2 +- fdts/fvp-base-gicv2-psci.dtb | Bin 9077 -> 9077 bytes fdts/fvp-base-gicv2-psci.dts | 2 +- fdts/fvp-base-gicv2legacy-psci.dtb | Bin 9077 -> 9077 bytes fdts/fvp-base-gicv2legacy-psci.dts | 2 +- fdts/fvp-base-gicv3-psci.dtb | Bin 9544 -> 9544 bytes fdts/fvp-base-gicv3-psci.dts | 2 +- fdts/fvp-foundation-gicv2-psci.dtb | Bin 6802 -> 6802 bytes fdts/fvp-foundation-gicv2-psci.dts | 2 +- fdts/fvp-foundation-gicv2legacy-psci.dtb | Bin 6802 -> 6802 bytes fdts/fvp-foundation-gicv2legacy-psci.dts | 2 +- fdts/fvp-foundation-gicv3-psci.dtb | Bin 7269 -> 7269 bytes fdts/fvp-foundation-gicv3-psci.dts | 2 +- plat/fvp/aarch64/plat_common.c | 2 +- plat/fvp/bl2_plat_setup.c | 4 ++-- plat/fvp/plat_security.c | 11 +++++++++-- plat/fvp/platform.h | 15 ++++++++++++--- 17 files changed, 31 insertions(+), 15 deletions(-) diff --git a/docs/user-guide.md b/docs/user-guide.md index e7f0df54..3359fee5 100644 --- a/docs/user-guide.md +++ b/docs/user-guide.md @@ -280,7 +280,7 @@ and Foundation FVPs: git clone -n https://github.com/tianocore/edk2.git cd edk2 - git checkout c1cdcab9526506673b882017845a043cead8bc69 + git checkout 129ff94661bd3a6c759b1e154c143d0136bedc7d To build the software to be compatible with Foundation and Base FVPs, follow diff --git a/fdts/fvp-base-gicv2-psci.dtb b/fdts/fvp-base-gicv2-psci.dtb index abdb9a0c..efe83be5 100644 Binary files a/fdts/fvp-base-gicv2-psci.dtb and b/fdts/fvp-base-gicv2-psci.dtb differ diff --git a/fdts/fvp-base-gicv2-psci.dts b/fdts/fvp-base-gicv2-psci.dts index 7d089227..2b2c2b09 100644 --- a/fdts/fvp-base-gicv2-psci.dts +++ b/fdts/fvp-base-gicv2-psci.dts @@ -115,7 +115,7 @@ memory@80000000 { device_type = "memory"; - reg = <0x00000000 0x80000000 0 0x80000000>, + reg = <0x00000000 0x80000000 0 0x7F000000>, <0x00000008 0x80000000 0 0x80000000>; }; diff --git a/fdts/fvp-base-gicv2legacy-psci.dtb b/fdts/fvp-base-gicv2legacy-psci.dtb index 3fc6b3ee..7243c065 100644 Binary files a/fdts/fvp-base-gicv2legacy-psci.dtb and b/fdts/fvp-base-gicv2legacy-psci.dtb differ diff --git a/fdts/fvp-base-gicv2legacy-psci.dts b/fdts/fvp-base-gicv2legacy-psci.dts index f0952314..620bc05b 100644 --- a/fdts/fvp-base-gicv2legacy-psci.dts +++ b/fdts/fvp-base-gicv2legacy-psci.dts @@ -115,7 +115,7 @@ memory@80000000 { device_type = "memory"; - reg = <0x00000000 0x80000000 0 0x80000000>, + reg = <0x00000000 0x80000000 0 0x7F000000>, <0x00000008 0x80000000 0 0x80000000>; }; diff --git a/fdts/fvp-base-gicv3-psci.dtb b/fdts/fvp-base-gicv3-psci.dtb index 1efa1368..b9fe1cf3 100644 Binary files a/fdts/fvp-base-gicv3-psci.dtb and b/fdts/fvp-base-gicv3-psci.dtb differ diff --git a/fdts/fvp-base-gicv3-psci.dts b/fdts/fvp-base-gicv3-psci.dts index 96d264e9..d111a991 100644 --- a/fdts/fvp-base-gicv3-psci.dts +++ b/fdts/fvp-base-gicv3-psci.dts @@ -115,7 +115,7 @@ memory@80000000 { device_type = "memory"; - reg = <0x00000000 0x80000000 0 0x80000000>, + reg = <0x00000000 0x80000000 0 0x7F000000>, <0x00000008 0x80000000 0 0x80000000>; }; diff --git a/fdts/fvp-foundation-gicv2-psci.dtb b/fdts/fvp-foundation-gicv2-psci.dtb index ca100889..70175e89 100644 Binary files a/fdts/fvp-foundation-gicv2-psci.dtb and b/fdts/fvp-foundation-gicv2-psci.dtb differ diff --git a/fdts/fvp-foundation-gicv2-psci.dts b/fdts/fvp-foundation-gicv2-psci.dts index bf368a01..8f3de9df 100644 --- a/fdts/fvp-foundation-gicv2-psci.dts +++ b/fdts/fvp-foundation-gicv2-psci.dts @@ -91,7 +91,7 @@ memory@80000000 { device_type = "memory"; - reg = <0x00000000 0x80000000 0 0x80000000>, + reg = <0x00000000 0x80000000 0 0x7F000000>, <0x00000008 0x80000000 0 0x80000000>; }; diff --git a/fdts/fvp-foundation-gicv2legacy-psci.dtb b/fdts/fvp-foundation-gicv2legacy-psci.dtb index a602ff5c..564d223f 100644 Binary files a/fdts/fvp-foundation-gicv2legacy-psci.dtb and b/fdts/fvp-foundation-gicv2legacy-psci.dtb differ diff --git a/fdts/fvp-foundation-gicv2legacy-psci.dts b/fdts/fvp-foundation-gicv2legacy-psci.dts index 63cef80c..951da06d 100644 --- a/fdts/fvp-foundation-gicv2legacy-psci.dts +++ b/fdts/fvp-foundation-gicv2legacy-psci.dts @@ -91,7 +91,7 @@ memory@80000000 { device_type = "memory"; - reg = <0x00000000 0x80000000 0 0x80000000>, + reg = <0x00000000 0x80000000 0 0x7F000000>, <0x00000008 0x80000000 0 0x80000000>; }; diff --git a/fdts/fvp-foundation-gicv3-psci.dtb b/fdts/fvp-foundation-gicv3-psci.dtb index f64e4210..26800ba0 100644 Binary files a/fdts/fvp-foundation-gicv3-psci.dtb and b/fdts/fvp-foundation-gicv3-psci.dtb differ diff --git a/fdts/fvp-foundation-gicv3-psci.dts b/fdts/fvp-foundation-gicv3-psci.dts index f9f1ff33..7692c618 100644 --- a/fdts/fvp-foundation-gicv3-psci.dts +++ b/fdts/fvp-foundation-gicv3-psci.dts @@ -91,7 +91,7 @@ memory@80000000 { device_type = "memory"; - reg = <0x00000000 0x80000000 0 0x80000000>, + reg = <0x00000000 0x80000000 0 0x7F000000>, <0x00000008 0x80000000 0 0x80000000>; }; diff --git a/plat/fvp/aarch64/plat_common.c b/plat/fvp/aarch64/plat_common.c index 29bf602f..2845f3e4 100644 --- a/plat/fvp/aarch64/plat_common.c +++ b/plat/fvp/aarch64/plat_common.c @@ -122,7 +122,7 @@ const mmap_region_t fvp_mmap[] = { { DEVICE1_BASE, DEVICE1_SIZE, MT_DEVICE | MT_RW | MT_SECURE }, /* 2nd GB as device for now...*/ { 0x40000000, 0x40000000, MT_DEVICE | MT_RW | MT_SECURE }, - { DRAM_BASE, DRAM_SIZE, MT_MEMORY | MT_RW | MT_NS }, + { DRAM1_BASE, DRAM1_SIZE, MT_MEMORY | MT_RW | MT_NS }, {0} }; diff --git a/plat/fvp/bl2_plat_setup.c b/plat/fvp/bl2_plat_setup.c index ea9d0a48..8c006e92 100644 --- a/plat/fvp/bl2_plat_setup.c +++ b/plat/fvp/bl2_plat_setup.c @@ -285,9 +285,9 @@ void bl2_plat_get_bl32_meminfo(meminfo_t *bl32_meminfo) void bl2_plat_get_bl33_meminfo(meminfo_t *bl33_meminfo) { bl33_meminfo->total_base = DRAM_BASE; - bl33_meminfo->total_size = DRAM_SIZE; + bl33_meminfo->total_size = DRAM_SIZE - DRAM1_SEC_SIZE; bl33_meminfo->free_base = DRAM_BASE; - bl33_meminfo->free_size = DRAM_SIZE; + bl33_meminfo->free_size = DRAM_SIZE - DRAM1_SEC_SIZE; bl33_meminfo->attr = 0; bl33_meminfo->attr = 0; } diff --git a/plat/fvp/plat_security.c b/plat/fvp/plat_security.c index c39907a8..9da56122 100644 --- a/plat/fvp/plat_security.c +++ b/plat/fvp/plat_security.c @@ -100,16 +100,23 @@ void plat_security_setup(void) /* Set to cover the first block of DRAM */ tzc_configure_region(&controller, FILTER_SHIFT(0), 1, - DRAM_BASE, 0xFFFFFFFF, TZC_REGION_S_NONE, + DRAM1_BASE, DRAM1_END - DRAM1_SEC_SIZE, + TZC_REGION_S_NONE, TZC_REGION_ACCESS_RDWR(FVP_NSAID_DEFAULT) | TZC_REGION_ACCESS_RDWR(FVP_NSAID_PCI) | TZC_REGION_ACCESS_RDWR(FVP_NSAID_AP) | TZC_REGION_ACCESS_RDWR(FVP_NSAID_VIRTIO) | TZC_REGION_ACCESS_RDWR(FVP_NSAID_VIRTIO_OLD)); + /* Set to cover the secure reserved region */ + tzc_configure_region(&controller, FILTER_SHIFT(0), 3, + (DRAM1_END - DRAM1_SEC_SIZE) + 1 , DRAM1_END, + TZC_REGION_S_RDWR, + 0x0); + /* Set to cover the second block of DRAM */ tzc_configure_region(&controller, FILTER_SHIFT(0), 2, - 0x880000000, 0xFFFFFFFFF, TZC_REGION_S_NONE, + DRAM2_BASE, DRAM2_END, TZC_REGION_S_NONE, TZC_REGION_ACCESS_RDWR(FVP_NSAID_DEFAULT) | TZC_REGION_ACCESS_RDWR(FVP_NSAID_PCI) | TZC_REGION_ACCESS_RDWR(FVP_NSAID_AP) | diff --git a/plat/fvp/platform.h b/plat/fvp/platform.h index bd76d678..b50df00e 100644 --- a/plat/fvp/platform.h +++ b/plat/fvp/platform.h @@ -68,7 +68,7 @@ /* Non-Trusted Firmware BL33 and its load address */ #define BL33_IMAGE_NAME "bl33.bin" /* e.g. UEFI */ -#define NS_IMAGE_OFFSET (DRAM_BASE + 0x8000000) /* DRAM + 128MB */ +#define NS_IMAGE_OFFSET (DRAM1_BASE + 0x8000000) /* DRAM + 128MB */ /* Firmware Image Package */ #define FIP_IMAGE_NAME "fip.bin" @@ -139,8 +139,17 @@ #define PARAMS_BASE TZDRAM_BASE -#define DRAM_BASE 0x80000000ull -#define DRAM_SIZE 0x80000000ull +#define DRAM1_BASE 0x80000000ull +#define DRAM1_SIZE 0x80000000ull +#define DRAM1_END (DRAM1_BASE + DRAM1_SIZE - 1) +#define DRAM1_SEC_SIZE 0x01000000ull + +#define DRAM_BASE DRAM1_BASE +#define DRAM_SIZE DRAM1_SIZE + +#define DRAM2_BASE 0x880000000ull +#define DRAM2_SIZE 0x780000000ull +#define DRAM2_END (DRAM2_BASE + DRAM2_SIZE - 1) #define PCIE_EXP_BASE 0x40000000 #define TZRNG_BASE 0x7fe60000 -- cgit v1.2.3