1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
|
// SPDX-License-Identifier: BSD-3-Clause
/*
* Copyright (c) 2016-2022, ARM Limited and Contributors. All rights reserved.
*
*/
#define pr_fmt(fmt) "tzc400: " fmt
#include <common.h>
#include <linux/bitfield.h>
#include <linux/sizes.h>
#include <mach/layerscape/lowlevel.h>
#include <mach/layerscape/layerscape.h>
#include "tzc400.h"
static inline void mmio_write_32(uintptr_t addr, uint32_t value)
{
out_le32(addr, value);
}
static inline uint32_t mmio_read_32(uintptr_t addr)
{
return in_le32(addr);
}
static inline void mmio_clrsetbits_32(uintptr_t addr,
uint32_t clear,
uint32_t set)
{
clrsetbits_le32(addr, clear, set);
}
static inline unsigned int tzc_read_peripheral_id(uintptr_t base)
{
unsigned int id;
id = mmio_read_32(base + PID0_OFF);
/* Masks DESC part in PID1 */
id |= ((mmio_read_32(base + PID1_OFF) & 0xFU) << 8U);
return id;
}
/*
* Implementation defined values used to validate inputs later.
* Filters : max of 4 ; 0 to 3
* Regions : max of 9 ; 0 to 8
* Address width : Values between 32 to 64
*/
struct tzc400_instance {
uintptr_t base;
uint8_t addr_width;
uint8_t num_filters;
uint8_t num_regions;
};
static struct tzc400_instance tzc400;
static inline unsigned int tzc400_read_gate_keeper(void)
{
uintptr_t base = tzc400.base;
return mmio_read_32(base + TZC400_GATE_KEEPER);
}
static inline void tzc400_write_gate_keeper(unsigned int val)
{
uintptr_t base = tzc400.base;
mmio_write_32(base + TZC400_GATE_KEEPER, val);
}
static unsigned int tzc400_open_status(void)
{
return FIELD_GET(TZC400_GATE_KEEPER_OS, tzc400_read_gate_keeper());
}
static unsigned int tzc400_get_gate_keeper(unsigned int filter)
{
return (tzc400_open_status() >> filter) & GATE_KEEPER_FILTER_MASK;
}
/* This function is not MP safe. */
static void tzc400_set_gate_keeper(unsigned int filter, int val)
{
unsigned int os;
/* Upper half is current state. Lower half is requested state. */
os = tzc400_open_status();
if (val != 0)
os |= (1UL << filter);
else
os &= ~(1UL << filter);
tzc400_write_gate_keeper(FIELD_PREP(TZC400_GATE_KEEPER_OR, os));
/* Wait here until we see the change reflected in the TZC status. */
while ((tzc400_open_status()) != os)
;
}
void tzc400_set_action(unsigned int action)
{
uintptr_t base = tzc400.base;
ASSERT(base != 0U);
ASSERT(action <= TZC_ACTION_ERR_INT);
mmio_write_32(base + TZC400_ACTION, action);
}
void tzc400_init(uintptr_t base)
{
unsigned int tzc400_id;
unsigned int tzc400_build;
tzc400.base = base;
tzc400_id = tzc_read_peripheral_id(base);
if (tzc400_id != TZC400_PERIPHERAL_ID)
panic("TZC-400 : Wrong device ID (0x%x).\n", tzc400_id);
/* Save values we will use later. */
tzc400_build = mmio_read_32(base + TZC400_BUILD_CONFIG);
tzc400.num_filters = FIELD_GET(TZC400_BUILD_CONFIG_NF, tzc400_build) + 1;
tzc400.addr_width = FIELD_GET(TZC400_BUILD_CONFIG_AW, tzc400_build) + 1;
tzc400.num_regions = FIELD_GET(TZC400_BUILD_CONFIG_NR, tzc400_build) + 1;
}
/*
* `tzc400_configure_region` is used to program regions into the TrustZone
* controller. A region can be associated with more than one filter. The
* associated filters are passed in as a bitmap (bit0 = filter0), except that
* the value TZC400_REGION_ATTR_FILTER_BIT_ALL selects all filters, based on
* the value of tzc400.num_filters.
* NOTE:
* Region 0 is special; it is preferable to use tzc400_configure_region0
* for this region (see comment for that function).
*/
void tzc400_configure_region(unsigned int filters, unsigned int region, uint64_t region_base,
uint64_t region_top, unsigned int sec_attr,
unsigned int nsaid_permissions)
{
uintptr_t rbase = tzc400.base + TZC_REGION_OFFSET(TZC400_REGION_SIZE, region);
/* Adjust filter mask by real filter number */
if (filters == TZC400_REGION_ATTR_FILTER_BIT_ALL)
filters = (1U << tzc400.num_filters) - 1U;
/* Do range checks on filters and regions. */
ASSERT(((filters >> tzc400.num_filters) == 0U) &&
(region < tzc400.num_regions));
/*
* Do address range check based on TZC configuration. A 64bit address is
* the max and expected case.
*/
ASSERT((region_top <= (U64_MAX >> (64U - tzc400.addr_width))) &&
(region_base < region_top));
/* region_base and (region_top + 1) must be 4KB aligned */
ASSERT(((region_base | (region_top + 1U)) & (4096U - 1U)) == 0U);
ASSERT(sec_attr <= TZC_REGION_S_RDWR);
pr_debug("TrustZone : Configuring region %u\n", region);
pr_debug("TrustZone : ... base = %llx, top = %llx,\n", region_base, region_top);
pr_debug("TrustZone : ... sec_attr = 0x%x, ns_devs = 0x%x)\n",
sec_attr, nsaid_permissions);
/***************************************************/
/* Inputs look ok, start programming registers. */
/* All the address registers are 32 bits wide and */
/* have a LOW and HIGH */
/* component used to construct an address up to a */
/* 64bit. */
/***************************************************/
mmio_write_32(rbase + TZC400_REGION_BASE_LOW_0, (uint32_t)region_base);
mmio_write_32(rbase + TZC400_REGION_BASE_HIGH_0, (uint32_t)(region_base >> 32));
mmio_write_32(rbase + TZC400_REGION_TOP_LOW_0, (uint32_t)region_top);
mmio_write_32(rbase + TZC400_REGION_TOP_HIGH_0, (uint32_t)(region_top >> 32));
/* Enable filter to the region and set secure attributes */
mmio_write_32(rbase + TZC400_REGION_ATTR_0,
(sec_attr << TZC_REGION_ATTR_SEC_SHIFT) | (filters << TZC_REGION_ATTR_F_EN_SHIFT));
/***************************************************/
/* Specify which non-secure devices have permission*/
/* to access this region. */
/***************************************************/
mmio_write_32(rbase + TZC400_REGION_ID_ACCESS_0, nsaid_permissions);
}
void tzc400_update_filters(unsigned int region, unsigned int filters)
{
uintptr_t rbase = tzc400.base + TZC_REGION_OFFSET(TZC400_REGION_SIZE, region);
uint32_t filters_mask = GENMASK(tzc400.num_filters - 1U, 0);
/* Do range checks on filters and regions. */
ASSERT(((filters >> tzc400.num_filters) == 0U) &&
(region < tzc400.num_regions));
mmio_clrsetbits_32(rbase + TZC400_REGION_ATTR_0,
filters_mask << TZC_REGION_ATTR_F_EN_SHIFT,
filters << TZC_REGION_ATTR_F_EN_SHIFT);
}
void tzc400_enable_filters(void)
{
unsigned int state;
unsigned int filter;
ASSERT(tzc400.base != 0U);
for (filter = 0U; filter < tzc400.num_filters; filter++) {
state = tzc400_get_gate_keeper(filter);
if (state != 0U) {
/* Filter 0 is special and cannot be disabled.
* So here we allow it being already enabled. */
if (filter == 0U)
continue;
/*
* The TZC filter is already configured. Changing the
* programmer's view in an active system can cause
* unpredictable behavior therefore panic for now rather
* than try to determine whether this is safe in this
* instance.
*
* See the 'ARM (R) CoreLink TM TZC-400 TrustZone (R)
* Address Space Controller' Technical Reference Manual.
*/
panic("TZC-400 : Filter %u Gatekeeper already enabled.\n",
filter);
}
tzc400_set_gate_keeper(filter, 1);
}
}
void tzc400_disable_filters(void)
{
unsigned int filter;
unsigned int state;
unsigned int start = 0U;
ASSERT(tzc400.base != 0U);
/* Filter 0 is special and cannot be disabled. */
state = tzc400_get_gate_keeper(0);
if (state != 0U)
start++;
for (filter = start; filter < tzc400.num_filters; filter++)
tzc400_set_gate_keeper(filter, 0);
}
unsigned long ls1028a_tzc400_init(unsigned long memsize)
{
unsigned long lowmem, highmem, lowmem_end;
tzc400_init(LS1028A_TZC400_BASE);
tzc400_disable_filters();
/* Region 0 set to no access by default */
mmio_write_32(tzc400.base + TZC400_REGION_ATTR_0, TZC_REGION_S_NONE << TZC_REGION_ATTR_SEC_SHIFT);
mmio_write_32(tzc400.base + TZC400_REGION_ID_ACCESS_0, 0);
lowmem = min_t(unsigned long, LS1028A_DDR_SDRAM_LOWMEM_SIZE, memsize);
lowmem_end = LS1028A_DDR_SDRAM_BASE + lowmem;
highmem = memsize - lowmem;
/* region 1: secure memory */
tzc400_configure_region(1, 1,
lowmem_end - LS1028A_SECURE_DRAM_SIZE,
lowmem_end - 1,
TZC_REGION_S_RDWR, TZC_REGION_NS_NONE);
/* region 2: shared memory */
tzc400_configure_region(1, 2,
lowmem_end - LS1028A_SECURE_DRAM_SIZE - LS1028A_SP_SHARED_DRAM_SIZE,
lowmem_end - LS1028A_SECURE_DRAM_SIZE - 1,
TZC_REGION_S_RDWR, TZC_NS_ACCESS_ID);
/* region 3: nonsecure low memory */
tzc400_configure_region(1, 3,
LS1028A_DDR_SDRAM_BASE,
lowmem_end - LS1028A_SECURE_DRAM_SIZE - LS1028A_SP_SHARED_DRAM_SIZE - 1,
TZC_REGION_S_RDWR, TZC_NS_ACCESS_ID);
if (highmem)
/* nonsecure high memory */
tzc400_configure_region(1, 4,
LS1028A_DDR_SDRAM_HIGHMEM_BASE,
LS1028A_DDR_SDRAM_HIGHMEM_BASE + highmem - 1,
TZC_REGION_S_RDWR, TZC_NS_ACCESS_ID);
tzc400_set_action(TZC_ACTION_ERR);
tzc400_enable_filters();
return lowmem - LS1028A_SECURE_DRAM_SIZE - LS1028A_SP_SHARED_DRAM_SIZE;
}
|
