feat(ethos-n): add protected NPU TZMP1 regions TZMP1 protected memory regions have been added in the Juno platform to store sensitive data for the Arm(R) Ethos(TM)-N NPU This is enabled when building TF-A with ARM_ETHOSN_NPU_TZMP1. The NPU uses two protected memory regions: 1) Firmware region to protect the NPU's firmware from being modified from the non-secure world 2) Data region for sensitive data used by the NPU Respective memory region can only be accessed with their unique NSAID. Signed-off-by: Bjorn Engstrom <bjoern.engstroem@arm.com> Signed-off-by: Mikael Olsson <mikael.olsson@arm.com> Signed-off-by: Rob Hughes <robert.hughes@arm.com> Change-Id: I65200047f10364ca18681ce348a6edb2ffb9b095

commit: 26bd4a1d4c64f9610fc832b96d16343431b08acd [log] [tgz]
author: Bjorn Engstrom <bjoern.engstroem@arm.com> Mon Sep 19 08:34:03 2022 +0200
committer: Joanna Farley <joanna.farley@arm.com> Tue Apr 04 11:34:59 2023 +0200
tree: 3d0ad3b4a35ac3f5fe2b8950187eda53bf774fa0
parent: 74c5f87f900c1443b94811cdd2302bd548b92aaf [diff]
diff --git a/plat/arm/board/juno/juno_ethosn_tzmp1_def.h b/plat/arm/board/juno/juno_ethosn_tzmp1_def.h
new file mode 100644
index 0000000..131adcd
--- /dev/null
+++ b/plat/arm/board/juno/juno_ethosn_tzmp1_def.h

@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef JUNO_ETHOSN_TZMP1_DEF_H
+#define JUNO_ETHOSN_TZMP1_DEF_H
+
+#define JUNO_ETHOSN_TZC400_NSAID_FW_PROT        7
+#define JUNO_ETHOSN_TZC400_NSAID_DATA_PROT      8
+
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_SIZE      UL(0x000400000) /* 4 MB */
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE      (ARM_DRAM2_BASE)
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END       (ARM_DRAM2_BASE +		    \
+						 JUNO_ETHOSN_FW_TZC_PROT_DRAM2_SIZE \
+						 - 1U)
+
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_SIZE    UL(0x004000000) /* 64 MB */
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE    ( \
+		JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END + 1)
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END     (      \
+		JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE + \
+		JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_SIZE - 1U)
+
+#define JUNO_ETHOSN_NS_DRAM2_BASE       (JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END + \
+					 1)
+#define JUNO_ETHOSN_NS_DRAM2_END        (ARM_DRAM2_END)
+#define JUNO_ETHOSN_NS_DRAM2_SIZE       (ARM_DRAM2_SIZE - \
+					 JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END)
+
+#define JUNO_FW_TZC_PROT_ACCESS	\
+	(TZC_REGION_ACCESS_RDWR(JUNO_ETHOSN_TZC400_NSAID_FW_PROT))
+#define JUNO_DATA_TZC_PROT_ACCESS \
+	(TZC_REGION_ACCESS_RDWR(JUNO_ETHOSN_TZC400_NSAID_DATA_PROT))
+
+#define JUNO_ETHOSN_TZMP_REGIONS_DEF					  \
+	{ ARM_AP_TZC_DRAM1_BASE, ARM_EL3_TZC_DRAM1_END + ARM_L1_GPT_SIZE, \
+	  TZC_REGION_S_RDWR, 0 },					  \
+	{ ARM_NS_DRAM1_BASE, ARM_NS_DRAM1_END,				  \
+	  ARM_TZC_NS_DRAM_S_ACCESS, PLAT_ARM_TZC_NS_DEV_ACCESS },	  \
+	{ JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE,				  \
+	  JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END,				  \
+	  TZC_REGION_S_RDWR, JUNO_FW_TZC_PROT_ACCESS },			  \
+	{ JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE,				  \
+	  JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END,				  \
+	  TZC_REGION_S_NONE, JUNO_DATA_TZC_PROT_ACCESS },		  \
+	{ JUNO_ETHOSN_NS_DRAM2_BASE, JUNO_ETHOSN_NS_DRAM2_END,		  \
+	  ARM_TZC_NS_DRAM_S_ACCESS, PLAT_ARM_TZC_NS_DEV_ACCESS }
+
+#endif /* JUNO_ETHOSN_TZMP1_DEF_H */

diff --git a/plat/arm/board/juno/juno_security.c b/plat/arm/board/juno/juno_security.c
index a0fd36c..72e7e78 100644
--- a/plat/arm/board/juno/juno_security.c
+++ b/plat/arm/board/juno/juno_security.c

@@ -13,6 +13,7 @@
 #include <plat/arm/soc/common/soc_css.h>
 #include <plat/common/platform.h>
 
+#include "juno_ethosn_tzmp1_def.h"
 #include "juno_tzmp1_def.h"
 
 #ifdef JUNO_TZMP1
@@ -79,12 +80,9 @@
 #endif /* JUNO_TZMP1 */
 
 #ifdef JUNO_ETHOSN_TZMP1
-/*
- * Currently use the default regions defined in ARM_TZC_REGIONS_DEF.
- * See the definition in /include/plat/arm/common/plat_arm.h
- */
+
 static const arm_tzc_regions_info_t juno_ethosn_tzmp1_tzc_regions[] = {
-	ARM_TZC_REGIONS_DEF, /* See define in /include/plat/arm/common/plat_arm.h */
+	JUNO_ETHOSN_TZMP_REGIONS_DEF,
 	{},
 };
 
@@ -154,7 +152,15 @@
 	     (void *)JUNO_AP_TZC_SHARE_DRAM1_END);
 #elif defined(JUNO_ETHOSN_TZMP1)
 	arm_tzc400_setup(PLAT_ARM_TZC_BASE, juno_ethosn_tzmp1_tzc_regions);
-	INFO("TZC set up with default settings for NPU TZMP usecase\n");
+	INFO("TZC protected shared memory range for NPU TZMP usecase: %p - %p\n",
+	     (void *)JUNO_ETHOSN_NS_DRAM2_BASE,
+	     (void *)JUNO_ETHOSN_NS_DRAM2_END);
+	INFO("TZC protected Data memory range for NPU TZMP usecase: %p - %p\n",
+	     (void *)JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE,
+	     (void *)JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END);
+	INFO("TZC protected FW memory range for NPU TZMP usecase: %p - %p\n",
+	     (void *)JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE,
+	     (void *)JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END);
 #else
 	arm_tzc400_setup(PLAT_ARM_TZC_BASE, NULL);
 #endif
commit	26bd4a1d4c64f9610fc832b96d16343431b08acd	[log] [tgz]
author	Bjorn Engstrom <bjoern.engstroem@arm.com>	Mon Sep 19 08:34:03 2022 +0200
committer	Joanna Farley <joanna.farley@arm.com>	Tue Apr 04 11:34:59 2023 +0200
tree	3d0ad3b4a35ac3f5fe2b8950187eda53bf774fa0
parent	74c5f87f900c1443b94811cdd2302bd548b92aaf [diff]