Reserve some DDR DRAM for secure use on FVP platforms
TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.
Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.
To use UEFI and Linux with this patch, the latest version of UEFI and
the updated device tree files are required. Check the user guide in the
documentation for more details.
Replaced magic numbers with #define for memory region definition in the
platform security initialization function.
Fixes ARM-software/tf-issues#149
Change-Id: Ia5d070244aae6c5288ea0e6c8e89d92859522bfe
diff --git a/docs/user-guide.md b/docs/user-guide.md
index e7f0df5..3359fee 100644
--- a/docs/user-guide.md
+++ b/docs/user-guide.md
@@ -280,7 +280,7 @@
git clone -n https://github.com/tianocore/edk2.git
cd edk2
- git checkout c1cdcab9526506673b882017845a043cead8bc69
+ git checkout 129ff94661bd3a6c759b1e154c143d0136bedc7d
To build the software to be compatible with Foundation and Base FVPs, follow
diff --git a/fdts/fvp-base-gicv2-psci.dtb b/fdts/fvp-base-gicv2-psci.dtb
index abdb9a0..efe83be 100644
--- a/fdts/fvp-base-gicv2-psci.dtb
+++ b/fdts/fvp-base-gicv2-psci.dtb
Binary files differ
diff --git a/fdts/fvp-base-gicv2-psci.dts b/fdts/fvp-base-gicv2-psci.dts
index 7d08922..2b2c2b0 100644
--- a/fdts/fvp-base-gicv2-psci.dts
+++ b/fdts/fvp-base-gicv2-psci.dts
@@ -115,7 +115,7 @@
memory@80000000 {
device_type = "memory";
- reg = <0x00000000 0x80000000 0 0x80000000>,
+ reg = <0x00000000 0x80000000 0 0x7F000000>,
<0x00000008 0x80000000 0 0x80000000>;
};
diff --git a/fdts/fvp-base-gicv2legacy-psci.dtb b/fdts/fvp-base-gicv2legacy-psci.dtb
index 3fc6b3e..7243c06 100644
--- a/fdts/fvp-base-gicv2legacy-psci.dtb
+++ b/fdts/fvp-base-gicv2legacy-psci.dtb
Binary files differ
diff --git a/fdts/fvp-base-gicv2legacy-psci.dts b/fdts/fvp-base-gicv2legacy-psci.dts
index f095231..620bc05 100644
--- a/fdts/fvp-base-gicv2legacy-psci.dts
+++ b/fdts/fvp-base-gicv2legacy-psci.dts
@@ -115,7 +115,7 @@
memory@80000000 {
device_type = "memory";
- reg = <0x00000000 0x80000000 0 0x80000000>,
+ reg = <0x00000000 0x80000000 0 0x7F000000>,
<0x00000008 0x80000000 0 0x80000000>;
};
diff --git a/fdts/fvp-base-gicv3-psci.dtb b/fdts/fvp-base-gicv3-psci.dtb
index 1efa136..b9fe1cf 100644
--- a/fdts/fvp-base-gicv3-psci.dtb
+++ b/fdts/fvp-base-gicv3-psci.dtb
Binary files differ
diff --git a/fdts/fvp-base-gicv3-psci.dts b/fdts/fvp-base-gicv3-psci.dts
index 96d264e..d111a99 100644
--- a/fdts/fvp-base-gicv3-psci.dts
+++ b/fdts/fvp-base-gicv3-psci.dts
@@ -115,7 +115,7 @@
memory@80000000 {
device_type = "memory";
- reg = <0x00000000 0x80000000 0 0x80000000>,
+ reg = <0x00000000 0x80000000 0 0x7F000000>,
<0x00000008 0x80000000 0 0x80000000>;
};
diff --git a/fdts/fvp-foundation-gicv2-psci.dtb b/fdts/fvp-foundation-gicv2-psci.dtb
index ca10088..70175e8 100644
--- a/fdts/fvp-foundation-gicv2-psci.dtb
+++ b/fdts/fvp-foundation-gicv2-psci.dtb
Binary files differ
diff --git a/fdts/fvp-foundation-gicv2-psci.dts b/fdts/fvp-foundation-gicv2-psci.dts
index bf368a0..8f3de9d 100644
--- a/fdts/fvp-foundation-gicv2-psci.dts
+++ b/fdts/fvp-foundation-gicv2-psci.dts
@@ -91,7 +91,7 @@
memory@80000000 {
device_type = "memory";
- reg = <0x00000000 0x80000000 0 0x80000000>,
+ reg = <0x00000000 0x80000000 0 0x7F000000>,
<0x00000008 0x80000000 0 0x80000000>;
};
diff --git a/fdts/fvp-foundation-gicv2legacy-psci.dtb b/fdts/fvp-foundation-gicv2legacy-psci.dtb
index a602ff5..564d223 100644
--- a/fdts/fvp-foundation-gicv2legacy-psci.dtb
+++ b/fdts/fvp-foundation-gicv2legacy-psci.dtb
Binary files differ
diff --git a/fdts/fvp-foundation-gicv2legacy-psci.dts b/fdts/fvp-foundation-gicv2legacy-psci.dts
index 63cef80..951da06 100644
--- a/fdts/fvp-foundation-gicv2legacy-psci.dts
+++ b/fdts/fvp-foundation-gicv2legacy-psci.dts
@@ -91,7 +91,7 @@
memory@80000000 {
device_type = "memory";
- reg = <0x00000000 0x80000000 0 0x80000000>,
+ reg = <0x00000000 0x80000000 0 0x7F000000>,
<0x00000008 0x80000000 0 0x80000000>;
};
diff --git a/fdts/fvp-foundation-gicv3-psci.dtb b/fdts/fvp-foundation-gicv3-psci.dtb
index f64e421..26800ba 100644
--- a/fdts/fvp-foundation-gicv3-psci.dtb
+++ b/fdts/fvp-foundation-gicv3-psci.dtb
Binary files differ
diff --git a/fdts/fvp-foundation-gicv3-psci.dts b/fdts/fvp-foundation-gicv3-psci.dts
index f9f1ff3..7692c61 100644
--- a/fdts/fvp-foundation-gicv3-psci.dts
+++ b/fdts/fvp-foundation-gicv3-psci.dts
@@ -91,7 +91,7 @@
memory@80000000 {
device_type = "memory";
- reg = <0x00000000 0x80000000 0 0x80000000>,
+ reg = <0x00000000 0x80000000 0 0x7F000000>,
<0x00000008 0x80000000 0 0x80000000>;
};
diff --git a/plat/fvp/aarch64/plat_common.c b/plat/fvp/aarch64/plat_common.c
index 29bf602..2845f3e 100644
--- a/plat/fvp/aarch64/plat_common.c
+++ b/plat/fvp/aarch64/plat_common.c
@@ -122,7 +122,7 @@
{ DEVICE1_BASE, DEVICE1_SIZE, MT_DEVICE | MT_RW | MT_SECURE },
/* 2nd GB as device for now...*/
{ 0x40000000, 0x40000000, MT_DEVICE | MT_RW | MT_SECURE },
- { DRAM_BASE, DRAM_SIZE, MT_MEMORY | MT_RW | MT_NS },
+ { DRAM1_BASE, DRAM1_SIZE, MT_MEMORY | MT_RW | MT_NS },
{0}
};
diff --git a/plat/fvp/bl2_plat_setup.c b/plat/fvp/bl2_plat_setup.c
index ea9d0a4..8c006e9 100644
--- a/plat/fvp/bl2_plat_setup.c
+++ b/plat/fvp/bl2_plat_setup.c
@@ -285,9 +285,9 @@
void bl2_plat_get_bl33_meminfo(meminfo_t *bl33_meminfo)
{
bl33_meminfo->total_base = DRAM_BASE;
- bl33_meminfo->total_size = DRAM_SIZE;
+ bl33_meminfo->total_size = DRAM_SIZE - DRAM1_SEC_SIZE;
bl33_meminfo->free_base = DRAM_BASE;
- bl33_meminfo->free_size = DRAM_SIZE;
+ bl33_meminfo->free_size = DRAM_SIZE - DRAM1_SEC_SIZE;
bl33_meminfo->attr = 0;
bl33_meminfo->attr = 0;
}
diff --git a/plat/fvp/plat_security.c b/plat/fvp/plat_security.c
index c39907a..9da5612 100644
--- a/plat/fvp/plat_security.c
+++ b/plat/fvp/plat_security.c
@@ -100,16 +100,23 @@
/* Set to cover the first block of DRAM */
tzc_configure_region(&controller, FILTER_SHIFT(0), 1,
- DRAM_BASE, 0xFFFFFFFF, TZC_REGION_S_NONE,
+ DRAM1_BASE, DRAM1_END - DRAM1_SEC_SIZE,
+ TZC_REGION_S_NONE,
TZC_REGION_ACCESS_RDWR(FVP_NSAID_DEFAULT) |
TZC_REGION_ACCESS_RDWR(FVP_NSAID_PCI) |
TZC_REGION_ACCESS_RDWR(FVP_NSAID_AP) |
TZC_REGION_ACCESS_RDWR(FVP_NSAID_VIRTIO) |
TZC_REGION_ACCESS_RDWR(FVP_NSAID_VIRTIO_OLD));
+ /* Set to cover the secure reserved region */
+ tzc_configure_region(&controller, FILTER_SHIFT(0), 3,
+ (DRAM1_END - DRAM1_SEC_SIZE) + 1 , DRAM1_END,
+ TZC_REGION_S_RDWR,
+ 0x0);
+
/* Set to cover the second block of DRAM */
tzc_configure_region(&controller, FILTER_SHIFT(0), 2,
- 0x880000000, 0xFFFFFFFFF, TZC_REGION_S_NONE,
+ DRAM2_BASE, DRAM2_END, TZC_REGION_S_NONE,
TZC_REGION_ACCESS_RDWR(FVP_NSAID_DEFAULT) |
TZC_REGION_ACCESS_RDWR(FVP_NSAID_PCI) |
TZC_REGION_ACCESS_RDWR(FVP_NSAID_AP) |
diff --git a/plat/fvp/platform.h b/plat/fvp/platform.h
index bd76d67..b50df00 100644
--- a/plat/fvp/platform.h
+++ b/plat/fvp/platform.h
@@ -68,7 +68,7 @@
/* Non-Trusted Firmware BL33 and its load address */
#define BL33_IMAGE_NAME "bl33.bin" /* e.g. UEFI */
-#define NS_IMAGE_OFFSET (DRAM_BASE + 0x8000000) /* DRAM + 128MB */
+#define NS_IMAGE_OFFSET (DRAM1_BASE + 0x8000000) /* DRAM + 128MB */
/* Firmware Image Package */
#define FIP_IMAGE_NAME "fip.bin"
@@ -139,8 +139,17 @@
#define PARAMS_BASE TZDRAM_BASE
-#define DRAM_BASE 0x80000000ull
-#define DRAM_SIZE 0x80000000ull
+#define DRAM1_BASE 0x80000000ull
+#define DRAM1_SIZE 0x80000000ull
+#define DRAM1_END (DRAM1_BASE + DRAM1_SIZE - 1)
+#define DRAM1_SEC_SIZE 0x01000000ull
+
+#define DRAM_BASE DRAM1_BASE
+#define DRAM_SIZE DRAM1_SIZE
+
+#define DRAM2_BASE 0x880000000ull
+#define DRAM2_SIZE 0x780000000ull
+#define DRAM2_END (DRAM2_BASE + DRAM2_SIZE - 1)
#define PCIE_EXP_BASE 0x40000000
#define TZRNG_BASE 0x7fe60000