1 // SPDX-License-Identifier: BSD-3-Clause
2 /*
3 * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
4 * Copyright (c) 2017-2024, STMicroelectronics
5 */
6
7 /*
8 * STM32 ETPZC acts as a firewall on stm32mp SoC peripheral interfaces and
9 * internal memories. The driver expects a single instance of the controller
10 * in the platform.
11 */
12
13 #include <assert.h>
14 #include <drivers/clk_dt.h>
15 #include <drivers/firewall.h>
16 #include <drivers/firewall_device.h>
17 #include <drivers/stm32mp_dt_bindings.h>
18 #ifdef CFG_STM32MP15
19 #include <drivers/stm32mp1_rcc.h>
20 #endif
21 #include <initcall.h>
22 #include <io.h>
23 #include <keep.h>
24 #include <kernel/boot.h>
25 #include <kernel/dt.h>
26 #include <kernel/panic.h>
27 #include <kernel/pm.h>
28 #include <kernel/spinlock.h>
29 #include <kernel/tee_misc.h>
30 #include <libfdt.h>
31 #include <mm/core_memprot.h>
32 #include <mm/core_mmu.h>
33 #include <stm32_util.h>
34 #include <util.h>
35
36 /* ID Registers */
37 #define ETZPC_TZMA0_SIZE U(0x000)
38 #define ETZPC_DECPROT0 U(0x010)
39 #define ETZPC_DECPROT_LOCK0 U(0x030)
40 #define ETZPC_HWCFGR U(0x3F0)
41 #define ETZPC_VERR U(0x3F4)
42
43 /* ID Registers fields */
44 #define ETZPC_TZMA0_SIZE_LOCK BIT(31)
45 #define ETZPC_DECPROT0_MASK GENMASK_32(1, 0)
46 #define ETZPC_HWCFGR_NUM_TZMA_MASK GENMASK_32(7, 0)
47 #define ETZPC_HWCFGR_NUM_TZMA_SHIFT 0
48 #define ETZPC_HWCFGR_NUM_PER_SEC_MASK GENMASK_32(15, 8)
49 #define ETZPC_HWCFGR_NUM_PER_SEC_SHIFT 8
50 #define ETZPC_HWCFGR_NUM_AHB_SEC_MASK GENMASK_32(23, 16)
51 #define ETZPC_HWCFGR_NUM_AHB_SEC_SHIFT 16
52 #define ETZPC_HWCFGR_CHUNKS1N4_MASK GENMASK_32(31, 24)
53 #define ETZPC_HWCFGR_CHUNKS1N4_SHIFT 24
54
55 #define DECPROT_SHIFT 1
56 #define IDS_PER_DECPROT_REGS U(16)
57 #define IDS_PER_DECPROT_LOCK_REGS U(32)
58
59 /*
60 * Implementation uses uint8_t to store each securable DECPROT configuration
61 * and uint16_t to store each securable TZMA configuration. When resuming
62 * from deep suspend, the DECPROT configurations are restored.
63 */
64 #define PERIPH_PM_LOCK_BIT BIT(7)
65 #define PERIPH_PM_ATTR_MASK GENMASK_32(2, 0)
66 #define TZMA_PM_LOCK_BIT BIT(15)
67 #define TZMA_PM_VALUE_MASK GENMASK_32(9, 0)
68
69 /* ETZPC DECPROT bit field values */
70 enum etzpc_decprot_attributes {
71 ETZPC_DECPROT_S_RW = 0,
72 ETZPC_DECPROT_NS_R_S_W = 1,
73 ETZPC_DECPROT_MCU_ISOLATION = 2,
74 ETZPC_DECPROT_NS_RW = 3,
75 ETZPC_DECPROT_MAX = 4,
76 };
77
78 /*
79 * struct stm32_etzpc_platdata - Driver data set at initialization
80 *
81 * @name: Name of the peripheral
82 * @clk: ETZPC clock
83 * @periph_cfg: Peripheral DECPROT configuration
84 * @tzma_cfg: TZMA configuration
85 * @base: ETZPC IOMEM base address
86 */
87 struct stm32_etzpc_platdata {
88 char *name;
89 struct clk *clk;
90 uint8_t *periph_cfg;
91 uint16_t *tzma_cfg;
92 struct io_pa_va base;
93 };
94
95 /*
96 * struct stm32_etzpc_driver_data - configuration data from the hardware
97 *
98 * @num_tzma: Number of TZMA zones, read from the hardware
99 * @num_per_sec: Number of securable AHB & APB periphs, read from the hardware
100 * @num_ahb_sec: Number of securable AHB master zones, read from the hardware
101 */
102 struct stm32_etzpc_driver_data {
103 unsigned int num_tzma;
104 unsigned int num_per_sec;
105 unsigned int num_ahb_sec;
106 };
107
108 /*
109 * struct etzpc_device - ETZPC device driver instance
110 * @pdata: Platform data set during initialization
111 * @ddata: Device configuration data from the hardware
112 * @lock: Access contention
113 */
114 struct etzpc_device {
115 struct stm32_etzpc_platdata pdata;
116 struct stm32_etzpc_driver_data ddata;
117 unsigned int lock;
118 };
119
120 static struct etzpc_device *etzpc_device;
121
122 static const char *const etzpc_decprot_strings[] __maybe_unused = {
123 [ETZPC_DECPROT_S_RW] = "ETZPC_DECPROT_S_RW",
124 [ETZPC_DECPROT_NS_R_S_W] = "ETZPC_DECPROT_NS_R_S_W",
125 [ETZPC_DECPROT_MCU_ISOLATION] = "ETZPC_DECPROT_MCU_ISOLATION",
126 [ETZPC_DECPROT_NS_RW] = "ETZPC_DECPROT_NS_RW",
127 };
128
etzpc_lock(void)129 static uint32_t etzpc_lock(void)
130 {
131 return cpu_spin_lock_xsave(&etzpc_device->lock);
132 }
133
etzpc_unlock(uint32_t exceptions)134 static void etzpc_unlock(uint32_t exceptions)
135 {
136 cpu_spin_unlock_xrestore(&etzpc_device->lock, exceptions);
137 }
138
valid_decprot_id(unsigned int id)139 static bool valid_decprot_id(unsigned int id)
140 {
141 return id < etzpc_device->ddata.num_per_sec;
142 }
143
valid_tzma_id(unsigned int id)144 static bool __maybe_unused valid_tzma_id(unsigned int id)
145 {
146 return id < etzpc_device->ddata.num_tzma;
147 }
148
etzpc_binding2decprot(uint32_t mode)149 static enum etzpc_decprot_attributes etzpc_binding2decprot(uint32_t mode)
150 {
151 switch (mode) {
152 case DECPROT_S_RW:
153 return ETZPC_DECPROT_S_RW;
154 case DECPROT_NS_R_S_W:
155 return ETZPC_DECPROT_NS_R_S_W;
156 #ifdef CFG_STM32MP15
157 case DECPROT_MCU_ISOLATION:
158 return ETZPC_DECPROT_MCU_ISOLATION;
159 #endif
160 case DECPROT_NS_RW:
161 return ETZPC_DECPROT_NS_RW;
162 default:
163 panic();
164 }
165 }
166
167 static void
sanitize_decprot_config(uint32_t decprot_id __maybe_unused,enum etzpc_decprot_attributes attr __maybe_unused)168 sanitize_decprot_config(uint32_t decprot_id __maybe_unused,
169 enum etzpc_decprot_attributes attr __maybe_unused)
170 {
171 #ifdef CFG_STM32MP15
172 /*
173 * STM32MP15: check dependency on RCC TZEN/MCKPROT configuration
174 * when a ETZPC resource is secured or isolated for Cortex-M
175 * coprocessor.
176 */
177 switch (attr) {
178 case ETZPC_DECPROT_S_RW:
179 case ETZPC_DECPROT_NS_R_S_W:
180 if (!stm32_rcc_is_secure()) {
181 IMSG("WARNING: RCC tzen:0, insecure ETZPC hardening %"PRIu32":%s",
182 decprot_id, etzpc_decprot_strings[attr]);
183 if (!IS_ENABLED(CFG_INSECURE))
184 panic();
185 }
186 break;
187 case ETZPC_DECPROT_MCU_ISOLATION:
188 if (!stm32_rcc_is_secure() || !stm32_rcc_is_mckprot()) {
189 IMSG("WARNING: RCC tzen:%u mckprot:%u, insecure ETZPC hardening %"PRIu32":%s",
190 stm32_rcc_is_secure(), stm32_rcc_is_mckprot(),
191 decprot_id, etzpc_decprot_strings[attr]);
192 if (!IS_ENABLED(CFG_INSECURE))
193 panic();
194 }
195 break;
196 case ETZPC_DECPROT_NS_RW:
197 break;
198 default:
199 assert(0);
200 break;
201 }
202 #endif
203 }
204
etzpc_configure_decprot(uint32_t decprot_id,enum etzpc_decprot_attributes attr)205 static void etzpc_configure_decprot(uint32_t decprot_id,
206 enum etzpc_decprot_attributes attr)
207 {
208 size_t offset = U(4) * (decprot_id / IDS_PER_DECPROT_REGS);
209 uint32_t shift = (decprot_id % IDS_PER_DECPROT_REGS) << DECPROT_SHIFT;
210 uint32_t masked_decprot = (uint32_t)attr & ETZPC_DECPROT0_MASK;
211 vaddr_t base = etzpc_device->pdata.base.va;
212 unsigned int exceptions = 0;
213
214 assert(valid_decprot_id(decprot_id));
215
216 FMSG("ID : %"PRIu32", config %i", decprot_id, attr);
217
218 sanitize_decprot_config(decprot_id, attr);
219
220 exceptions = etzpc_lock();
221
222 io_clrsetbits32(base + ETZPC_DECPROT0 + offset,
223 ETZPC_DECPROT0_MASK << shift,
224 masked_decprot << shift);
225
226 etzpc_unlock(exceptions);
227 }
228
etzpc_get_decprot(uint32_t decprot_id)229 static enum etzpc_decprot_attributes etzpc_get_decprot(uint32_t decprot_id)
230 {
231 size_t offset = U(4) * (decprot_id / IDS_PER_DECPROT_REGS);
232 uint32_t shift = (decprot_id % IDS_PER_DECPROT_REGS) << DECPROT_SHIFT;
233 vaddr_t base = etzpc_device->pdata.base.va;
234 uint32_t value = 0;
235
236 assert(valid_decprot_id(decprot_id));
237
238 value = (io_read32(base + ETZPC_DECPROT0 + offset) >> shift) &
239 ETZPC_DECPROT0_MASK;
240
241 return (enum etzpc_decprot_attributes)value;
242 }
243
etzpc_lock_decprot(uint32_t decprot_id)244 static void etzpc_lock_decprot(uint32_t decprot_id)
245 {
246 size_t offset = U(4) * (decprot_id / IDS_PER_DECPROT_LOCK_REGS);
247 uint32_t mask = BIT(decprot_id % IDS_PER_DECPROT_LOCK_REGS);
248 vaddr_t base = etzpc_device->pdata.base.va;
249 uint32_t exceptions = 0;
250
251 assert(valid_decprot_id(decprot_id));
252
253 exceptions = etzpc_lock();
254
255 io_write32(base + offset + ETZPC_DECPROT_LOCK0, mask);
256
257 etzpc_unlock(exceptions);
258 }
259
decprot_is_locked(uint32_t decprot_id)260 static bool decprot_is_locked(uint32_t decprot_id)
261 {
262 size_t offset = U(4) * (decprot_id / IDS_PER_DECPROT_LOCK_REGS);
263 uint32_t mask = BIT(decprot_id % IDS_PER_DECPROT_LOCK_REGS);
264 vaddr_t base = etzpc_device->pdata.base.va;
265
266 assert(valid_decprot_id(decprot_id));
267
268 return io_read32(base + offset + ETZPC_DECPROT_LOCK0) & mask;
269 }
270
etzpc_configure_tzma(uint32_t tzma_id,uint16_t tzma_value)271 static void etzpc_configure_tzma(uint32_t tzma_id, uint16_t tzma_value)
272 {
273 size_t offset = sizeof(uint32_t) * tzma_id;
274 vaddr_t base = etzpc_device->pdata.base.va;
275 uint32_t exceptions = 0;
276
277 assert(valid_tzma_id(tzma_id));
278
279 exceptions = etzpc_lock();
280
281 io_write32(base + ETZPC_TZMA0_SIZE + offset, tzma_value);
282
283 etzpc_unlock(exceptions);
284 }
285
etzpc_get_tzma(uint32_t tzma_id)286 static uint16_t etzpc_get_tzma(uint32_t tzma_id)
287 {
288 size_t offset = sizeof(uint32_t) * tzma_id;
289 vaddr_t base = etzpc_device->pdata.base.va;
290
291 assert(valid_tzma_id(tzma_id));
292
293 return io_read32(base + ETZPC_TZMA0_SIZE + offset);
294 }
295
etzpc_lock_tzma(uint32_t tzma_id)296 static void etzpc_lock_tzma(uint32_t tzma_id)
297 {
298 size_t offset = sizeof(uint32_t) * tzma_id;
299 vaddr_t base = etzpc_device->pdata.base.va;
300 uint32_t exceptions = 0;
301
302 assert(valid_tzma_id(tzma_id));
303
304 exceptions = etzpc_lock();
305
306 io_setbits32(base + ETZPC_TZMA0_SIZE + offset, ETZPC_TZMA0_SIZE_LOCK);
307
308 etzpc_unlock(exceptions);
309 }
310
tzma_is_locked(uint32_t tzma_id)311 static bool tzma_is_locked(uint32_t tzma_id)
312 {
313 size_t offset = sizeof(uint32_t) * tzma_id;
314 vaddr_t base = etzpc_device->pdata.base.va;
315
316 assert(valid_tzma_id(tzma_id));
317
318 return io_read32(base + ETZPC_TZMA0_SIZE + offset) &
319 ETZPC_TZMA0_SIZE_LOCK;
320 }
321
etzpc_pm(enum pm_op op,unsigned int pm_hint __unused,const struct pm_callback_handle * pm_handle __unused)322 static TEE_Result etzpc_pm(enum pm_op op, unsigned int pm_hint __unused,
323 const struct pm_callback_handle *pm_handle __unused)
324 {
325 struct stm32_etzpc_driver_data *ddata = &etzpc_device->ddata;
326 struct stm32_etzpc_platdata *pdata = &etzpc_device->pdata;
327 unsigned int n = 0;
328
329 if (op == PM_OP_SUSPEND) {
330 for (n = 0; n < ddata->num_per_sec; n++) {
331 pdata->periph_cfg[n] =
332 (uint8_t)etzpc_get_decprot(n);
333 if (decprot_is_locked(n))
334 pdata->periph_cfg[n] |= PERIPH_PM_LOCK_BIT;
335 }
336
337 for (n = 0; n < ddata->num_tzma; n++) {
338 pdata->tzma_cfg[n] =
339 (uint8_t)etzpc_get_tzma(n);
340 if (tzma_is_locked(n))
341 pdata->tzma_cfg[n] |= TZMA_PM_LOCK_BIT;
342 }
343
344 return TEE_SUCCESS;
345 }
346
347 /* PM_OP_RESUME */
348 for (n = 0; n < ddata->num_per_sec; n++) {
349 unsigned int attr = pdata->periph_cfg[n] & PERIPH_PM_ATTR_MASK;
350
351 etzpc_configure_decprot(n, (enum etzpc_decprot_attributes)attr);
352
353 if (pdata->periph_cfg[n] & PERIPH_PM_LOCK_BIT)
354 etzpc_lock_decprot(n);
355 }
356
357 for (n = 0; n < ddata->num_tzma; n++) {
358 uint16_t value = pdata->tzma_cfg[n] & TZMA_PM_VALUE_MASK;
359
360 etzpc_configure_tzma(n, value);
361
362 if (pdata->tzma_cfg[n] & TZMA_PM_LOCK_BIT)
363 etzpc_lock_tzma(n);
364 }
365
366 return TEE_SUCCESS;
367 }
368 DECLARE_KEEP_PAGER(etzpc_pm);
369
stm32_etzpc_check_access(struct firewall_query * firewall)370 static TEE_Result stm32_etzpc_check_access(struct firewall_query *firewall)
371 {
372 enum etzpc_decprot_attributes attr_req = ETZPC_DECPROT_MAX;
373 uint32_t id = 0;
374
375 if (!firewall || firewall->arg_count != 1)
376 return TEE_ERROR_BAD_PARAMETERS;
377
378 id = firewall->args[0] & ETZPC_ID_MASK;
379 attr_req = etzpc_binding2decprot((firewall->args[0] &
380 ETZPC_MODE_MASK) >> ETZPC_MODE_SHIFT);
381
382 if (id < etzpc_device->ddata.num_per_sec) {
383 if (etzpc_get_decprot(id) == attr_req)
384 return TEE_SUCCESS;
385 else
386 return TEE_ERROR_ACCESS_DENIED;
387 } else {
388 return TEE_ERROR_BAD_PARAMETERS;
389 }
390 }
391
stm32_etzpc_acquire_access(struct firewall_query * firewall)392 static TEE_Result stm32_etzpc_acquire_access(struct firewall_query *firewall)
393 {
394 enum etzpc_decprot_attributes attr = ETZPC_DECPROT_MCU_ISOLATION;
395 uint32_t id = 0;
396
397 if (!firewall || firewall->arg_count != 1)
398 return TEE_ERROR_BAD_PARAMETERS;
399
400 id = firewall->args[0] & ETZPC_ID_MASK;
401 if (id < etzpc_device->ddata.num_per_sec) {
402 attr = etzpc_get_decprot(id);
403 if (attr != ETZPC_DECPROT_S_RW &&
404 attr != ETZPC_DECPROT_NS_R_S_W)
405 return TEE_ERROR_ACCESS_DENIED;
406 } else {
407 return TEE_ERROR_BAD_PARAMETERS;
408 }
409
410 return TEE_SUCCESS;
411 }
412
413 static TEE_Result
stm32_etzpc_acquire_memory_access(struct firewall_query * firewall,paddr_t paddr,size_t size,bool read __unused,bool write __unused)414 stm32_etzpc_acquire_memory_access(struct firewall_query *firewall,
415 paddr_t paddr, size_t size,
416 bool read __unused, bool write __unused)
417 {
418 paddr_t tzma_base = 0;
419 size_t prot_size = 0;
420 uint32_t id = 0;
421
422 if (!firewall || firewall->arg_count != 1)
423 return TEE_ERROR_BAD_PARAMETERS;
424
425 id = firewall->args[0] & ETZPC_ID_MASK;
426 switch (id) {
427 case ETZPC_TZMA0_ID:
428 tzma_base = ROM_BASE;
429 prot_size = etzpc_get_tzma(0) * SMALL_PAGE_SIZE;
430 break;
431 case ETZPC_TZMA1_ID:
432 tzma_base = SYSRAM_BASE;
433 prot_size = etzpc_get_tzma(1) * SMALL_PAGE_SIZE;
434 break;
435 default:
436 return TEE_ERROR_BAD_PARAMETERS;
437 }
438
439 DMSG("Acquiring access for TZMA%u, secured from %#"PRIxPA" to %#"PRIxPA,
440 id == ETZPC_TZMA0_ID ? 0 : 1, tzma_base, tzma_base + prot_size);
441
442 if (core_is_buffer_inside(paddr, size, tzma_base, prot_size))
443 return TEE_SUCCESS;
444
445 return TEE_ERROR_ACCESS_DENIED;
446 }
447
448 #ifdef CFG_STM32MP15
pager_permits_decprot_config(uint32_t decprot_id,enum etzpc_decprot_attributes attr)449 static bool pager_permits_decprot_config(uint32_t decprot_id,
450 enum etzpc_decprot_attributes attr)
451 {
452 paddr_t ram_base = 0;
453 size_t ram_size = 0;
454
455 if (!IS_ENABLED(CFG_WITH_PAGER))
456 return true;
457
458 switch (decprot_id) {
459 case ETZPC_TZMA1_ID:
460 ram_base = SYSRAM_BASE;
461 ram_size = SYSRAM_SEC_SIZE;
462 break;
463 case STM32MP1_ETZPC_SRAM1_ID:
464 ram_base = SRAM1_BASE;
465 ram_size = SRAM1_SIZE;
466 break;
467 case STM32MP1_ETZPC_SRAM2_ID:
468 ram_base = SRAM2_BASE;
469 ram_size = SRAM2_SIZE;
470 break;
471 case STM32MP1_ETZPC_SRAM3_ID:
472 ram_base = SRAM3_BASE;
473 ram_size = SRAM3_SIZE;
474 break;
475 case STM32MP1_ETZPC_SRAM4_ID:
476 ram_base = SRAM4_BASE;
477 ram_size = SRAM4_SIZE;
478 break;
479 default:
480 return true;
481 }
482
483 if (stm32mp1_ram_intersect_pager_ram(ram_base, ram_size) &&
484 attr != ETZPC_DECPROT_S_RW) {
485 EMSG("Internal RAM %#"PRIxPA"..%#"PRIxPA" is used by pager, must be secure",
486 ram_base, ram_base + ram_size);
487 return false;
488 }
489
490 return true;
491 }
492 #endif /* CFG_STM32MP15 */
493
decprot_id_is_internal_ram(uint32_t id)494 static bool decprot_id_is_internal_ram(uint32_t id)
495 {
496 switch (id) {
497 case STM32MP1_ETZPC_SRAM1_ID:
498 case STM32MP1_ETZPC_SRAM2_ID:
499 case STM32MP1_ETZPC_SRAM3_ID:
500 #ifdef CFG_STM32MP15
501 case STM32MP1_ETZPC_SRAM4_ID:
502 case STM32MP1_ETZPC_RETRAM_ID:
503 #endif
504 return true;
505 default:
506 return false;
507 }
508 }
509
stm32_etzpc_configure_memory(struct firewall_query * firewall,paddr_t paddr,size_t size)510 static TEE_Result stm32_etzpc_configure_memory(struct firewall_query *firewall,
511 paddr_t paddr, size_t size)
512 {
513 enum etzpc_decprot_attributes attr = ETZPC_DECPROT_MAX;
514 bool lock = false;
515 uint32_t mode = 0;
516 uint32_t id = 0;
517
518 if (firewall->arg_count != 1)
519 return TEE_ERROR_BAD_PARAMETERS;
520
521 id = firewall->args[0] & ETZPC_ID_MASK;
522 mode = (firewall->args[0] & ETZPC_MODE_MASK) >> ETZPC_MODE_SHIFT;
523 attr = etzpc_binding2decprot(mode);
524 lock = firewall->args[0] & ETZPC_LOCK_MASK;
525
526 if (decprot_id_is_internal_ram(id)) {
527 /* Use OP-TEE SRAM addresses, not the alias one */
528 paddr = stm32mp1_pa_or_sram_alias_pa(paddr);
529
530 /* Target address range must match the full SRAM range */
531 switch (id) {
532 case STM32MP1_ETZPC_SRAM1_ID:
533 if (paddr != SRAM1_BASE || size != SRAM1_SIZE)
534 return TEE_ERROR_BAD_PARAMETERS;
535 break;
536 case STM32MP1_ETZPC_SRAM2_ID:
537 if (paddr != SRAM2_BASE || size != SRAM2_SIZE)
538 return TEE_ERROR_BAD_PARAMETERS;
539 break;
540 case STM32MP1_ETZPC_SRAM3_ID:
541 if (paddr != SRAM3_BASE || size != SRAM3_SIZE)
542 return TEE_ERROR_BAD_PARAMETERS;
543 break;
544 #ifdef CFG_STM32MP15
545 case STM32MP1_ETZPC_SRAM4_ID:
546 if (paddr != SRAM4_BASE || size != SRAM4_SIZE)
547 return TEE_ERROR_BAD_PARAMETERS;
548 break;
549 case STM32MP1_ETZPC_RETRAM_ID:
550 if (paddr != RETRAM_BASE || size != RETRAM_SIZE)
551 return TEE_ERROR_BAD_PARAMETERS;
552 break;
553 #endif /*CFG_STM32MP15*/
554 default:
555 panic();
556 }
557
558 if (decprot_is_locked(id)) {
559 if (etzpc_get_decprot(id) != attr) {
560 EMSG("Internal RAM configuration locked");
561 return TEE_ERROR_ACCESS_DENIED;
562 }
563
564 return TEE_SUCCESS;
565 }
566
567 #ifdef CFG_STM32MP15
568 if (!pager_permits_decprot_config(id, attr))
569 return TEE_ERROR_ACCESS_DENIED;
570 #endif
571
572 etzpc_configure_decprot(id, attr);
573 if (lock)
574 etzpc_lock_decprot(id);
575 } else if (id == ETZPC_TZMA0_ID || id == ETZPC_TZMA1_ID) {
576 unsigned int tzma_id = 0;
577 uint16_t tzma_r0size = 0;
578 paddr_t ram_base = 0;
579 size_t ram_size = 0;
580
581 switch (id) {
582 case ETZPC_TZMA0_ID:
583 ram_base = ROM_BASE;
584 ram_size = ROM_SIZE;
585 tzma_id = 0;
586 break;
587 case ETZPC_TZMA1_ID:
588 ram_base = SYSRAM_BASE;
589 ram_size = SYSRAM_SIZE;
590 tzma_id = 1;
591 break;
592 default:
593 return TEE_ERROR_BAD_PARAMETERS;
594 }
595
596 /* TZMA configuration supports only page aligned sizes */
597 if (!IS_ALIGNED(paddr, SMALL_PAGE_SIZE) ||
598 !IS_ALIGNED(size, SMALL_PAGE_SIZE))
599 return TEE_ERROR_BAD_PARAMETERS;
600
601 /*
602 * TZMA supports only 2 access rights configuration
603 * for RAM ranges: secure or non-secure.
604 * Secure RAM range must start from RAM base address
605 * and non-secure RAM range must end at RAM top address.
606 */
607 switch (attr) {
608 case ETZPC_DECPROT_S_RW:
609 if (paddr != ram_base || size > ram_size)
610 return TEE_ERROR_BAD_PARAMETERS;
611 tzma_r0size = ram_size / SMALL_PAGE_SIZE;
612 break;
613 case ETZPC_DECPROT_NS_RW:
614 if (paddr < ram_base ||
615 paddr + size != ram_base + ram_size)
616 return TEE_ERROR_BAD_PARAMETERS;
617 tzma_r0size = (paddr - ram_base) / SMALL_PAGE_SIZE;
618 break;
619 default:
620 EMSG("Invalid TZMA mode %"PRIu32, mode);
621 return TEE_ERROR_BAD_PARAMETERS;
622 }
623
624 #ifdef CFG_STM32MP15
625 if (!pager_permits_decprot_config(id, attr))
626 return TEE_ERROR_ACCESS_DENIED;
627 #endif
628
629 if (tzma_is_locked(tzma_id)) {
630 if (etzpc_get_tzma(tzma_id) != tzma_r0size) {
631 EMSG("TZMA configuration locked");
632 return TEE_ERROR_ACCESS_DENIED;
633 }
634
635 return TEE_SUCCESS;
636 }
637
638 etzpc_configure_tzma(tzma_id, tzma_r0size);
639 if (lock)
640 etzpc_lock_tzma(tzma_id);
641 } else {
642 EMSG("Unknown firewall ID: %"PRIu32, id);
643
644 return TEE_ERROR_BAD_PARAMETERS;
645 }
646
647 return TEE_SUCCESS;
648 }
649
stm32_etzpc_configure(struct firewall_query * firewall)650 static TEE_Result stm32_etzpc_configure(struct firewall_query *firewall)
651 {
652 enum etzpc_decprot_attributes attr = ETZPC_DECPROT_MAX;
653 uint32_t id = 0;
654
655 if (firewall->arg_count != 1)
656 return TEE_ERROR_BAD_PARAMETERS;
657
658 id = firewall->args[0] & ETZPC_ID_MASK;
659
660 if (id < etzpc_device->ddata.num_per_sec) {
661 uint32_t mode = 0;
662
663 /*
664 * Peripheral configuration, we assume the configuration is as
665 * follows:
666 * firewall->args[0]: Firewall configuration to apply
667 */
668
669 mode = (firewall->args[0] & ETZPC_MODE_MASK) >>
670 ETZPC_MODE_SHIFT;
671 attr = etzpc_binding2decprot(mode);
672
673 if (decprot_is_locked(id)) {
674 if (etzpc_get_decprot(id) != attr) {
675 EMSG("Peripheral configuration locked");
676 return TEE_ERROR_ACCESS_DENIED;
677 }
678
679 DMSG("Compliant locked config for periph %"PRIu32" - attr %s",
680 id, etzpc_decprot_strings[attr]);
681
682 return TEE_SUCCESS;
683 }
684
685 #ifdef CFG_STM32MP15
686 if (!pager_permits_decprot_config(id, attr))
687 return TEE_ERROR_ACCESS_DENIED;
688 #endif
689
690 DMSG("Setting access config for periph %"PRIu32" - attr %s", id,
691 etzpc_decprot_strings[attr]);
692
693 etzpc_configure_decprot(id, attr);
694 if (firewall->args[0] & ETZPC_LOCK_MASK)
695 etzpc_lock_decprot(id);
696
697 return TEE_SUCCESS;
698 }
699 EMSG("Unknown firewall ID: %"PRIu32, id);
700
701 return TEE_ERROR_BAD_PARAMETERS;
702 }
703
stm32_etzpc_set_driverdata(void)704 static void stm32_etzpc_set_driverdata(void)
705 {
706 struct stm32_etzpc_driver_data *ddata = &etzpc_device->ddata;
707 vaddr_t base = etzpc_device->pdata.base.va;
708 uint32_t reg = io_read32(base + ETZPC_HWCFGR);
709
710 ddata->num_tzma = (reg & ETZPC_HWCFGR_NUM_TZMA_MASK) >>
711 ETZPC_HWCFGR_NUM_TZMA_SHIFT;
712 ddata->num_per_sec = (reg & ETZPC_HWCFGR_NUM_PER_SEC_MASK) >>
713 ETZPC_HWCFGR_NUM_PER_SEC_SHIFT;
714 ddata->num_ahb_sec = (reg & ETZPC_HWCFGR_NUM_AHB_SEC_MASK) >>
715 ETZPC_HWCFGR_NUM_AHB_SEC_SHIFT;
716
717 DMSG("ETZPC revision 0x%02"PRIx8", per_sec %u, ahb_sec %u, tzma %u",
718 io_read8(base + ETZPC_VERR),
719 ddata->num_per_sec, ddata->num_ahb_sec, ddata->num_tzma);
720 }
721
fdt_etzpc_conf_decprot(const void * fdt,int node)722 static void fdt_etzpc_conf_decprot(const void *fdt, int node)
723 {
724 const fdt32_t *cuint = NULL;
725 size_t i = 0;
726 int len = 0;
727
728 cuint = fdt_getprop(fdt, node, "st,decprot", &len);
729 if (!cuint) {
730 DMSG("No ETZPC DECPROT configuration in DT");
731 return;
732 }
733
734 clk_enable(etzpc_device->pdata.clk);
735
736 for (i = 0; i < len / sizeof(uint32_t); i++) {
737 uint32_t value = fdt32_to_cpu(cuint[i]);
738 uint32_t id = value & ETZPC_ID_MASK;
739 uint32_t mode = (value & ETZPC_MODE_MASK) >> ETZPC_MODE_SHIFT;
740 bool lock = value & ETZPC_LOCK_MASK;
741 enum etzpc_decprot_attributes attr = ETZPC_DECPROT_MAX;
742
743 if (!valid_decprot_id(id)) {
744 DMSG("Invalid DECPROT %"PRIu32, id);
745 panic();
746 }
747
748 attr = etzpc_binding2decprot(mode);
749
750 #ifdef CFG_STM32MP15
751 if (!pager_permits_decprot_config(id, attr))
752 panic();
753 #endif
754
755 etzpc_configure_decprot(id, attr);
756
757 if (lock)
758 etzpc_lock_decprot(id);
759 }
760
761 clk_disable(etzpc_device->pdata.clk);
762 }
763
764 static TEE_Result
stm32_etzpc_dt_probe_bus(const void * fdt,int node,struct firewall_controller * ctrl __maybe_unused)765 stm32_etzpc_dt_probe_bus(const void *fdt, int node,
766 struct firewall_controller *ctrl __maybe_unused)
767 {
768 TEE_Result res = TEE_ERROR_GENERIC;
769 struct firewall_query *fw = NULL;
770 int subnode = 0;
771
772 DMSG("Populating %s firewall bus", ctrl->name);
773
774 fdt_for_each_subnode(subnode, fdt, node) {
775 unsigned int i = 0;
776
777 if (fdt_get_status(fdt, subnode) == DT_STATUS_DISABLED)
778 continue;
779
780 if (IS_ENABLED(CFG_INSECURE) &&
781 stm32mp_allow_probe_shared_device(fdt, subnode)) {
782 DMSG("Skipping firewall attributes check for %s",
783 fdt_get_name(fdt, subnode, NULL));
784 goto skip_check;
785 }
786
787 DMSG("Acquiring firewall access for %s when probing bus",
788 fdt_get_name(fdt, subnode, NULL));
789
790 do {
791 /*
792 * The access-controllers property is mandatory for
793 * firewall bus devices
794 */
795 res = firewall_dt_get_by_index(fdt, subnode, i, &fw);
796 if (res == TEE_ERROR_ITEM_NOT_FOUND) {
797 /* Stop when nothing more to parse */
798 break;
799 } else if (res) {
800 EMSG("%s: Error on node %s: %#"PRIx32,
801 ctrl->name,
802 fdt_get_name(fdt, subnode, NULL), res);
803 panic();
804 }
805
806 res = firewall_acquire_access(fw);
807 if (res) {
808 EMSG("%s: %s not accessible: %#"PRIx32,
809 ctrl->name,
810 fdt_get_name(fdt, subnode, NULL), res);
811 panic();
812 }
813
814 firewall_put(fw);
815 i++;
816 } while (true);
817
818 skip_check:
819 res = dt_driver_maybe_add_probe_node(fdt, subnode);
820 if (res) {
821 EMSG("Failed on node %s with %#"PRIx32,
822 fdt_get_name(fdt, subnode, NULL), res);
823 panic();
824 }
825 }
826
827 return TEE_SUCCESS;
828 }
829
init_etzpc_from_dt(const void * fdt,int node)830 static TEE_Result init_etzpc_from_dt(const void *fdt, int node)
831 {
832 TEE_Result res = TEE_ERROR_GENERIC;
833 struct dt_node_info etzpc_info = { };
834 int len = 0;
835
836 fdt_fill_device_info(fdt, &etzpc_info, node);
837 if (etzpc_info.reg == DT_INFO_INVALID_REG ||
838 etzpc_info.reg_size == DT_INFO_INVALID_REG_SIZE)
839 return TEE_ERROR_ITEM_NOT_FOUND;
840
841 etzpc_device->pdata.base.pa = etzpc_info.reg;
842 etzpc_device->pdata.name = strdup(fdt_get_name(fdt, node, &len));
843 io_pa_or_va_secure(&etzpc_device->pdata.base, etzpc_info.reg_size);
844 res = clk_dt_get_by_index(fdt, node, 0, &etzpc_device->pdata.clk);
845 if (res)
846 return res;
847
848 stm32_etzpc_set_driverdata();
849
850 etzpc_device->pdata.periph_cfg =
851 calloc(etzpc_device->ddata.num_per_sec,
852 sizeof(*etzpc_device->pdata.periph_cfg));
853 if (!etzpc_device->pdata.periph_cfg)
854 return TEE_ERROR_OUT_OF_MEMORY;
855
856 etzpc_device->pdata.tzma_cfg =
857 calloc(etzpc_device->ddata.num_tzma,
858 sizeof(*etzpc_device->pdata.tzma_cfg));
859 if (!etzpc_device->pdata.tzma_cfg) {
860 free(etzpc_device->pdata.periph_cfg);
861 return TEE_ERROR_OUT_OF_MEMORY;
862 }
863
864 return TEE_SUCCESS;
865 }
866
867 static const struct firewall_controller_ops firewall_ops = {
868 .set_conf = stm32_etzpc_configure,
869 .set_memory_conf = stm32_etzpc_configure_memory,
870 .check_access = stm32_etzpc_check_access,
871 .acquire_access = stm32_etzpc_acquire_access,
872 .acquire_memory_access = stm32_etzpc_acquire_memory_access,
873 };
874
stm32_etzpc_probe(const void * fdt,int node,const void * compat_data __unused)875 static TEE_Result stm32_etzpc_probe(const void *fdt, int node,
876 const void *compat_data __unused)
877 {
878 TEE_Result res = TEE_ERROR_GENERIC;
879 struct firewall_controller *controller = NULL;
880
881 etzpc_device = calloc(1, sizeof(*etzpc_device));
882 if (!etzpc_device)
883 panic();
884
885 res = init_etzpc_from_dt(fdt, node);
886 if (res) {
887 free(etzpc_device->pdata.periph_cfg);
888 free(etzpc_device->pdata.tzma_cfg);
889 free(etzpc_device->pdata.name);
890 free(etzpc_device);
891 free(controller);
892 return res;
893 }
894
895 controller = calloc(1, sizeof(*controller));
896 if (!controller)
897 panic();
898
899 controller->base = &etzpc_device->pdata.base;
900 controller->name = etzpc_device->pdata.name;
901 controller->priv = etzpc_device;
902 controller->ops = &firewall_ops;
903
904 res = firewall_dt_controller_register(fdt, node, controller);
905 if (res)
906 panic("Cannot register ETZPC as a firewall controller");
907
908 fdt_etzpc_conf_decprot(fdt, node);
909
910 res = stm32_etzpc_dt_probe_bus(fdt, node, controller);
911 if (res)
912 panic("Cannot populate bus");
913
914 register_pm_core_service_cb(etzpc_pm, NULL, "stm32-etzpc");
915
916 return TEE_SUCCESS;
917 }
918
919 static const struct dt_device_match etzpc_match_table[] = {
920 { .compatible = "st,stm32-etzpc" },
921 { }
922 };
923
924 DEFINE_DT_DRIVER(etzpc_dt_driver) = {
925 .name = "stm32-etzpc",
926 .match_table = etzpc_match_table,
927 .probe = stm32_etzpc_probe,
928 };
929