1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2017-2024, STMicroelectronics 4 * Copyright (c) 2016-2018, Linaro Limited 5 */ 6 7 #include <boot_api.h> 8 #include <config.h> 9 #include <console.h> 10 #include <drivers/gic.h> 11 #include <drivers/pinctrl.h> 12 #include <drivers/stm32_etzpc.h> 13 #include <drivers/stm32_gpio.h> 14 #include <drivers/stm32_iwdg.h> 15 #include <drivers/stm32_tamp.h> 16 #include <drivers/stm32_uart.h> 17 #include <drivers/stm32mp_dt_bindings.h> 18 #include <io.h> 19 #include <kernel/boot.h> 20 #include <kernel/dt.h> 21 #include <kernel/misc.h> 22 #include <kernel/panic.h> 23 #include <kernel/spinlock.h> 24 #include <kernel/tee_misc.h> 25 #include <libfdt.h> 26 #include <mm/core_memprot.h> 27 #include <platform_config.h> 28 #include <sm/psci.h> 29 #include <stm32_util.h> 30 #include <string.h> 31 #include <trace.h> 32 33 register_phys_mem_pgdir(MEM_AREA_IO_NSEC, APB1_BASE, APB1_SIZE); 34 register_phys_mem_pgdir(MEM_AREA_IO_NSEC, APB2_BASE, APB2_SIZE); 35 register_phys_mem_pgdir(MEM_AREA_IO_NSEC, APB3_BASE, APB3_SIZE); 36 register_phys_mem_pgdir(MEM_AREA_IO_NSEC, APB4_BASE, APB4_SIZE); 37 register_phys_mem_pgdir(MEM_AREA_IO_NSEC, APB5_BASE, APB5_SIZE); 38 register_phys_mem_pgdir(MEM_AREA_IO_NSEC, AHB4_BASE, AHB4_SIZE); 39 register_phys_mem_pgdir(MEM_AREA_IO_NSEC, AHB5_BASE, AHB5_SIZE); 40 41 register_phys_mem_pgdir(MEM_AREA_IO_SEC, APB1_BASE, APB1_SIZE); 42 register_phys_mem_pgdir(MEM_AREA_IO_SEC, APB3_BASE, APB3_SIZE); 43 register_phys_mem_pgdir(MEM_AREA_IO_SEC, APB4_BASE, APB4_SIZE); 44 register_phys_mem_pgdir(MEM_AREA_IO_SEC, APB5_BASE, APB5_SIZE); 45 #ifdef CFG_STM32MP13 46 register_phys_mem_pgdir(MEM_AREA_IO_SEC, APB6_BASE, APB6_SIZE); 47 #endif 48 register_phys_mem_pgdir(MEM_AREA_IO_SEC, AHB4_BASE, AHB4_SIZE); 49 register_phys_mem_pgdir(MEM_AREA_IO_SEC, AHB5_BASE, AHB5_SIZE); 50 register_phys_mem_pgdir(MEM_AREA_IO_SEC, GIC_BASE, GIC_SIZE); 51 52 register_ddr(DDR_BASE, CFG_DRAM_SIZE); 53 54 #define _ID2STR(id) (#id) 55 #define ID2STR(id) _ID2STR(id) 56 57 static TEE_Result platform_banner(void) 58 { 59 IMSG("Platform stm32mp1: flavor %s - DT %s", 60 ID2STR(PLATFORM_FLAVOR), 61 ID2STR(CFG_EMBED_DTB_SOURCE_FILE)); 62 63 return TEE_SUCCESS; 64 } 65 service_init(platform_banner); 66 67 /* 68 * Console 69 * 70 * CFG_STM32_EARLY_CONSOLE_UART specifies the ID of the UART used for 71 * trace console. Value 0 disables the early console. 72 * 73 * We cannot use the generic serial_console support since probing 74 * the console requires the platform clock driver to be already 75 * up and ready which is done only once service_init are completed. 76 */ 77 static struct stm32_uart_pdata console_data; 78 79 void plat_console_init(void) 80 { 81 /* Early console initialization before MMU setup */ 82 struct uart { 83 paddr_t pa; 84 bool secure; 85 } uarts[] = { 86 [0] = { .pa = 0 }, 87 [1] = { .pa = USART1_BASE, .secure = true, }, 88 [2] = { .pa = USART2_BASE, .secure = false, }, 89 [3] = { .pa = USART3_BASE, .secure = false, }, 90 [4] = { .pa = UART4_BASE, .secure = false, }, 91 [5] = { .pa = UART5_BASE, .secure = false, }, 92 [6] = { .pa = USART6_BASE, .secure = false, }, 93 [7] = { .pa = UART7_BASE, .secure = false, }, 94 [8] = { .pa = UART8_BASE, .secure = false, }, 95 }; 96 97 COMPILE_TIME_ASSERT(ARRAY_SIZE(uarts) > CFG_STM32_EARLY_CONSOLE_UART); 98 99 if (!uarts[CFG_STM32_EARLY_CONSOLE_UART].pa) 100 return; 101 102 /* No clock yet bound to the UART console */ 103 console_data.clock = NULL; 104 105 console_data.secure = uarts[CFG_STM32_EARLY_CONSOLE_UART].secure; 106 stm32_uart_init(&console_data, uarts[CFG_STM32_EARLY_CONSOLE_UART].pa); 107 108 register_serial_console(&console_data.chip); 109 110 IMSG("Early console on UART#%u", CFG_STM32_EARLY_CONSOLE_UART); 111 } 112 113 static TEE_Result init_console_from_dt(void) 114 { 115 struct stm32_uart_pdata *pd = NULL; 116 void *fdt = NULL; 117 int node = 0; 118 TEE_Result res = TEE_ERROR_GENERIC; 119 120 fdt = get_embedded_dt(); 121 res = get_console_node_from_dt(fdt, &node, NULL, NULL); 122 if (res == TEE_ERROR_ITEM_NOT_FOUND) { 123 fdt = get_external_dt(); 124 res = get_console_node_from_dt(fdt, &node, NULL, NULL); 125 if (res == TEE_ERROR_ITEM_NOT_FOUND) 126 return TEE_SUCCESS; 127 if (res != TEE_SUCCESS) 128 return res; 129 } 130 131 pd = stm32_uart_init_from_dt_node(fdt, node); 132 if (!pd) { 133 IMSG("DTB disables console"); 134 register_serial_console(NULL); 135 return TEE_SUCCESS; 136 } 137 138 /* Replace early console with the new one */ 139 console_flush(); 140 console_data = *pd; 141 register_serial_console(&console_data.chip); 142 IMSG("DTB enables console (%ssecure)", pd->secure ? "" : "non-"); 143 free(pd); 144 145 return TEE_SUCCESS; 146 } 147 148 /* Probe console from DT once clock inits (service init level) are completed */ 149 service_init_late(init_console_from_dt); 150 151 /* 152 * GIC init, used also for primary/secondary boot core wake completion 153 */ 154 void boot_primary_init_intc(void) 155 { 156 gic_init(GIC_BASE + GICC_OFFSET, GIC_BASE + GICD_OFFSET); 157 158 stm32mp_register_online_cpu(); 159 } 160 161 void boot_secondary_init_intc(void) 162 { 163 gic_init_per_cpu(); 164 165 stm32mp_register_online_cpu(); 166 } 167 168 #ifdef CFG_STM32MP15 169 /* 170 * This concerns OP-TEE pager for STM32MP1 to use secure internal 171 * RAMs to execute. TZSRAM refers the TZSRAM_BASE/TZSRAM_SIZE 172 * used in boot.c to locate secure unpaged memory. 173 * 174 * STM32MP15 variants embed 640kB of contiguous securable SRAMs 175 * 176 * +--------------+ <-- SYSRAM_BASE 177 * | | lower part can be assigned to secure world 178 * | SYSRAM 256kB | 4kB granule boundary 179 * | | upper part can be assigned to secure world 180 * +--------------+ <-- SRAM1_BASE (= SYSRAM_BASE + SYSRAM_SIZE) 181 | | full range assigned to non-secure world or 182 * | SRAM1 128kB | to secure world, or to- Cortex-M4 exclusive access 183 * +--------------+ <-- SRAM2_BASE (= SRAM1_BASE + SRAM1_SIZE) 184 | | full range assigned to non-secure world or 185 * | SRAM2 128kB | to secure world, or to- Cortex-M4 exclusive access 186 * +--------------+ <-- SRAM3_BASE (= SRAM2_BASE + SRAM2_SIZE) 187 | | full range assigned to non-secure world or 188 * | SRAM3 64kB | to secure world, or to- Cortex-M4 exclusive access 189 * +--------------+ <-- SRAM4_BASE (= SRAM3_BASE + SRAM3_SIZE) 190 | | full range assigned to non-secure world or 191 * | SRAM4 64kB | to secure world, or to- Cortex-M4 exclusive access 192 * +--------------+ <-- SRAM4_BASE + SRAM4_SIZE 193 * 194 * If SRAMx memories are not used for the companion Cortex-M4 195 * processor, OP-TEE can use this memory. 196 * 197 * SYSRAM configuration for secure/non-secure boundaries requires the 198 * secure SYSRAM memory to start at the SYSRAM physical base address and grow 199 * from there while the non-secure SYSRAM range lies at SYSRAM end addresses 200 * with a 4KB page granule. 201 * 202 * SRAM1, SRAM2, SRAM3 and SRAM4 are independently assigned to secure world, 203 * to non-secure world or possibly to Cortex-M4 exclusive access. Each 204 * assignment covers the full related SRAMx memory range. 205 * 206 * Using non-secure SYSRAM or one of the SRAMx for SCMI message communication 207 * can be done using CFG_STM32MP1_SCMI_SHM_BASE/CFG_STM32MP1_SCMI_SHM_SIZE. 208 * This imposes related memory area is assigned to non-secure world. 209 210 * Using secure internal memories (SYSRAM and/or some SRAMx) with STM32MP15 211 * shall meet this constraints known the TZSRAM physical memory range shall 212 * be contiguous. 213 */ 214 215 #define SYSRAM_END (SYSRAM_BASE + SYSRAM_SIZE) 216 #define SYSRAM_SEC_END (SYSRAM_BASE + SYSRAM_SEC_SIZE) 217 #define SRAMS_END (SRAM4_BASE + SRAM4_SIZE) 218 #define SRAMS_START SRAM1_BASE 219 #define TZSRAM_END (CFG_TZSRAM_START + CFG_TZSRAM_SIZE) 220 221 #define SCMI_SHM_IS_IN_SRAMX ((CFG_STM32MP1_SCMI_SHM_BASE >= SRAM1_BASE) && \ 222 (CFG_STM32MP1_SCMI_SHM_BASE + \ 223 CFG_STM32MP1_SCMI_SHM_SIZE) <= SRAMS_END) 224 225 #define TZSRAM_FITS_IN_SYSRAM_SEC ((CFG_TZSRAM_START >= SYSRAM_BASE) && \ 226 (TZSRAM_END <= SYSRAM_SEC_END)) 227 228 #define TZSRAM_FITS_IN_SYSRAM_AND_SRAMS ((CFG_TZSRAM_START >= SYSRAM_BASE) && \ 229 (CFG_TZSRAM_START < SYSRAM_END) && \ 230 (TZSRAM_END > SYSRAM_END) && \ 231 (TZSRAM_END <= SRAMS_END) && \ 232 (SYSRAM_SIZE == SYSRAM_SEC_SIZE)) 233 234 #define TZSRAM_FITS_IN_SRAMS ((CFG_TZSRAM_START >= SRAMS_START) && \ 235 (CFG_TZSRAM_START < SRAMS_END) && \ 236 (TZSRAM_END <= SRAMS_END)) 237 238 #define TZSRAM_IS_IN_DRAM (CFG_TZSRAM_START >= CFG_DRAM_BASE) 239 240 #ifdef CFG_WITH_PAGER 241 /* 242 * At build time, we enforce that, when pager is used, 243 * either TZSRAM fully fits inside SYSRAM secure address range, 244 * or TZSRAM fully fits inside the full SYSRAM and spread inside SRAMx orderly, 245 * or TZSRAM fully fits some inside SRAMs address range, 246 * or TZSRAM is in DDR for debug and test purpose. 247 */ 248 static_assert(TZSRAM_FITS_IN_SYSRAM_SEC || TZSRAM_FITS_IN_SYSRAM_AND_SRAMS || 249 TZSRAM_FITS_IN_SRAMS || TZSRAM_IS_IN_DRAM); 250 #endif 251 252 #if TZSRAM_FITS_IN_SYSRAM_AND_SRAMS || TZSRAM_FITS_IN_SRAMS || \ 253 SCMI_SHM_IS_IN_SRAMX 254 /* At run time we enforce that SRAM1 to SRAM4 are properly assigned if used */ 255 static TEE_Result init_stm32mp15_secure_srams(void) 256 { 257 if (IS_ENABLED(CFG_WITH_PAGER)) { 258 if (core_is_buffer_intersect(CFG_TZSRAM_START, CFG_TZSRAM_SIZE, 259 SRAM1_BASE, SRAM1_SIZE)) 260 stm32mp_register_secure_periph_iomem(SRAM1_BASE); 261 262 if (core_is_buffer_intersect(CFG_TZSRAM_START, CFG_TZSRAM_SIZE, 263 SRAM2_BASE, SRAM2_SIZE)) 264 stm32mp_register_secure_periph_iomem(SRAM2_BASE); 265 266 if (core_is_buffer_intersect(CFG_TZSRAM_START, CFG_TZSRAM_SIZE, 267 SRAM3_BASE, SRAM3_SIZE)) 268 stm32mp_register_secure_periph_iomem(SRAM3_BASE); 269 270 if (core_is_buffer_intersect(CFG_TZSRAM_START, CFG_TZSRAM_SIZE, 271 SRAM4_BASE, SRAM4_SIZE)) 272 stm32mp_register_secure_periph_iomem(SRAM4_BASE); 273 } 274 275 if (SCMI_SHM_IS_IN_SRAMX) { 276 if (core_is_buffer_intersect(CFG_STM32MP1_SCMI_SHM_BASE, 277 CFG_STM32MP1_SCMI_SHM_SIZE, 278 SRAM1_BASE, SRAM1_SIZE)) 279 stm32mp_register_non_secure_periph_iomem(SRAM1_BASE); 280 281 if (core_is_buffer_intersect(CFG_STM32MP1_SCMI_SHM_BASE, 282 CFG_STM32MP1_SCMI_SHM_SIZE, 283 SRAM2_BASE, SRAM2_SIZE)) 284 stm32mp_register_non_secure_periph_iomem(SRAM2_BASE); 285 286 if (core_is_buffer_intersect(CFG_STM32MP1_SCMI_SHM_BASE, 287 CFG_STM32MP1_SCMI_SHM_SIZE, 288 SRAM3_BASE, SRAM3_SIZE)) 289 stm32mp_register_non_secure_periph_iomem(SRAM3_BASE); 290 291 if (core_is_buffer_intersect(CFG_STM32MP1_SCMI_SHM_BASE, 292 CFG_STM32MP1_SCMI_SHM_SIZE, 293 SRAM4_BASE, SRAM4_SIZE)) 294 stm32mp_register_non_secure_periph_iomem(SRAM4_BASE); 295 } 296 297 return TEE_SUCCESS; 298 } 299 300 service_init_late(init_stm32mp15_secure_srams); 301 #endif /* TZSRAM_FITS_IN_SYSRAM_AND_SRAMS || TZSRAM_FITS_IN_SRAMS */ 302 #endif /* CFG_STM32MP15 && CFG_TZSRAM_START */ 303 304 static TEE_Result init_stm32mp1_drivers(void) 305 { 306 #if defined(CFG_STM32_ETZPC) 307 etzpc_configure_tzma(1, SYSRAM_SEC_SIZE >> SMALL_PAGE_SHIFT); 308 309 if (SYSRAM_SIZE > SYSRAM_SEC_SIZE) { 310 size_t nsec_size = SYSRAM_SIZE - SYSRAM_SEC_SIZE; 311 paddr_t nsec_start = SYSRAM_BASE + SYSRAM_SEC_SIZE; 312 uint8_t *va = phys_to_virt(nsec_start, MEM_AREA_IO_NSEC, 313 nsec_size); 314 315 IMSG("Non-secure SYSRAM [%p %p]", va, va + nsec_size - 1); 316 317 /* Clear content from the non-secure part */ 318 memset(va, 0, nsec_size); 319 } 320 #endif /* CFG_STM32_ETZPC */ 321 322 return TEE_SUCCESS; 323 } 324 325 service_init_late(init_stm32mp1_drivers); 326 327 static TEE_Result init_late_stm32mp1_drivers(void) 328 { 329 TEE_Result res = TEE_ERROR_GENERIC; 330 331 /* Set access permission to TAM backup registers */ 332 if (IS_ENABLED(CFG_STM32_TAMP)) { 333 struct stm32_bkpregs_conf conf = { 334 .nb_zone1_regs = TAMP_BKP_REGISTER_ZONE1_COUNT, 335 .nb_zone2_regs = TAMP_BKP_REGISTER_ZONE2_COUNT, 336 }; 337 338 res = stm32_tamp_set_secure_bkpregs(&conf); 339 if (res == TEE_ERROR_DEFER_DRIVER_INIT) { 340 /* TAMP driver was not probed if disabled in the DT */ 341 res = TEE_SUCCESS; 342 } 343 if (res) 344 panic(); 345 } 346 347 return TEE_SUCCESS; 348 } 349 350 driver_init_late(init_late_stm32mp1_drivers); 351 352 vaddr_t stm32_rcc_base(void) 353 { 354 static struct io_pa_va base = { .pa = RCC_BASE }; 355 356 return io_pa_or_va_secure(&base, 1); 357 } 358 359 vaddr_t get_gicd_base(void) 360 { 361 struct io_pa_va base = { .pa = GIC_BASE + GICD_OFFSET }; 362 363 return io_pa_or_va_secure(&base, 1); 364 } 365 366 void stm32mp_get_bsec_static_cfg(struct stm32_bsec_static_cfg *cfg) 367 { 368 cfg->base = BSEC_BASE; 369 cfg->upper_start = STM32MP1_UPPER_OTP_START; 370 cfg->max_id = STM32MP1_OTP_MAX_ID; 371 } 372 373 bool __weak stm32mp_with_pmic(void) 374 { 375 return false; 376 } 377 378 uint32_t may_spin_lock(unsigned int *lock) 379 { 380 if (!lock || !cpu_mmu_enabled()) 381 return 0; 382 383 return cpu_spin_lock_xsave(lock); 384 } 385 386 void may_spin_unlock(unsigned int *lock, uint32_t exceptions) 387 { 388 if (!lock || !cpu_mmu_enabled()) 389 return; 390 391 cpu_spin_unlock_xrestore(lock, exceptions); 392 } 393 394 static vaddr_t stm32_tamp_base(void) 395 { 396 static struct io_pa_va base = { .pa = TAMP_BASE }; 397 398 return io_pa_or_va_secure(&base, 1); 399 } 400 401 static vaddr_t bkpreg_base(void) 402 { 403 return stm32_tamp_base() + TAMP_BKP_REGISTER_OFF; 404 } 405 406 vaddr_t stm32mp_bkpreg(unsigned int idx) 407 { 408 return bkpreg_base() + (idx * sizeof(uint32_t)); 409 } 410 411 static bool __maybe_unused bank_is_valid(unsigned int bank) 412 { 413 if (IS_ENABLED(CFG_STM32MP15)) 414 return bank == GPIO_BANK_Z || bank <= GPIO_BANK_K; 415 416 if (IS_ENABLED(CFG_STM32MP13)) 417 return bank <= GPIO_BANK_I; 418 419 panic(); 420 } 421 422 #ifdef CFG_STM32_IWDG 423 TEE_Result stm32_get_iwdg_otp_config(paddr_t pbase, 424 struct stm32_iwdg_otp_data *otp_data) 425 { 426 unsigned int idx = 0; 427 uint32_t otp_id = 0; 428 size_t bit_len = 0; 429 uint8_t bit_offset = 0; 430 uint32_t otp_value = 0; 431 432 switch (pbase) { 433 case IWDG1_BASE: 434 idx = 0; 435 break; 436 case IWDG2_BASE: 437 idx = 1; 438 break; 439 default: 440 panic(); 441 } 442 443 if (stm32_bsec_find_otp_in_nvmem_layout("hw2_otp", &otp_id, &bit_offset, 444 &bit_len) || 445 bit_len != 32 || bit_offset != 0) 446 panic(); 447 448 if (stm32_bsec_read_otp(&otp_value, otp_id)) 449 panic(); 450 451 otp_data->hw_enabled = otp_value & 452 BIT(idx + HW2_OTP_IWDG_HW_ENABLE_SHIFT); 453 otp_data->disable_on_stop = otp_value & 454 BIT(idx + HW2_OTP_IWDG_FZ_STOP_SHIFT); 455 otp_data->disable_on_standby = otp_value & 456 BIT(idx + HW2_OTP_IWDG_FZ_STANDBY_SHIFT); 457 458 return TEE_SUCCESS; 459 } 460 #endif /*CFG_STM32_IWDG*/ 461 462 #ifdef CFG_STM32_DEBUG_ACCESS 463 static TEE_Result init_debug(void) 464 { 465 TEE_Result res = TEE_SUCCESS; 466 uint32_t conf = stm32_bsec_read_debug_conf(); 467 struct clk *dbg_clk = stm32mp_rcc_clock_id_to_clk(CK_DBG); 468 uint32_t state = 0; 469 470 res = stm32_bsec_get_state(&state); 471 if (res) 472 return res; 473 474 if (state != BSEC_STATE_SEC_CLOSED && conf) { 475 if (IS_ENABLED(CFG_INSECURE)) 476 IMSG("WARNING: All debug accesses are allowed"); 477 478 res = stm32_bsec_write_debug_conf(conf | BSEC_DEBUG_ALL); 479 if (res) 480 return res; 481 482 /* 483 * Enable DBG clock as used to access coprocessor 484 * debug registers 485 */ 486 clk_enable(dbg_clk); 487 } 488 489 return TEE_SUCCESS; 490 } 491 early_init_late(init_debug); 492 #endif /* CFG_STM32_DEBUG_ACCESS */ 493 494 /* Some generic resources need to be unpaged */ 495 DECLARE_KEEP_PAGER(pinctrl_apply_state); 496 497 bool stm32mp_allow_probe_shared_device(const void *fdt, int node) 498 { 499 static int uart_console_node = -1; 500 const char *compat = NULL; 501 static bool once; 502 503 if (IS_ENABLED(CFG_STM32_ALLOW_UNSAFE_PROBE)) 504 return true; 505 506 if (!once) { 507 get_console_node_from_dt((void *)fdt, &uart_console_node, 508 NULL, NULL); 509 once = true; 510 } 511 512 compat = fdt_stringlist_get(fdt, node, "compatible", 0, NULL); 513 514 /* 515 * Allow OP-TEE console and MP15 I2C and RNG to be shared 516 * with non-secure world. 517 */ 518 if (node == uart_console_node || 519 !strcmp(compat, "st,stm32mp15-i2c-non-secure") || 520 (!strcmp(compat, "st,stm32-rng") && 521 IS_ENABLED(CFG_WITH_SOFTWARE_PRNG))) 522 return true; 523 524 return false; 525 } 526