feat(ethos-n): add protected NPU TZMP1 regions

TZMP1 protected memory regions have been added in the Juno platform to store sensitive data for the Arm(R) Ethos(TM)-N NPU This is enabled when building TF-A with ARM_ETHOSN_NPU_TZMP1. The NPU uses two protected memory regions: 1) Firmware region to protect the NPU's firmware from being modified from the non-secure world 2) Data region for sensitive data used by the NPU Respective memory region can only be accessed with their unique NSAID. Signed-off-by: Bjorn Engstrom <bjoern.engstroem@arm.com> Signed-off-by: Mikael Olsson <mikael.olsson@arm.com> Signed-off-by: Rob Hughes <robert.hughes@arm.com> Change-Id: I65200047f10364ca18681ce348a6edb2ffb9b095
2 years ago · d77c11e896
2 changed files with 63 additions and 6 deletions
--- a/plat/arm/board/juno/juno_ethosn_tzmp1_def.h
+++ b/plat/arm/board/juno/juno_ethosn_tzmp1_def.h
@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef JUNO_ETHOSN_TZMP1_DEF_H
+#define JUNO_ETHOSN_TZMP1_DEF_H
+
+#define JUNO_ETHOSN_TZC400_NSAID_FW_PROT        7
+#define JUNO_ETHOSN_TZC400_NSAID_DATA_PROT      8
+
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_SIZE      UL(0x000400000) /* 4 MB */
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE      (ARM_DRAM2_BASE)
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END       (ARM_DRAM2_BASE +		    \
+						 JUNO_ETHOSN_FW_TZC_PROT_DRAM2_SIZE \
+						 - 1U)
+
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_SIZE    UL(0x004000000) /* 64 MB */
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE    ( \
+		JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END + 1)
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END     (      \
+		JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE + \
+		JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_SIZE - 1U)
+
+#define JUNO_ETHOSN_NS_DRAM2_BASE       (JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END + \
+					 1)
+#define JUNO_ETHOSN_NS_DRAM2_END        (ARM_DRAM2_END)
+#define JUNO_ETHOSN_NS_DRAM2_SIZE       (ARM_DRAM2_SIZE - \
+					 JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END)
+
+#define JUNO_FW_TZC_PROT_ACCESS	\
+	(TZC_REGION_ACCESS_RDWR(JUNO_ETHOSN_TZC400_NSAID_FW_PROT))
+#define JUNO_DATA_TZC_PROT_ACCESS \
+	(TZC_REGION_ACCESS_RDWR(JUNO_ETHOSN_TZC400_NSAID_DATA_PROT))
+
+#define JUNO_ETHOSN_TZMP_REGIONS_DEF					  \
+	{ ARM_AP_TZC_DRAM1_BASE, ARM_EL3_TZC_DRAM1_END + ARM_L1_GPT_SIZE, \
+	  TZC_REGION_S_RDWR, 0 },					  \
+	{ ARM_NS_DRAM1_BASE, ARM_NS_DRAM1_END,				  \
+	  ARM_TZC_NS_DRAM_S_ACCESS, PLAT_ARM_TZC_NS_DEV_ACCESS },	  \
+	{ JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE,				  \
+	  JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END,				  \
+	  TZC_REGION_S_RDWR, JUNO_FW_TZC_PROT_ACCESS },			  \
+	{ JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE,				  \
+	  JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END,				  \
+	  TZC_REGION_S_NONE, JUNO_DATA_TZC_PROT_ACCESS },		  \
+	{ JUNO_ETHOSN_NS_DRAM2_BASE, JUNO_ETHOSN_NS_DRAM2_END,		  \
+	  ARM_TZC_NS_DRAM_S_ACCESS, PLAT_ARM_TZC_NS_DEV_ACCESS }
+
+#endif /* JUNO_ETHOSN_TZMP1_DEF_H */
--- a/plat/arm/board/juno/juno_security.c
+++ b/plat/arm/board/juno/juno_security.c
@ -13,6 +13,7 @@
 #include <plat/arm/soc/common/soc_css.h>
 #include <plat/common/platform.h>

+#include "juno_ethosn_tzmp1_def.h"
 #include "juno_tzmp1_def.h"

 #ifdef JUNO_TZMP1
@ -79,12 +80,9 @@ static void init_v550(void)
 #endif /* JUNO_TZMP1 */

 #ifdef JUNO_ETHOSN_TZMP1
-/*
- * Currently use the default regions defined in ARM_TZC_REGIONS_DEF.
- * See the definition in /include/plat/arm/common/plat_arm.h
- */
+
 static const arm_tzc_regions_info_t juno_ethosn_tzmp1_tzc_regions[] = {
-	ARM_TZC_REGIONS_DEF, /* See define in /include/plat/arm/common/plat_arm.h */
+	JUNO_ETHOSN_TZMP_REGIONS_DEF,
 	{},
 };

@ -154,7 +152,15 @@ void plat_arm_security_setup(void)
 	     (void *)JUNO_AP_TZC_SHARE_DRAM1_END);
 #elif defined(JUNO_ETHOSN_TZMP1)
 	arm_tzc400_setup(PLAT_ARM_TZC_BASE, juno_ethosn_tzmp1_tzc_regions);
-	INFO("TZC set up with default settings for NPU TZMP usecase\n");
+	INFO("TZC protected shared memory range for NPU TZMP usecase: %p - %p\n",
+	     (void *)JUNO_ETHOSN_NS_DRAM2_BASE,
+	     (void *)JUNO_ETHOSN_NS_DRAM2_END);
+	INFO("TZC protected Data memory range for NPU TZMP usecase: %p - %p\n",
+	     (void *)JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE,
+	     (void *)JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END);
+	INFO("TZC protected FW memory range for NPU TZMP usecase: %p - %p\n",
+	     (void *)JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE,
+	     (void *)JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END);
 #else
 	arm_tzc400_setup(PLAT_ARM_TZC_BASE, NULL);
 #endif