feat(ethos-n): add protected NPU TZMP1 regions

TZMP1 protected memory regions have been added in the Juno platform to
store sensitive data for the Arm(R) Ethos(TM)-N NPU
This is enabled when building TF-A with ARM_ETHOSN_NPU_TZMP1.

The NPU uses two protected memory regions:
 1) Firmware region to protect the NPU's firmware from being modified
    from the non-secure world
 2) Data region for sensitive data used by the NPU

Respective memory region can only be accessed with their unique NSAID.

Signed-off-by: Bjorn Engstrom <bjoern.engstroem@arm.com>
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
Change-Id: I65200047f10364ca18681ce348a6edb2ffb9b095

diff --git a/plat/arm/board/juno/juno_ethosn_tzmp1_def.h b/plat/arm/board/juno/juno_ethosn_tzmp1_def.h
new file mode 100644 (file)
index 0000000..131adcd
--- /dev/null
+++ b/plat/arm/board/juno/juno_ethosn_tzmp1_def.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef JUNO_ETHOSN_TZMP1_DEF_H
+#define JUNO_ETHOSN_TZMP1_DEF_H
+
+#define JUNO_ETHOSN_TZC400_NSAID_FW_PROT        7
+#define JUNO_ETHOSN_TZC400_NSAID_DATA_PROT      8
+
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_SIZE      UL(0x000400000) /* 4 MB */
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE      (ARM_DRAM2_BASE)
+#define JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END       (ARM_DRAM2_BASE +                  \
+                                                JUNO_ETHOSN_FW_TZC_PROT_DRAM2_SIZE \
+                                                - 1U)
+
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_SIZE    UL(0x004000000) /* 64 MB */
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE    ( \
+               JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END + 1)
+#define JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END     (      \
+               JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE + \
+               JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_SIZE - 1U)
+
+#define JUNO_ETHOSN_NS_DRAM2_BASE       (JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END + \
+                                        1)
+#define JUNO_ETHOSN_NS_DRAM2_END        (ARM_DRAM2_END)
+#define JUNO_ETHOSN_NS_DRAM2_SIZE       (ARM_DRAM2_SIZE - \
+                                        JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END)
+
+#define JUNO_FW_TZC_PROT_ACCESS        \
+       (TZC_REGION_ACCESS_RDWR(JUNO_ETHOSN_TZC400_NSAID_FW_PROT))
+#define JUNO_DATA_TZC_PROT_ACCESS \
+       (TZC_REGION_ACCESS_RDWR(JUNO_ETHOSN_TZC400_NSAID_DATA_PROT))
+
+#define JUNO_ETHOSN_TZMP_REGIONS_DEF                                     \
+       { ARM_AP_TZC_DRAM1_BASE, ARM_EL3_TZC_DRAM1_END + ARM_L1_GPT_SIZE, \
+         TZC_REGION_S_RDWR, 0 },                                         \
+       { ARM_NS_DRAM1_BASE, ARM_NS_DRAM1_END,                            \
+         ARM_TZC_NS_DRAM_S_ACCESS, PLAT_ARM_TZC_NS_DEV_ACCESS },         \
+       { JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE,                             \
+         JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END,                              \
+         TZC_REGION_S_RDWR, JUNO_FW_TZC_PROT_ACCESS },                   \
+       { JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE,                           \
+         JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END,                            \
+         TZC_REGION_S_NONE, JUNO_DATA_TZC_PROT_ACCESS },                 \
+       { JUNO_ETHOSN_NS_DRAM2_BASE, JUNO_ETHOSN_NS_DRAM2_END,            \
+         ARM_TZC_NS_DRAM_S_ACCESS, PLAT_ARM_TZC_NS_DEV_ACCESS }
+
+#endif /* JUNO_ETHOSN_TZMP1_DEF_H */

diff --git a/plat/arm/board/juno/juno_security.c b/plat/arm/board/juno/juno_security.c
index a0fd36ce7448808ce5776bcb68aef267fe62cfa2..72e7e78379aae60aa4787ebe11fc00c4aa5584a9 100644 (file)
--- a/plat/arm/board/juno/juno_security.c
+++ b/plat/arm/board/juno/juno_security.c
@@ -13,6 +13,7 @@
 #include <plat/arm/soc/common/soc_css.h>
 #include <plat/common/platform.h>
 
+#include "juno_ethosn_tzmp1_def.h"
 #include "juno_tzmp1_def.h"
 
 #ifdef JUNO_TZMP1
@@ -79,12 +80,9 @@ static void init_v550(void)
 #endif /* JUNO_TZMP1 */
 
 #ifdef JUNO_ETHOSN_TZMP1
-/*
- * Currently use the default regions defined in ARM_TZC_REGIONS_DEF.
- * See the definition in /include/plat/arm/common/plat_arm.h
- */
+
 static const arm_tzc_regions_info_t juno_ethosn_tzmp1_tzc_regions[] = {
-       ARM_TZC_REGIONS_DEF, /* See define in /include/plat/arm/common/plat_arm.h */
+       JUNO_ETHOSN_TZMP_REGIONS_DEF,
        {},
 };
 
@@ -154,7 +152,15 @@ void plat_arm_security_setup(void)
             (void *)JUNO_AP_TZC_SHARE_DRAM1_END);
 #elif defined(JUNO_ETHOSN_TZMP1)
        arm_tzc400_setup(PLAT_ARM_TZC_BASE, juno_ethosn_tzmp1_tzc_regions);
-       INFO("TZC set up with default settings for NPU TZMP usecase\n");
+       INFO("TZC protected shared memory range for NPU TZMP usecase: %p - %p\n",
+            (void *)JUNO_ETHOSN_NS_DRAM2_BASE,
+            (void *)JUNO_ETHOSN_NS_DRAM2_END);
+       INFO("TZC protected Data memory range for NPU TZMP usecase: %p - %p\n",
+            (void *)JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_BASE,
+            (void *)JUNO_ETHOSN_DATA_TZC_PROT_DRAM2_END);
+       INFO("TZC protected FW memory range for NPU TZMP usecase: %p - %p\n",
+            (void *)JUNO_ETHOSN_FW_TZC_PROT_DRAM2_BASE,
+            (void *)JUNO_ETHOSN_FW_TZC_PROT_DRAM2_END);
 #else
        arm_tzc400_setup(PLAT_ARM_TZC_BASE, NULL);
 #endif