| Message ID | 20251128184125.3220124-1-m-chawdhry@ti.com |
|---|---|
| State | Accepted |
| Delegated to: | Ryan Eatmon |
| Headers | show |
| Series | [meta-ti,scarthgap,v2] trusted-firmware-a/optee-os: Add LPM support on few platforms | expand |
meta-ti / na / 20251128184125.3220124-1-m-chawdhry PRC Results: PASS ========================================================= check-yocto-patches: PASS ========================================================= Patches ---------------------------------------- All patches passed ========================================================= apply-yocto-patch: PASS ========================================================= scarthgap ===================== Summary: - Patch Series: [meta-ti][scarthgap][PATCH v2] trusted-firmware-a/optee-os: Add LPM support on few platforms - Submitter: From: Manorit Chawdhry <m-chawdhry@ti.com> +From: Abhash Kumar Jha <a-kumar2@ti.com> +From: Richard Genoud <richard.genoud@bootlin.com> +From: Abhash Kumar Jha <a-kumar2@ti.com> +From: Prasanth Babu Mantena <p-mantena@ti.com> - Date: Date: Sat, 29 Nov 2025 00:11:25 +0530 +Date: Mon, 20 Oct 2025 11:26:17 +0530 +Date: Tue, 11 Feb 2025 18:20:17 +0100 +Date: Tue, 28 Oct 2025 23:24:22 +0530 +Date: Mon, 3 Nov 2025 12:42:57 +0530 - Num Patches: 1 - Mailing List (public inbox) Commit SHA: 05b2c0da811d5bfe41469fe96455cdc64b5d9f11 Applied to: - Repository: lcpd-prc-meta-ti - Base Branch: scarthgap-wip - Commit Author: Randolph Sapp <rs@ti.com> - Commit Subject: layer: add github MIRRORS definitions - Commit SHA: ea43ed2a3963a6073097711476caa0530745a8e6 Patches ---------------------------------------- All patches applied ========================================================= check-yocto-repo: PASS ========================================================= scarthgap ===================== PASS ========================================================= yocto-check-layers: PASS ========================================================= scarthgap - PASS ===================== All checks passed
This patch failed to apply on scarthgap.
the version of trusted-firmware-a is 2.10.4, the patch is not suitable for this version.
NOTE: Applying patch '0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch' (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch)
NOTE: Applying patch '0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch)
ERROR: Applying patch '0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' on target directory '/build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/git'
CmdError('quilt --quiltrc /build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch 0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch
can't find file to patch at input line 39
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|From c79ff3679a4360bb848b01d4036c365533fcf791 Mon Sep 17 00:00:00 2001
|From: Richard Genoud <richard.genoud@bootlin.com>
|Date: Tue, 11 Feb 2025 18:20:17 +0100
|Subject: [PATCH 2/3] feat(ti): add message to encrypt tfa during suspend
|
|At suspend, BL31 with its context will be encrypted by TIFS in DDR.
|Encryption is needed for security matters, so that the BL31 is not
|modified before entering suspend or early at resume.
|
|We only need the encryption function here because the decryption message
|will be send by the R5 SPL at resume.
|
|Also introduce the LPM_ENCRYPT_IMAGE cap signals that FW has the support
|to encrypt the image using the TISCI_MSG_LPM_ENCRYPT tisci message.
|
|This is useful in suspend to ram cases where we would like to
|store the encrypted image of a secure fw instead of the original image
|itself in the DDR.
|
|Check for LPM_ENCRYPT_IMAGE flag in the FW capabilities, and only then
|call encrypt.
|
|Upstream-Status: Pending
|
|Change-Id: I266472da87dd0821493019b2d9853f8886f33811
|Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
|Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com>
|---
| drivers/ti/ti_sci/ti_sci.c | 36 +++++++++++++++++++++++++++++
| drivers/ti/ti_sci/ti_sci.h | 7 ++++++
| drivers/ti/ti_sci/ti_sci_protocol.h | 32 +++++++++++++++++++++++++
| plat/ti/k3/common/k3_psci.c | 10 ++++++++
| 4 files changed, 85 insertions(+)
|
|diff --git a/drivers/ti/ti_sci/ti_sci.c b/drivers/ti/ti_sci/ti_sci.c
|index f0813e5b0..ee5f7166f 100644
|--- a/drivers/ti/ti_sci/ti_sci.c
|+++ b/drivers/ti/ti_sci/ti_sci.c
--------------------------
No file to patch. Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 83
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/drivers/ti/ti_sci/ti_sci.h b/drivers/ti/ti_sci/ti_sci.h
|index 1f1963274..2afa11317 100644
|--- a/drivers/ti/ti_sci/ti_sci.h
|+++ b/drivers/ti/ti_sci/ti_sci.h
--------------------------
No file to patch. Skipping patch.
2 out of 2 hunks ignored
can't find file to patch at input line 107
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h
|index bdd24622a..a165cda99 100644
|--- a/drivers/ti/ti_sci/ti_sci_protocol.h
|+++ b/drivers/ti/ti_sci/ti_sci_protocol.h
--------------------------
No file to patch. Skipping patch.
3 out of 3 hunks ignored
patching file plat/ti/k3/common/k3_psci.c
Hunk #2 succeeded at 269 with fuzz 1 (offset -14 lines).
Hunk #3 succeeded at 321 (offset -32 lines).
Patch 0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch does not apply (enforce with -f)
On 12/20/2025 9:08 AM, Yan, Haixiao (CN) via lists.yoctoproject.org wrote: > This patch failed to apply on scarthgap. > the version of trusted-firmware-a is 2.10.4, the patch is not suitable for this version. The recipe in meta-ti-bsp that applies this patch, also moves the version to 2.13+. So I'm not sure how you are trying to apply this patch to meta-ti scarthgap against a 2.10 trusted-firmware-a version. Clearly you are trying to do something more than taking meta-ti-bsp scarthgap at face value. Do you have your own layer in your build that is also changing the SRCREV of trusted-firmware-a to a version that might not accept these patches? > NOTE: Applying patch '0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch' (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch) > NOTE: Applying patch '0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch) > ERROR: Applying patch '0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' on target directory '/build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/git' > CmdError('quilt --quiltrc /build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch 0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch > can't find file to patch at input line 39 > Perhaps you used the wrong -p or --strip option? > The text leading up to this was: > -------------------------- > |From c79ff3679a4360bb848b01d4036c365533fcf791 Mon Sep 17 00:00:00 2001 > |From: Richard Genoud <richard.genoud@bootlin.com> > |Date: Tue, 11 Feb 2025 18:20:17 +0100 > |Subject: [PATCH 2/3] feat(ti): add message to encrypt tfa during suspend > | > |At suspend, BL31 with its context will be encrypted by TIFS in DDR. > |Encryption is needed for security matters, so that the BL31 is not > |modified before entering suspend or early at resume. > | > |We only need the encryption function here because the decryption message > |will be send by the R5 SPL at resume. > | > |Also introduce the LPM_ENCRYPT_IMAGE cap signals that FW has the support > |to encrypt the image using the TISCI_MSG_LPM_ENCRYPT tisci message. > | > |This is useful in suspend to ram cases where we would like to > |store the encrypted image of a secure fw instead of the original image > |itself in the DDR. > | > |Check for LPM_ENCRYPT_IMAGE flag in the FW capabilities, and only then > |call encrypt. > | > |Upstream-Status: Pending > | > |Change-Id: I266472da87dd0821493019b2d9853f8886f33811 > |Signed-off-by: Richard Genoud <richard.genoud@bootlin.com> > |Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com> > |--- > | drivers/ti/ti_sci/ti_sci.c | 36 +++++++++++++++++++++++++++++ > | drivers/ti/ti_sci/ti_sci.h | 7 ++++++ > | drivers/ti/ti_sci/ti_sci_protocol.h | 32 +++++++++++++++++++++++++ > | plat/ti/k3/common/k3_psci.c | 10 ++++++++ > | 4 files changed, 85 insertions(+) > | > |diff --git a/drivers/ti/ti_sci/ti_sci.c b/drivers/ti/ti_sci/ti_sci.c > |index f0813e5b0..ee5f7166f 100644 > |--- a/drivers/ti/ti_sci/ti_sci.c > |+++ b/drivers/ti/ti_sci/ti_sci.c > -------------------------- > No file to patch. Skipping patch. > 1 out of 1 hunk ignored > can't find file to patch at input line 83 > Perhaps you used the wrong -p or --strip option? > The text leading up to this was: > -------------------------- > |diff --git a/drivers/ti/ti_sci/ti_sci.h b/drivers/ti/ti_sci/ti_sci.h > |index 1f1963274..2afa11317 100644 > |--- a/drivers/ti/ti_sci/ti_sci.h > |+++ b/drivers/ti/ti_sci/ti_sci.h > -------------------------- > No file to patch. Skipping patch. > 2 out of 2 hunks ignored > can't find file to patch at input line 107 > Perhaps you used the wrong -p or --strip option? > The text leading up to this was: > -------------------------- > |diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h > |index bdd24622a..a165cda99 100644 > |--- a/drivers/ti/ti_sci/ti_sci_protocol.h > |+++ b/drivers/ti/ti_sci/ti_sci_protocol.h > -------------------------- > No file to patch. Skipping patch. > 3 out of 3 hunks ignored > patching file plat/ti/k3/common/k3_psci.c > Hunk #2 succeeded at 269 with fuzz 1 (offset -14 lines). > Hunk #3 succeeded at 321 (offset -32 lines). > Patch 0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch does not apply (enforce with -f)
On 12/21/2025 1:10 AM, Ryan Eatmon via lists.yoctoproject.org wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender > and know the content is safe. > > On 12/20/2025 9:08 AM, Yan, Haixiao (CN) via lists.yoctoproject.org > wrote: >> This patch failed to apply on scarthgap. >> the version of trusted-firmware-a is 2.10.4, the patch is not >> suitable for this version. > > The recipe in meta-ti-bsp that applies this patch, also moves the > version to 2.13+. So I'm not sure how you are trying to apply this > patch to meta-ti scarthgap against a 2.10 trusted-firmware-a version. > > Clearly you are trying to do something more than taking meta-ti-bsp > scarthgap at face value. Do you have your own layer in your build that > is also changing the SRCREV of trusted-firmware-a to a version that > might not accept these patches? > > There is no 2.13+ version trusted-firmware-a on scarthgap. https://git.yoctoproject.org/meta-arm/tree/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb?h=scarthgap $ bitbake-layers show-recipes trusted-firmware-a NOTE: Starting bitbake server... Loading cache: 100% |#####################################################################| Time: 0:00:02 Loaded 15169 entries from dependency cache. === Matching recipes: === trusted-firmware-a: meta-arm 2.10+git $ bitbake-layers show-appends | grep trusted-firmware-a trusted-firmware-a_2.10.4.bb: layers/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend layers/ti-j7xxx/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend trusted-firmware-a_2.10.4.bb (skipped): layers/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend layers/ti-j7xxx/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend Thanks, Haixiao >> NOTE: Applying patch >> '0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch' >> (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch) >> >> NOTE: Applying patch >> '0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' >> (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch) >> ERROR: Applying patch >> '0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' on >> target directory >> '/build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/git' >> CmdError('quilt --quiltrc >> /build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/recipe-sysroot-native/etc/quiltrc >> push', 0, "stdout: Applying patch >> 0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch >> can't find file to patch at input line 39 >> Perhaps you used the wrong -p or --strip option? >> The text leading up to this was: >> -------------------------- >> |From c79ff3679a4360bb848b01d4036c365533fcf791 Mon Sep 17 00:00:00 2001 >> |From: Richard Genoud <richard.genoud@bootlin.com> >> |Date: Tue, 11 Feb 2025 18:20:17 +0100 >> |Subject: [PATCH 2/3] feat(ti): add message to encrypt tfa during >> suspend >> | >> |At suspend, BL31 with its context will be encrypted by TIFS in DDR. >> |Encryption is needed for security matters, so that the BL31 is not >> |modified before entering suspend or early at resume. >> | >> |We only need the encryption function here because the decryption >> message >> |will be send by the R5 SPL at resume. >> | >> |Also introduce the LPM_ENCRYPT_IMAGE cap signals that FW has the >> support >> |to encrypt the image using the TISCI_MSG_LPM_ENCRYPT tisci message. >> | >> |This is useful in suspend to ram cases where we would like to >> |store the encrypted image of a secure fw instead of the original image >> |itself in the DDR. >> | >> |Check for LPM_ENCRYPT_IMAGE flag in the FW capabilities, and only then >> |call encrypt. >> | >> |Upstream-Status: Pending >> | >> |Change-Id: I266472da87dd0821493019b2d9853f8886f33811 >> |Signed-off-by: Richard Genoud <richard.genoud@bootlin.com> >> |Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com> >> |--- >> | drivers/ti/ti_sci/ti_sci.c | 36 +++++++++++++++++++++++++++++ >> | drivers/ti/ti_sci/ti_sci.h | 7 ++++++ >> | drivers/ti/ti_sci/ti_sci_protocol.h | 32 +++++++++++++++++++++++++ >> | plat/ti/k3/common/k3_psci.c | 10 ++++++++ >> | 4 files changed, 85 insertions(+) >> | >> |diff --git a/drivers/ti/ti_sci/ti_sci.c b/drivers/ti/ti_sci/ti_sci.c >> |index f0813e5b0..ee5f7166f 100644 >> |--- a/drivers/ti/ti_sci/ti_sci.c >> |+++ b/drivers/ti/ti_sci/ti_sci.c >> -------------------------- >> No file to patch. Skipping patch. >> 1 out of 1 hunk ignored >> can't find file to patch at input line 83 >> Perhaps you used the wrong -p or --strip option? >> The text leading up to this was: >> -------------------------- >> |diff --git a/drivers/ti/ti_sci/ti_sci.h b/drivers/ti/ti_sci/ti_sci.h >> |index 1f1963274..2afa11317 100644 >> |--- a/drivers/ti/ti_sci/ti_sci.h >> |+++ b/drivers/ti/ti_sci/ti_sci.h >> -------------------------- >> No file to patch. Skipping patch. >> 2 out of 2 hunks ignored >> can't find file to patch at input line 107 >> Perhaps you used the wrong -p or --strip option? >> The text leading up to this was: >> -------------------------- >> |diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h >> b/drivers/ti/ti_sci/ti_sci_protocol.h >> |index bdd24622a..a165cda99 100644 >> |--- a/drivers/ti/ti_sci/ti_sci_protocol.h >> |+++ b/drivers/ti/ti_sci/ti_sci_protocol.h >> -------------------------- >> No file to patch. Skipping patch. >> 3 out of 3 hunks ignored >> patching file plat/ti/k3/common/k3_psci.c >> Hunk #2 succeeded at 269 with fuzz 1 (offset -14 lines). >> Hunk #3 succeeded at 321 (offset -32 lines). >> Patch 0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch >> does not apply (enforce with -f) > > -- > Ryan Eatmon reatmon@ti.com > ----------------------------------------- > Texas Instruments, Inc. - LCPD - MGTS > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#19385): https://lists.yoctoproject.org/g/meta-ti/message/19385 > Mute This Topic: https://lists.yoctoproject.org/mt/116517214/8599992 > Group Owner: meta-ti+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-ti/unsub [Haixiao.Yan.CN@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Sun, Dec 21, 2025 at 08:09:57AM +0800, Yan, Haixiao (CN) via lists.yoctoproject.org wrote: > > On 12/21/2025 1:10 AM, Ryan Eatmon via lists.yoctoproject.org wrote: > >CAUTION: This email comes from a non Wind River email account! > >Do not click links or open attachments unless you recognize the > >sender and know the content is safe. > > > >On 12/20/2025 9:08 AM, Yan, Haixiao (CN) via > >lists.yoctoproject.org wrote: > >>This patch failed to apply on scarthgap. > >>the version of trusted-firmware-a is 2.10.4, the patch is not > >>suitable for this version. > > > >The recipe in meta-ti-bsp that applies this patch, also moves the > >version to 2.13+. So I'm not sure how you are trying to apply this > >patch to meta-ti scarthgap against a 2.10 trusted-firmware-a version. > > > >Clearly you are trying to do something more than taking meta-ti-bsp > >scarthgap at face value. Do you have your own layer in your build that > >is also changing the SRCREV of trusted-firmware-a to a version that > >might not accept these patches? > > > > > > There is no 2.13+ version trusted-firmware-a on scarthgap. > > https://git.yoctoproject.org/meta-arm/tree/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb?h=scarthgap > > $ bitbake-layers show-recipes trusted-firmware-a > NOTE: Starting bitbake server... > Loading cache: 100% |#####################################################################| > Time: 0:00:02 > Loaded 15169 entries from dependency cache. > === Matching recipes: === > trusted-firmware-a: > meta-arm 2.10+git > > $ bitbake-layers show-appends | grep trusted-firmware-a > trusted-firmware-a_2.10.4.bb: > layers/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend ^^^ This bbappend in meta-ti-bsp conditionally includes the following file: https://git.yoctoproject.org/meta-ti/tree/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc?h=scarthgap Which bumps the version from meta-arm to 2.13+, as Ryan explained above. > layers/ti-j7xxx/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend ^^^ I would recommend inspecting this bbappend in your "ti-j7xxx" layer to see if it conflicts with the one in meta-ti-bsp... > trusted-firmware-a_2.10.4.bb (skipped): > layers/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > > layers/ti-j7xxx/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend > > > Thanks, > > Haixiao > > >>NOTE: Applying patch > >>'0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch' (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch) > >> > >>NOTE: Applying patch > >>'0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' (../layers/meta-ti/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch) > >>ERROR: Applying patch > >>'0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch' > >>on target directory '/build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/git' > >>CmdError('quilt --quiltrc /build-ti/tmp-glibc/work/ti_j78xx-wrs-linux/trusted-firmware-a/2.10+git/recipe-sysroot-native/etc/quiltrc > >>push', 0, "stdout: Applying patch > >>0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch > >>can't find file to patch at input line 39 > >>Perhaps you used the wrong -p or --strip option? > >>The text leading up to this was: > >>-------------------------- > >>|From c79ff3679a4360bb848b01d4036c365533fcf791 Mon Sep 17 00:00:00 2001 > >>|From: Richard Genoud <richard.genoud@bootlin.com> > >>|Date: Tue, 11 Feb 2025 18:20:17 +0100 > >>|Subject: [PATCH 2/3] feat(ti): add message to encrypt tfa > >>during suspend > >>| > >>|At suspend, BL31 with its context will be encrypted by TIFS in DDR. > >>|Encryption is needed for security matters, so that the BL31 is not > >>|modified before entering suspend or early at resume. > >>| > >>|We only need the encryption function here because the > >>decryption message > >>|will be send by the R5 SPL at resume. > >>| > >>|Also introduce the LPM_ENCRYPT_IMAGE cap signals that FW has > >>the support > >>|to encrypt the image using the TISCI_MSG_LPM_ENCRYPT tisci message. > >>| > >>|This is useful in suspend to ram cases where we would like to > >>|store the encrypted image of a secure fw instead of the original image > >>|itself in the DDR. > >>| > >>|Check for LPM_ENCRYPT_IMAGE flag in the FW capabilities, and only then > >>|call encrypt. > >>| > >>|Upstream-Status: Pending > >>| > >>|Change-Id: I266472da87dd0821493019b2d9853f8886f33811 > >>|Signed-off-by: Richard Genoud <richard.genoud@bootlin.com> > >>|Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com> > >>|--- > >>| drivers/ti/ti_sci/ti_sci.c | 36 +++++++++++++++++++++++++++++ > >>| drivers/ti/ti_sci/ti_sci.h | 7 ++++++ > >>| drivers/ti/ti_sci/ti_sci_protocol.h | 32 +++++++++++++++++++++++++ > >>| plat/ti/k3/common/k3_psci.c | 10 ++++++++ > >>| 4 files changed, 85 insertions(+) > >>| > >>|diff --git a/drivers/ti/ti_sci/ti_sci.c b/drivers/ti/ti_sci/ti_sci.c > >>|index f0813e5b0..ee5f7166f 100644 > >>|--- a/drivers/ti/ti_sci/ti_sci.c > >>|+++ b/drivers/ti/ti_sci/ti_sci.c > >>-------------------------- > >>No file to patch. Skipping patch. > >>1 out of 1 hunk ignored > >>can't find file to patch at input line 83 > >>Perhaps you used the wrong -p or --strip option? > >>The text leading up to this was: > >>-------------------------- > >>|diff --git a/drivers/ti/ti_sci/ti_sci.h b/drivers/ti/ti_sci/ti_sci.h > >>|index 1f1963274..2afa11317 100644 > >>|--- a/drivers/ti/ti_sci/ti_sci.h > >>|+++ b/drivers/ti/ti_sci/ti_sci.h > >>-------------------------- > >>No file to patch. Skipping patch. > >>2 out of 2 hunks ignored > >>can't find file to patch at input line 107 > >>Perhaps you used the wrong -p or --strip option? > >>The text leading up to this was: > >>-------------------------- > >>|diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h > >>b/drivers/ti/ti_sci/ti_sci_protocol.h > >>|index bdd24622a..a165cda99 100644 > >>|--- a/drivers/ti/ti_sci/ti_sci_protocol.h > >>|+++ b/drivers/ti/ti_sci/ti_sci_protocol.h > >>-------------------------- > >>No file to patch. Skipping patch. > >>3 out of 3 hunks ignored > >>patching file plat/ti/k3/common/k3_psci.c > >>Hunk #2 succeeded at 269 with fuzz 1 (offset -14 lines). > >>Hunk #3 succeeded at 321 (offset -32 lines). > >>Patch > >>0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch > >>does not apply (enforce with -f)
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc index f188f35ee740..27d6924101c4 100644 --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc @@ -1,5 +1,7 @@ # NOTE: This .inc file with customizations only gets included for K3 platforms +FILESEXTRAPATHS:prepend := "${THISDIR}/trusted-firmware-a:" + PV = "2.13+git" LIC_FILES_CHKSUM = "file://docs/license.rst;md5=6ed7bace7b0bc63021c6eba7b524039e" @@ -28,3 +30,14 @@ EXTRA_OEMAKE += "${@ 'BL32_BASE=' + d.getVar('TFA_K3_BL32_BASE') if d.getVar('TF EXTRA_OEMAKE += "${@ 'PRELOADED_BL33_BASE=' + d.getVar('TFA_K3_PRELOADED_BL33') if d.getVar('TFA_K3_PRELOADED_BL33') else ''}" EXTRA_OEMAKE += "${@ 'K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" EXTRA_OEMAKE:append:ti-falcon = " PRELOADED_BL33_BASE=0x82000000 K3_HW_CONFIG_BASE=0x88000000" + +# LPM support patches for Jacinto platforms (J7200, J742S2, J784S4) +TFA_JACINTO_LPM_PATCHES = " \ + file://0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch \ + file://0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch \ + file://0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch \ +" + +SRC_URI:append:j7200 = " ${TFA_JACINTO_LPM_PATCHES}" +SRC_URI:append:j742s2 = " ${TFA_JACINTO_LPM_PATCHES}" +SRC_URI:append:j784s4 = " ${TFA_JACINTO_LPM_PATCHES}" diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch new file mode 100644 index 000000000000..05d930dd3d38 --- /dev/null +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch @@ -0,0 +1,116 @@ +From 3de4f871d9bfe29c3862860e494bfa70ba72af3e Mon Sep 17 00:00:00 2001 +From: Abhash Kumar Jha <a-kumar2@ti.com> +Date: Mon, 20 Oct 2025 11:26:17 +0530 +Subject: [PATCH 1/3] feat(k3): choose cluster_start_id depending on the soc + +The CLUSTER_DEVICE_START_ID denotes the device id of the A-core cluster. +It is utilized when powering off the entire cluster. + +J7200, J721E and J721S2 have a different cluster_start_id than their +"generic" counterparts. + +Query the JTAG_ID register to get the part id and choose the +cluster_start_id depending on that. + +Upstream-Status: Pending + +Change-Id: I44d3ac0ec646c39019e4c0167d34f410015a147a +Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com> +--- + plat/ti/k3/common/k3_bl31_setup.c | 1 + + plat/ti/k3/common/k3_psci.c | 25 ++++++++++++++++++++++++- + plat/ti/k3/include/platform_def.h | 16 ++++++++++++++++ + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/plat/ti/k3/common/k3_bl31_setup.c b/plat/ti/k3/common/k3_bl31_setup.c +index 1b93dc860..79a9c924c 100644 +--- a/plat/ti/k3/common/k3_bl31_setup.c ++++ b/plat/ti/k3/common/k3_bl31_setup.c +@@ -20,6 +20,7 @@ const mmap_region_t plat_k3_mmap[] = { + K3_MAP_REGION_FLAT(SEC_PROXY_RT_BASE, SEC_PROXY_RT_SIZE, MT_DEVICE | MT_RW | MT_SECURE), + K3_MAP_REGION_FLAT(SEC_PROXY_SCFG_BASE, SEC_PROXY_SCFG_SIZE, MT_DEVICE | MT_RW | MT_SECURE), + K3_MAP_REGION_FLAT(SEC_PROXY_DATA_BASE, SEC_PROXY_DATA_SIZE, MT_DEVICE | MT_RW | MT_SECURE), ++ K3_MAP_REGION_FLAT(WKUP_CTRL_MMR0_BASE, WKUP_CTRL_MMR0_SIZE, MT_DEVICE | MT_RW | MT_SECURE), + { /* sentinel */ } + }; + +diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c +index ec37d9f4c..a443dd851 100644 +--- a/plat/ti/k3/common/k3_psci.c ++++ b/plat/ti/k3/common/k3_psci.c +@@ -11,6 +11,8 @@ + #include <common/debug.h> + #include <lib/el3_runtime/cpu_data.h> + #include <lib/psci/psci.h> ++#include <lib/mmio.h> ++#include <lib/utils_def.h> + #include <plat/common/platform.h> + + #include <ti_sci_protocol.h> +@@ -83,6 +85,27 @@ static int k3_pwr_domain_on(u_register_t mpidr) + return PSCI_E_SUCCESS; + } + ++uint32_t get_plat_cluster_start_id() ++{ ++ static uint32_t cluster_id; ++ uint32_t part_id, jtag_id_reg; ++ ++ if (cluster_id) { ++ return cluster_id; ++ } ++ ++ jtag_id_reg = mmio_read_32(WKUP_CTRL_MMR0_BASE + JTAG_ID); ++ part_id = EXTRACT(JTAG_PART_ID, jtag_id_reg); ++ ++ if ((part_id == J7200_PART_ID) || (part_id == J721E_PART_ID) || (part_id == J721S2_PART_ID)) { ++ cluster_id = J7_PLAT_CLUSTER_DEVICE_START_ID; ++ } else { ++ cluster_id = PLAT_CLUSTER_DEVICE_START_ID; ++ } ++ ++ return cluster_id; ++} ++ + void k3_pwr_domain_off(const psci_power_state_t *target_state) + { + int core, cluster, proc_id, device_id, cluster_id, ret; +@@ -97,7 +120,7 @@ void k3_pwr_domain_off(const psci_power_state_t *target_state) + cluster = MPIDR_AFFLVL1_VAL(read_mpidr_el1()); + proc_id = PLAT_PROC_START_ID + core; + device_id = PLAT_PROC_DEVICE_START_ID + core; +- cluster_id = PLAT_CLUSTER_DEVICE_START_ID + (cluster * 2); ++ cluster_id = get_plat_cluster_start_id() + (cluster * 2); + + /* + * If we are the last core in the cluster then we take a reference to +diff --git a/plat/ti/k3/include/platform_def.h b/plat/ti/k3/include/platform_def.h +index db5e31d95..d191781a6 100644 +--- a/plat/ti/k3/include/platform_def.h ++++ b/plat/ti/k3/include/platform_def.h +@@ -25,6 +25,22 @@ + #define SEC_PROXY_RT_SIZE 0x80000 + #endif /* K3_SEC_PROXY_LITE */ + ++#define WKUP_CTRL_MMR0_BASE UL(0x43000000) ++#define WKUP_CTRL_MMR0_SIZE UL(0x20000) ++#define JTAG_ID U(0x14) ++#define JTAG_PART_ID_MASK GENMASK(27, 12) ++ ++#define J721E_PART_ID U(0xBB64) ++#define J7200_PART_ID U(0xBB6D) ++#define J721S2_PART_ID U(0xBB75) ++#define J784S4_J742S2_PART_ID U(0xBB80) ++ ++#define JTAG_PART_ID_WIDTH U(0x10) ++#define JTAG_PART_ID_SHIFT U(0xC) ++ ++/* A-core Cluster Device ID for j721e, j7200 and j721s2 */ ++#define J7_PLAT_CLUSTER_DEVICE_START_ID U(0x4) ++ + #define SEC_PROXY_TIMEOUT_US 1000000 + #define SEC_PROXY_MAX_MESSAGE_SIZE 56 + +-- +2.34.1 + diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch new file mode 100644 index 000000000000..1a0cf0334715 --- /dev/null +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch @@ -0,0 +1,195 @@ +From c79ff3679a4360bb848b01d4036c365533fcf791 Mon Sep 17 00:00:00 2001 +From: Richard Genoud <richard.genoud@bootlin.com> +Date: Tue, 11 Feb 2025 18:20:17 +0100 +Subject: [PATCH 2/3] feat(ti): add message to encrypt tfa during suspend + +At suspend, BL31 with its context will be encrypted by TIFS in DDR. +Encryption is needed for security matters, so that the BL31 is not +modified before entering suspend or early at resume. + +We only need the encryption function here because the decryption message +will be send by the R5 SPL at resume. + +Also introduce the LPM_ENCRYPT_IMAGE cap signals that FW has the support +to encrypt the image using the TISCI_MSG_LPM_ENCRYPT tisci message. + +This is useful in suspend to ram cases where we would like to +store the encrypted image of a secure fw instead of the original image +itself in the DDR. + +Check for LPM_ENCRYPT_IMAGE flag in the FW capabilities, and only then +call encrypt. + +Upstream-Status: Pending + +Change-Id: I266472da87dd0821493019b2d9853f8886f33811 +Signed-off-by: Richard Genoud <richard.genoud@bootlin.com> +Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com> +--- + drivers/ti/ti_sci/ti_sci.c | 36 +++++++++++++++++++++++++++++ + drivers/ti/ti_sci/ti_sci.h | 7 ++++++ + drivers/ti/ti_sci/ti_sci_protocol.h | 32 +++++++++++++++++++++++++ + plat/ti/k3/common/k3_psci.c | 10 ++++++++ + 4 files changed, 85 insertions(+) + +diff --git a/drivers/ti/ti_sci/ti_sci.c b/drivers/ti/ti_sci/ti_sci.c +index f0813e5b0..ee5f7166f 100644 +--- a/drivers/ti/ti_sci/ti_sci.c ++++ b/drivers/ti/ti_sci/ti_sci.c +@@ -1784,3 +1784,39 @@ int ti_sci_lpm_get_next_sys_mode(uint8_t *next_mode) + + return 0; + } ++/* ++ * ti_sci_encrypt_tfa - Ask TIFS to encrypt TFA at a specific address ++ * ++ * @src_tfa_addr: Address where the TFA lies unencrypted ++ * @src_tfa_len: Size of the TFA unencrypted ++ * ++ * Return: 0 if all goes well, else appropriate error message ++ */ ++int ti_sci_encrypt_tfa(uint64_t src_tfa_addr, ++ uint32_t src_tfa_len) ++{ ++ struct ti_sci_msg_req_encrypt_tfa req = { 0 }; ++ struct ti_sci_msg_resp_encrypt_tfa resp = { 0 }; ++ struct ti_sci_xfer xfer; ++ int ret; ++ ++ ret = ti_sci_setup_one_xfer(TISCI_MSG_LPM_ENCRYPT_TFA, 0, ++ &req, sizeof(req), ++ &resp, sizeof(resp), ++ &xfer); ++ if (ret != 0U) { ++ ERROR("Message alloc failed (%d)\n", ret); ++ return ret; ++ } ++ ++ req.src_tfa_addr = src_tfa_addr; ++ req.src_tfa_len = src_tfa_len; ++ ++ ret = ti_sci_do_xfer(&xfer); ++ if (ret != 0U) { ++ ERROR("Transfer send failed (%d)\n", ret); ++ return ret; ++ } ++ ++ return 0; ++} +diff --git a/drivers/ti/ti_sci/ti_sci.h b/drivers/ti/ti_sci/ti_sci.h +index 1f1963274..2afa11317 100644 +--- a/drivers/ti/ti_sci/ti_sci.h ++++ b/drivers/ti/ti_sci/ti_sci.h +@@ -258,6 +258,11 @@ int ti_sci_proc_wait_boot_status_no_wait(uint8_t proc_id, + * + * Return: 0 if all goes well, else appropriate error message + * ++ * - ti_sci_encrypt_tfa - Ask TIFS to encrypt TFA at a specific address ++ * ++ * @src_tfa_addr: Address where the TFA lies unencrypted ++ * @src_tfa_len: Size of the TFA unencrypted ++ * + * NOTE: for all these functions, the following are generic in nature: + * Returns 0 for successful request, else returns corresponding error message. + */ +@@ -265,5 +270,7 @@ int ti_sci_enter_sleep(uint8_t proc_id, + uint8_t mode, + uint64_t core_resume_addr); + int ti_sci_lpm_get_next_sys_mode(uint8_t *next_mode); ++int ti_sci_encrypt_tfa(uint64_t src_tfa_addr, ++ uint32_t src_tfa_len); + + #endif /* TI_SCI_H */ +diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h +index bdd24622a..a165cda99 100644 +--- a/drivers/ti/ti_sci/ti_sci_protocol.h ++++ b/drivers/ti/ti_sci/ti_sci_protocol.h +@@ -53,6 +53,9 @@ + #define TISCI_MSG_GET_PROC_BOOT_STATUS 0xc400 + #define TISCI_MSG_WAIT_PROC_BOOT_STATUS 0xc401 + ++/* TFA encrypt/decrypt messages */ ++#define TISCI_MSG_LPM_ENCRYPT_TFA 0x030F ++ + /** + * struct ti_sci_secure_msg_hdr - Header that prefixes all TISCI messages sent + * via secure transport. +@@ -160,6 +163,7 @@ struct ti_sci_msg_resp_query_fw_caps { + #define MSG_FLAG_CAPS_LPM_STANDBY TI_SCI_MSG_FLAG(3) + #define MSG_FLAG_CAPS_LPM_PARTIAL_IO TI_SCI_MSG_FLAG(4) + #define MSG_FLAG_CAPS_LPM_DM_MANAGED TI_SCI_MSG_FLAG(5) ++#define MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE TI_SCI_MSG_FLAG(11) + uint64_t fw_caps; + } __packed; + +@@ -810,4 +814,32 @@ struct ti_sci_msg_resp_lpm_get_next_sys_mode { + uint8_t mode; + } __packed; + ++/* ++ * struct ti_sci_msg_req_encrypt_tfa - Request for TISCI_MSG_LPM_ENCRYPT_TFA. ++ * ++ * @hdr Generic Header ++ * @src_tfa_addr: Address where the TFA lies unencrypted ++ * @src_tfa_len: Size of the TFA unencrypted ++ * ++ * This message is to be sent when the system is going in suspend, just before ++ * TI_SCI_MSG_ENTER_SLEEP. ++ * The TIFS will then encrypt the TFA and store it in RAM, along with a private ++ * header. ++ * Upon resume, the SPL will ask TIFS to decrypt it back. ++ */ ++struct ti_sci_msg_req_encrypt_tfa { ++ struct ti_sci_msg_hdr hdr; ++ uint64_t src_tfa_addr; ++ uint32_t src_tfa_len; ++} __packed; ++ ++/* ++ * struct ti_sci_msg_req_encrypt_tfa - Request for TISCI_MSG_LPM_ENCRYPT_TFA. ++ * ++ * @hdr Generic Header ++ */ ++struct ti_sci_msg_resp_encrypt_tfa { ++ struct ti_sci_msg_hdr hdr; ++} __packed; ++ + #endif /* TI_SCI_PROTOCOL_H */ +diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c +index a443dd851..c2017666b 100644 +--- a/plat/ti/k3/common/k3_psci.c ++++ b/plat/ti/k3/common/k3_psci.c +@@ -24,6 +24,7 @@ + #define SYSTEM_PWR_STATE(state) ((state)->pwr_domain_state[PLAT_MAX_PWR_LVL]) + + uintptr_t k3_sec_entrypoint; ++bool encrypt_image; + + static void k3_cpu_standby(plat_local_state_t cpu_state) + { +@@ -282,6 +283,11 @@ static void k3_pwr_domain_suspend_to_mode(const psci_power_state_t *target_state + k3_gic_cpuif_disable(); + k3_gic_save_context(); + ++ if (encrypt_image) ++ { ++ ti_sci_encrypt_tfa((uint64_t)__TEXT_START__, BL31_SIZE); ++ } ++ + k3_pwr_domain_off(target_state); + + ti_sci_enter_sleep(proc_id, mode, k3_sec_entrypoint); +@@ -347,6 +353,10 @@ int plat_setup_psci_ops(uintptr_t sec_entrypoint, + ERROR("Unable to query firmware capabilities (%d)\n", ret); + } + ++ if (fw_caps & MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE) { ++ encrypt_image = true; ++ } ++ + /* If firmware does not support any known suspend mode */ + if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP | + MSG_FLAG_CAPS_LPM_MCU_ONLY | +-- +2.34.1 + diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch new file mode 100644 index 000000000000..b91b336e0778 --- /dev/null +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch @@ -0,0 +1,69 @@ +From 470cf022d03e350beab36605d4250944d2c92ffe Mon Sep 17 00:00:00 2001 +From: Abhash Kumar Jha <a-kumar2@ti.com> +Date: Tue, 28 Oct 2025 23:24:22 +0530 +Subject: [PATCH 3/3] feat(k3): handle suspend in case of LPM_BOARDCFG_MANAGED + +The J7 platforms support LPM_BOARDCFG_MANAGED capability where the +low power mode configuration is done statically for the DM via the +pm-boardcfg. + +This is entirely opposite to the case of DM_MANAGED, where the DM fw +decides the low power mode to enter into. + +Introduce LPM_BOARDCFG_MANAGED cap to handle suspend for those +platforms as well. + +Upstream-Status: Pending + +Change-Id: Iaa0ab478cbe0db6652f61e9d733c0fddb4bab234 +Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com> +--- + drivers/ti/ti_sci/ti_sci_protocol.h | 1 + + plat/ti/k3/common/k3_psci.c | 13 ++++++++----- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h +index a165cda99..b83174b0d 100644 +--- a/drivers/ti/ti_sci/ti_sci_protocol.h ++++ b/drivers/ti/ti_sci/ti_sci_protocol.h +@@ -164,6 +164,7 @@ struct ti_sci_msg_resp_query_fw_caps { + #define MSG_FLAG_CAPS_LPM_PARTIAL_IO TI_SCI_MSG_FLAG(4) + #define MSG_FLAG_CAPS_LPM_DM_MANAGED TI_SCI_MSG_FLAG(5) + #define MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE TI_SCI_MSG_FLAG(11) ++#define MSG_FLAG_CAPS_LPM_BOARDCFG_MANAGED TI_SCI_MSG_FLAG(12) + uint64_t fw_caps; + } __packed; + +diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c +index c2017666b..9cf41b4cb 100644 +--- a/plat/ti/k3/common/k3_psci.c ++++ b/plat/ti/k3/common/k3_psci.c +@@ -357,17 +357,20 @@ int plat_setup_psci_ops(uintptr_t sec_entrypoint, + encrypt_image = true; + } + +- /* If firmware does not support any known suspend mode */ +- if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP | ++ /* If firmware is capabale of low power modes */ ++ if (fw_caps & (MSG_FLAG_CAPS_LPM_DM_MANAGED | ++ MSG_FLAG_CAPS_LPM_BOARDCFG_MANAGED)) { ++ k3_plat_psci_ops.pwr_domain_suspend = k3_pwr_domain_suspend_dm_managed; ++ } else if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP | + MSG_FLAG_CAPS_LPM_MCU_ONLY | + MSG_FLAG_CAPS_LPM_STANDBY | + MSG_FLAG_CAPS_LPM_PARTIAL_IO))) { +- /* Disable PSCI suspend support */ ++ /* If firmware does not support any known suspend mode ++ * disable PSCI suspend support ++ */ + k3_plat_psci_ops.pwr_domain_suspend = NULL; + k3_plat_psci_ops.pwr_domain_suspend_finish = NULL; + k3_plat_psci_ops.get_sys_suspend_power_state = NULL; +- } else if (fw_caps & MSG_FLAG_CAPS_LPM_DM_MANAGED) { +- k3_plat_psci_ops.pwr_domain_suspend = k3_pwr_domain_suspend_dm_managed; + } + + *psci_ops = &k3_plat_psci_ops; +-- +2.34.1 + diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc index 61a74a069886..d636ae006216 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc @@ -1,6 +1,8 @@ # Use TI SECDEV for signing inherit ti-secdev +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:" + EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" @@ -76,3 +78,12 @@ RDEPENDS:${PN} += "${PN}-ta" # This is needed for bl32.elf INSANE_SKIP:${PN}:append:k3 = " textrel" + +# LPM support patch for Jacinto platforms (J7200, J742S2, J784S4) +OPTEE_JACINTO_LPM_PATCHES = " \ + file://0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch \ +" + +SRC_URI:append:j7200 = " ${OPTEE_JACINTO_LPM_PATCHES}" +SRC_URI:append:j742s2 = " ${OPTEE_JACINTO_LPM_PATCHES}" +SRC_URI:append:j784s4 = " ${OPTEE_JACINTO_LPM_PATCHES}" diff --git a/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch b/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch new file mode 100644 index 000000000000..a19fe1036470 --- /dev/null +++ b/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch @@ -0,0 +1,46 @@ +From 00f74ba2ab00088d51e6da3c0eefe50599ef5c82 Mon Sep 17 00:00:00 2001 +From: Prasanth Babu Mantena <p-mantena@ti.com> +Date: Mon, 3 Nov 2025 12:42:57 +0530 +Subject: [PATCH] plat-k3: drivers: Open TRNG firewall for TIFS on all k3 devs + +On k3 devices, TRNG is firewalled to be accessed only by OPTEE. + +TIFS needs this for the encryption and decryption services to support +different low power modes. So, open firewall to TIFS as well. + +There is no concurrent usage of TRNG, as TIFS uses TRNG only at suspend +when OPTEE is down and resume, when firewalls are restored but OPTEE is +not up yet. + +As this is a firewall that required to be shared along with TIFS on all +devices, making this a common change and open on all devs. + +Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/7582] + +Signed-off-by: Prasanth Babu Mantena <p-mantena@ti.com> +Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com> +Reviewed-by: Andrew Davis <afd@ti.com> +--- + core/arch/arm/plat-k3/drivers/sa2ul.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/core/arch/arm/plat-k3/drivers/sa2ul.c b/core/arch/arm/plat-k3/drivers/sa2ul.c +index c50757b2c..e10bde131 100644 +--- a/core/arch/arm/plat-k3/drivers/sa2ul.c ++++ b/core/arch/arm/plat-k3/drivers/sa2ul.c +@@ -121,12 +121,7 @@ static TEE_Result sa2ul_init(void) + start_address = RNG_BASE; + end_address = RNG_BASE + RNG_REG_SIZE - 1; + permissions[num_perm++] = (FW_BIG_ARM_PRIVID << 16) | FW_SECURE_ONLY; +-#if defined(PLATFORM_FLAVOR_am62x) || \ +- defined(PLATFORM_FLAVOR_am62ax) || \ +- defined(PLATFORM_FLAVOR_am62px) +- + permissions[num_perm++] = (FW_TIFS_PRIVID << 16) | FW_NON_SECURE; +-#endif + ret = ti_sci_set_fwl_region(fwl_id, rng_region, num_perm, + control, permissions, + start_address, end_address); +-- +2.34.1 +
Adds the required TF-A and OP-TEE patches to enable LPM support on J7200, J784s4, J742s2. Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com> --- v1->v2: Ryan: - Variablized the repeated patchfiles - Remove the meta-ti-bsp prefix .../trusted-firmware-a-ti.inc | 13 ++ ...luster_start_id-depending-on-the-soc.patch | 116 +++++++++++ ...essage-to-encrypt-tfa-during-suspend.patch | 195 ++++++++++++++++++ ...uspend-in-case-of-LPM_BOARDCFG_MANAG.patch | 69 +++++++ .../optee/optee-os-ti-overrides.inc | 11 + ...Open-TRNG-firewall-for-TIFS-on-all-k.patch | 46 +++++ 6 files changed, 450 insertions(+) create mode 100644 meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch create mode 100644 meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch create mode 100644 meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch create mode 100644 meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch