From patchwork Fri Nov 28 18:41:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Manorit Chawdhry X-Patchwork-Id: 75559 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83669D116EA for ; Fri, 28 Nov 2025 18:41:50 +0000 (UTC) Received: from CH4PR04CU002.outbound.protection.outlook.com (CH4PR04CU002.outbound.protection.outlook.com [40.107.201.17]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1712.1764355304667597083 for ; Fri, 28 Nov 2025 10:41:45 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@ti.com header.s=selector1 header.b=q8Sr2H1t; spf=permerror, err=parse error for token &{10 18 spf.protection.outlook.com}: limit exceeded (domain: ti.com, ip: 40.107.201.17, mailfrom: m-chawdhry@ti.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=rKzr0z7xMcqIBZt/ebCFxEyreUWwsvSVnLczKjy0QTLEG0ad30CLB5qrgFWZkU+yuacSGjNHyYipVqu8008g2yREQ0PDbSkwmGAt3gYhqaPmnVCxPtDsxRH13JdvQx7EID9JFLopiubzg+fDNhWKvtv/o4XEBPrjahuTwpr6t7TJdpoE+rvO0XI/Q3mLBexGvaRHz8wn4NuXqIpnO6qCyukC95wyDQsR8eWnBrsIqOXju9zTLlSxunDbB01MQqH52aGe/LFirOwN2GIuCLH7IAHzvbU4DmfO3lUKchzc2a6jRYzJoMpGCK3B5DAQQcu5HG/9jkBMZ14XmjcN1i2vJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IaF90wetyrhwVotFZkWzHr51E7//6Dq3GvdgHobcaw8=; b=UAOGVYs6i3wsGk6WyK3/TK3tOwkfOijS4zKWpqHEwHihmC8LZyrjJjz5f8FdVbcKq6pYWS/3ioIXe7FQf84IwhuhZ93hY/9nTjFshQD+Vd6KVkpzYFX1uHF5kgesxlnMm9GO6Q+GVhTG0xsT0kwAa0/QCPlCsNCJuNlxi3v5eUprBdQVUo3gjevAzbGqUDBSpUg+ttKgKUeum45PkrwewMyiUzwvjcaJObO6HF03qBAuL5PNmajzGGV0IypndIFysIpMcGfTJGgLrt3bGYTFTk6TBGnvW3ZDChpUakYnZDqC9QfzOG5wfzyHGknf7LGYvtTGYqQfPJKT4CCFdRcohA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 198.47.21.195) smtp.rcpttodomain=lists.yoctoproject.org smtp.mailfrom=ti.com; dmarc=pass (p=quarantine sp=none pct=100) action=none header.from=ti.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IaF90wetyrhwVotFZkWzHr51E7//6Dq3GvdgHobcaw8=; b=q8Sr2H1tRMgnG99mkutviD+cP/rgtHm36x+iK2KuxiTFcy3mdqkssdMugi7KZebs9OYTjy3lC3UqR3UxWo8nP5b+08fi19zxqqI7/H4jT9Xxpz9eP/qwQMknAhuq4fhxzIR1L7ZU2dUZaQQ0Z8PeUKCIAWMevkbl8swGefhSQJ4= Received: from CH0PR03CA0420.namprd03.prod.outlook.com (2603:10b6:610:11b::25) by SA1PR10MB997558.namprd10.prod.outlook.com (2603:10b6:806:4ba::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.17; Fri, 28 Nov 2025 18:41:42 +0000 Received: from CH2PEPF00000149.namprd02.prod.outlook.com (2603:10b6:610:11b:cafe::fe) by CH0PR03CA0420.outlook.office365.com (2603:10b6:610:11b::25) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9366.17 via Frontend Transport; Fri, 28 Nov 2025 18:41:21 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 198.47.21.195) smtp.mailfrom=ti.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=ti.com; Received-SPF: Pass (protection.outlook.com: domain of ti.com designates 198.47.21.195 as permitted sender) receiver=protection.outlook.com; client-ip=198.47.21.195; helo=flwvzet201.ext.ti.com; pr=C Received: from flwvzet201.ext.ti.com (198.47.21.195) by CH2PEPF00000149.mail.protection.outlook.com (10.167.244.106) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9388.8 via Frontend Transport; Fri, 28 Nov 2025 18:41:40 +0000 Received: from DFLE200.ent.ti.com (10.64.6.58) by flwvzet201.ext.ti.com (10.248.192.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Fri, 28 Nov 2025 12:41:36 -0600 Received: from DFLE214.ent.ti.com (10.64.6.72) by DFLE200.ent.ti.com (10.64.6.58) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Fri, 28 Nov 2025 12:41:36 -0600 Received: from lelvem-mr05.itg.ti.com (10.180.75.9) by DFLE214.ent.ti.com (10.64.6.72) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20 via Frontend Transport; Fri, 28 Nov 2025 12:41:36 -0600 Received: from uda0497581-HP.dhcp.ti.com (uda0497581-hp.dhcp.ti.com [172.24.234.240]) by lelvem-mr05.itg.ti.com (8.18.1/8.18.1) with ESMTP id 5ASIfXqf713913; Fri, 28 Nov 2025 12:41:33 -0600 From: Manorit Chawdhry To: , Ryan Eatmon CC: Aniket Limaye , Praneeth Bajjuri , "Denys Dmytriyenko" , Udit Kumar , Manorit Chawdhry , Hari Prasath Gujulan Elango Subject: [meta-ti][scarthgap][PATCH v2] trusted-firmware-a/optee-os: Add LPM support on few platforms Date: Sat, 29 Nov 2025 00:11:25 +0530 Message-ID: <20251128184125.3220124-1-m-chawdhry@ti.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-C2ProcessedOrg: 333ef613-75bf-4e12-a4b1-8e3623f5dcea X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PEPF00000149:EE_|SA1PR10MB997558:EE_ X-MS-Office365-Filtering-Correlation-Id: e0e99cf5-338b-4fd8-a00d-08de2eadc56f X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|36860700013|376014|82310400026|1800799024; X-Microsoft-Antispam-Message-Info: /JIUejP7PBoTHqpjVcWNYxCIdRNpZZKwjdolt/zOnS+BQvskOBwZvuFB45ioCoJQeU4ZA9Om3yUEW4QBs/J2biK3Sb/Gho4FqexzCGkNUZXj1l127f6ZC1xi7jKXCH71UDJhAGjasnW8VZJf4mXOVomOM5XjRAY93d56YYqP6ACJaWbBsO/bNu6k/jGiW/JDE7KnBMA7a+3BM9tO5K+LYYvmJ8KFRruKj3wORddsSytnA8Yp41nAq6LCWtNL/13oHYh8HkDeFjS+XZUGL//bCLGHV0ogQYaB/sZTogudwMKdl9wUNq/7jQLo/Uo/ozSOJJ5RnDhKNF4sEt7RYf6E0M+K82aSHxGeaSBSuFuYSxnNxueRBpGaHK18jYvzdsYsZUsxKaD0w6NjFmRjtEr8tXz+6lAHVuJ8MUCTWS/5WsKL6PiidB9AHxP8jxK/lIlu7WZdN3+eZxzPPEMmTW9l+iuv6W/vgTwdqNtJrIogZRyV8isWQ8pTlZzu6rUncbAyjmddkwlqaeV7X8etJgvG235X1GmIjpWtKD9gwz5bC+O8xRBT4VMQ5o+qfqFq47jGlxY9CJapydC4jNWm94pvfiwnok8FK06MQGgsJl1NueVqcnOJx+roh9e926VK9SGf5YBVQx3UFvBa/PUkwxlESaySt2QNVSofls7DrXdaxTe2QQsGBVjJY2NhzqJlm7LljDWb7dr6h1D+O3LLtXVlyED5sBIiK9kTs5VN5zyWWNiulu/DyZx3VitZSELbImFeiZ4rigPwjvd2FivU8HER/7EHeRRjX+Vl756kwAEZtCrCELY6fz7J+purKI2T5rZNn0ojnQogFlTXoS3N5ZRPcH/OdE3qASU9E7t+3cdkBPAW35uvNSbEaXDcaapdPcmeHFb4Z3uTOm7euvLqXCz/v19gPWroVT06n5L5E9mYbjN+H6Ce+UDhfHQxCln71gcQfnwWG6xzR9UQz3ZX6I85U5dto5ENguOCRaO8GsJ0ogvwmEM+9w131SONbdHbA7YJvZFLxIJvkHwrLLWNW7EH7gZyR86BmIO8dZaO5FhfEhgu3ilpVyf3FOhEPQQ5L9NYvG65VJ5RbV7To41x0EiGfmxNSv2XTQfEBJZ0Z51ApOAr+FtRr4vlN+a1a0NQwQ7CC9VNsSiqCBvy3Sfvq6w0l7HCNtT7kiI7WwzHDucdAc0Ms8lz3z0Ej5z8A0birnGDwZI6NHqUVtz4ZD3akYWm7UBLD7WA7oxr/iJXVpQ+IVTQ83TN/L5NkVFF7cHZkP+9oA2S/ALr5iTY0IZK4OaIV9txQHqCGjWxol/ewFjJV2lzhYJvHpQ2oVz/+G9KF7ifJdz9hGMW2rt3Avof//d77a/NOjKvZnx7qPweC2HJ7yk1kHKEc9YqOwFWoSneFnqYutAo+7D3Q1qE/2ODYqbwlYZq+IPK2DNGJbzylFlDL5O/PA8TVWOITiWAc91OKF4TlTofpW3t/S1pW2mxgAKYKC7uFtXD5oemBD4M+UtaUEcXp4F6F8auLJQGej5/k4kZxyK+w1gZwt7ZI6JnjqqG8O1rhaiTGjU8ktI/PUG1LVI= X-Forefront-Antispam-Report: CIP:198.47.21.195;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:flwvzet201.ext.ti.com;PTR:ErrorRetry;CAT:NONE;SFS:(13230040)(36860700013)(376014)(82310400026)(1800799024);DIR:OUT;SFP:1101; X-OriginatorOrg: ti.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Nov 2025 18:41:40.9105 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: e0e99cf5-338b-4fd8-a00d-08de2eadc56f X-MS-Exchange-CrossTenant-Id: e5b49634-450b-4709-8abb-1e2b19b982b7 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=e5b49634-450b-4709-8abb-1e2b19b982b7;Ip=[198.47.21.195];Helo=[flwvzet201.ext.ti.com] X-MS-Exchange-CrossTenant-AuthSource: CH2PEPF00000149.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR10MB997558 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 18:41:50 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-ti/message/19306 Adds the required TF-A and OP-TEE patches to enable LPM support on J7200, J784s4, J742s2. Signed-off-by: Manorit Chawdhry --- v1->v2: Ryan: - Variablized the repeated patchfiles - Remove the meta-ti-bsp prefix .../trusted-firmware-a-ti.inc | 13 ++ ...luster_start_id-depending-on-the-soc.patch | 116 +++++++++++ ...essage-to-encrypt-tfa-during-suspend.patch | 195 ++++++++++++++++++ ...uspend-in-case-of-LPM_BOARDCFG_MANAG.patch | 69 +++++++ .../optee/optee-os-ti-overrides.inc | 11 + ...Open-TRNG-firewall-for-TIFS-on-all-k.patch | 46 +++++ 6 files changed, 450 insertions(+) create mode 100644 meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch create mode 100644 meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch create mode 100644 meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch create mode 100644 meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc index f188f35ee740..27d6924101c4 100644 --- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc @@ -1,5 +1,7 @@ # NOTE: This .inc file with customizations only gets included for K3 platforms +FILESEXTRAPATHS:prepend := "${THISDIR}/trusted-firmware-a:" + PV = "2.13+git" LIC_FILES_CHKSUM = "file://docs/license.rst;md5=6ed7bace7b0bc63021c6eba7b524039e" @@ -28,3 +30,14 @@ EXTRA_OEMAKE += "${@ 'BL32_BASE=' + d.getVar('TFA_K3_BL32_BASE') if d.getVar('TF EXTRA_OEMAKE += "${@ 'PRELOADED_BL33_BASE=' + d.getVar('TFA_K3_PRELOADED_BL33') if d.getVar('TFA_K3_PRELOADED_BL33') else ''}" EXTRA_OEMAKE += "${@ 'K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}" EXTRA_OEMAKE:append:ti-falcon = " PRELOADED_BL33_BASE=0x82000000 K3_HW_CONFIG_BASE=0x88000000" + +# LPM support patches for Jacinto platforms (J7200, J742S2, J784S4) +TFA_JACINTO_LPM_PATCHES = " \ + file://0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch \ + file://0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch \ + file://0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch \ +" + +SRC_URI:append:j7200 = " ${TFA_JACINTO_LPM_PATCHES}" +SRC_URI:append:j742s2 = " ${TFA_JACINTO_LPM_PATCHES}" +SRC_URI:append:j784s4 = " ${TFA_JACINTO_LPM_PATCHES}" diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch new file mode 100644 index 000000000000..05d930dd3d38 --- /dev/null +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch @@ -0,0 +1,116 @@ +From 3de4f871d9bfe29c3862860e494bfa70ba72af3e Mon Sep 17 00:00:00 2001 +From: Abhash Kumar Jha +Date: Mon, 20 Oct 2025 11:26:17 +0530 +Subject: [PATCH 1/3] feat(k3): choose cluster_start_id depending on the soc + +The CLUSTER_DEVICE_START_ID denotes the device id of the A-core cluster. +It is utilized when powering off the entire cluster. + +J7200, J721E and J721S2 have a different cluster_start_id than their +"generic" counterparts. + +Query the JTAG_ID register to get the part id and choose the +cluster_start_id depending on that. + +Upstream-Status: Pending + +Change-Id: I44d3ac0ec646c39019e4c0167d34f410015a147a +Signed-off-by: Abhash Kumar Jha +--- + plat/ti/k3/common/k3_bl31_setup.c | 1 + + plat/ti/k3/common/k3_psci.c | 25 ++++++++++++++++++++++++- + plat/ti/k3/include/platform_def.h | 16 ++++++++++++++++ + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/plat/ti/k3/common/k3_bl31_setup.c b/plat/ti/k3/common/k3_bl31_setup.c +index 1b93dc860..79a9c924c 100644 +--- a/plat/ti/k3/common/k3_bl31_setup.c ++++ b/plat/ti/k3/common/k3_bl31_setup.c +@@ -20,6 +20,7 @@ const mmap_region_t plat_k3_mmap[] = { + K3_MAP_REGION_FLAT(SEC_PROXY_RT_BASE, SEC_PROXY_RT_SIZE, MT_DEVICE | MT_RW | MT_SECURE), + K3_MAP_REGION_FLAT(SEC_PROXY_SCFG_BASE, SEC_PROXY_SCFG_SIZE, MT_DEVICE | MT_RW | MT_SECURE), + K3_MAP_REGION_FLAT(SEC_PROXY_DATA_BASE, SEC_PROXY_DATA_SIZE, MT_DEVICE | MT_RW | MT_SECURE), ++ K3_MAP_REGION_FLAT(WKUP_CTRL_MMR0_BASE, WKUP_CTRL_MMR0_SIZE, MT_DEVICE | MT_RW | MT_SECURE), + { /* sentinel */ } + }; + +diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c +index ec37d9f4c..a443dd851 100644 +--- a/plat/ti/k3/common/k3_psci.c ++++ b/plat/ti/k3/common/k3_psci.c +@@ -11,6 +11,8 @@ + #include + #include + #include ++#include ++#include + #include + + #include +@@ -83,6 +85,27 @@ static int k3_pwr_domain_on(u_register_t mpidr) + return PSCI_E_SUCCESS; + } + ++uint32_t get_plat_cluster_start_id() ++{ ++ static uint32_t cluster_id; ++ uint32_t part_id, jtag_id_reg; ++ ++ if (cluster_id) { ++ return cluster_id; ++ } ++ ++ jtag_id_reg = mmio_read_32(WKUP_CTRL_MMR0_BASE + JTAG_ID); ++ part_id = EXTRACT(JTAG_PART_ID, jtag_id_reg); ++ ++ if ((part_id == J7200_PART_ID) || (part_id == J721E_PART_ID) || (part_id == J721S2_PART_ID)) { ++ cluster_id = J7_PLAT_CLUSTER_DEVICE_START_ID; ++ } else { ++ cluster_id = PLAT_CLUSTER_DEVICE_START_ID; ++ } ++ ++ return cluster_id; ++} ++ + void k3_pwr_domain_off(const psci_power_state_t *target_state) + { + int core, cluster, proc_id, device_id, cluster_id, ret; +@@ -97,7 +120,7 @@ void k3_pwr_domain_off(const psci_power_state_t *target_state) + cluster = MPIDR_AFFLVL1_VAL(read_mpidr_el1()); + proc_id = PLAT_PROC_START_ID + core; + device_id = PLAT_PROC_DEVICE_START_ID + core; +- cluster_id = PLAT_CLUSTER_DEVICE_START_ID + (cluster * 2); ++ cluster_id = get_plat_cluster_start_id() + (cluster * 2); + + /* + * If we are the last core in the cluster then we take a reference to +diff --git a/plat/ti/k3/include/platform_def.h b/plat/ti/k3/include/platform_def.h +index db5e31d95..d191781a6 100644 +--- a/plat/ti/k3/include/platform_def.h ++++ b/plat/ti/k3/include/platform_def.h +@@ -25,6 +25,22 @@ + #define SEC_PROXY_RT_SIZE 0x80000 + #endif /* K3_SEC_PROXY_LITE */ + ++#define WKUP_CTRL_MMR0_BASE UL(0x43000000) ++#define WKUP_CTRL_MMR0_SIZE UL(0x20000) ++#define JTAG_ID U(0x14) ++#define JTAG_PART_ID_MASK GENMASK(27, 12) ++ ++#define J721E_PART_ID U(0xBB64) ++#define J7200_PART_ID U(0xBB6D) ++#define J721S2_PART_ID U(0xBB75) ++#define J784S4_J742S2_PART_ID U(0xBB80) ++ ++#define JTAG_PART_ID_WIDTH U(0x10) ++#define JTAG_PART_ID_SHIFT U(0xC) ++ ++/* A-core Cluster Device ID for j721e, j7200 and j721s2 */ ++#define J7_PLAT_CLUSTER_DEVICE_START_ID U(0x4) ++ + #define SEC_PROXY_TIMEOUT_US 1000000 + #define SEC_PROXY_MAX_MESSAGE_SIZE 56 + +-- +2.34.1 + diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch new file mode 100644 index 000000000000..1a0cf0334715 --- /dev/null +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch @@ -0,0 +1,195 @@ +From c79ff3679a4360bb848b01d4036c365533fcf791 Mon Sep 17 00:00:00 2001 +From: Richard Genoud +Date: Tue, 11 Feb 2025 18:20:17 +0100 +Subject: [PATCH 2/3] feat(ti): add message to encrypt tfa during suspend + +At suspend, BL31 with its context will be encrypted by TIFS in DDR. +Encryption is needed for security matters, so that the BL31 is not +modified before entering suspend or early at resume. + +We only need the encryption function here because the decryption message +will be send by the R5 SPL at resume. + +Also introduce the LPM_ENCRYPT_IMAGE cap signals that FW has the support +to encrypt the image using the TISCI_MSG_LPM_ENCRYPT tisci message. + +This is useful in suspend to ram cases where we would like to +store the encrypted image of a secure fw instead of the original image +itself in the DDR. + +Check for LPM_ENCRYPT_IMAGE flag in the FW capabilities, and only then +call encrypt. + +Upstream-Status: Pending + +Change-Id: I266472da87dd0821493019b2d9853f8886f33811 +Signed-off-by: Richard Genoud +Signed-off-by: Abhash Kumar Jha +--- + drivers/ti/ti_sci/ti_sci.c | 36 +++++++++++++++++++++++++++++ + drivers/ti/ti_sci/ti_sci.h | 7 ++++++ + drivers/ti/ti_sci/ti_sci_protocol.h | 32 +++++++++++++++++++++++++ + plat/ti/k3/common/k3_psci.c | 10 ++++++++ + 4 files changed, 85 insertions(+) + +diff --git a/drivers/ti/ti_sci/ti_sci.c b/drivers/ti/ti_sci/ti_sci.c +index f0813e5b0..ee5f7166f 100644 +--- a/drivers/ti/ti_sci/ti_sci.c ++++ b/drivers/ti/ti_sci/ti_sci.c +@@ -1784,3 +1784,39 @@ int ti_sci_lpm_get_next_sys_mode(uint8_t *next_mode) + + return 0; + } ++/* ++ * ti_sci_encrypt_tfa - Ask TIFS to encrypt TFA at a specific address ++ * ++ * @src_tfa_addr: Address where the TFA lies unencrypted ++ * @src_tfa_len: Size of the TFA unencrypted ++ * ++ * Return: 0 if all goes well, else appropriate error message ++ */ ++int ti_sci_encrypt_tfa(uint64_t src_tfa_addr, ++ uint32_t src_tfa_len) ++{ ++ struct ti_sci_msg_req_encrypt_tfa req = { 0 }; ++ struct ti_sci_msg_resp_encrypt_tfa resp = { 0 }; ++ struct ti_sci_xfer xfer; ++ int ret; ++ ++ ret = ti_sci_setup_one_xfer(TISCI_MSG_LPM_ENCRYPT_TFA, 0, ++ &req, sizeof(req), ++ &resp, sizeof(resp), ++ &xfer); ++ if (ret != 0U) { ++ ERROR("Message alloc failed (%d)\n", ret); ++ return ret; ++ } ++ ++ req.src_tfa_addr = src_tfa_addr; ++ req.src_tfa_len = src_tfa_len; ++ ++ ret = ti_sci_do_xfer(&xfer); ++ if (ret != 0U) { ++ ERROR("Transfer send failed (%d)\n", ret); ++ return ret; ++ } ++ ++ return 0; ++} +diff --git a/drivers/ti/ti_sci/ti_sci.h b/drivers/ti/ti_sci/ti_sci.h +index 1f1963274..2afa11317 100644 +--- a/drivers/ti/ti_sci/ti_sci.h ++++ b/drivers/ti/ti_sci/ti_sci.h +@@ -258,6 +258,11 @@ int ti_sci_proc_wait_boot_status_no_wait(uint8_t proc_id, + * + * Return: 0 if all goes well, else appropriate error message + * ++ * - ti_sci_encrypt_tfa - Ask TIFS to encrypt TFA at a specific address ++ * ++ * @src_tfa_addr: Address where the TFA lies unencrypted ++ * @src_tfa_len: Size of the TFA unencrypted ++ * + * NOTE: for all these functions, the following are generic in nature: + * Returns 0 for successful request, else returns corresponding error message. + */ +@@ -265,5 +270,7 @@ int ti_sci_enter_sleep(uint8_t proc_id, + uint8_t mode, + uint64_t core_resume_addr); + int ti_sci_lpm_get_next_sys_mode(uint8_t *next_mode); ++int ti_sci_encrypt_tfa(uint64_t src_tfa_addr, ++ uint32_t src_tfa_len); + + #endif /* TI_SCI_H */ +diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h +index bdd24622a..a165cda99 100644 +--- a/drivers/ti/ti_sci/ti_sci_protocol.h ++++ b/drivers/ti/ti_sci/ti_sci_protocol.h +@@ -53,6 +53,9 @@ + #define TISCI_MSG_GET_PROC_BOOT_STATUS 0xc400 + #define TISCI_MSG_WAIT_PROC_BOOT_STATUS 0xc401 + ++/* TFA encrypt/decrypt messages */ ++#define TISCI_MSG_LPM_ENCRYPT_TFA 0x030F ++ + /** + * struct ti_sci_secure_msg_hdr - Header that prefixes all TISCI messages sent + * via secure transport. +@@ -160,6 +163,7 @@ struct ti_sci_msg_resp_query_fw_caps { + #define MSG_FLAG_CAPS_LPM_STANDBY TI_SCI_MSG_FLAG(3) + #define MSG_FLAG_CAPS_LPM_PARTIAL_IO TI_SCI_MSG_FLAG(4) + #define MSG_FLAG_CAPS_LPM_DM_MANAGED TI_SCI_MSG_FLAG(5) ++#define MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE TI_SCI_MSG_FLAG(11) + uint64_t fw_caps; + } __packed; + +@@ -810,4 +814,32 @@ struct ti_sci_msg_resp_lpm_get_next_sys_mode { + uint8_t mode; + } __packed; + ++/* ++ * struct ti_sci_msg_req_encrypt_tfa - Request for TISCI_MSG_LPM_ENCRYPT_TFA. ++ * ++ * @hdr Generic Header ++ * @src_tfa_addr: Address where the TFA lies unencrypted ++ * @src_tfa_len: Size of the TFA unencrypted ++ * ++ * This message is to be sent when the system is going in suspend, just before ++ * TI_SCI_MSG_ENTER_SLEEP. ++ * The TIFS will then encrypt the TFA and store it in RAM, along with a private ++ * header. ++ * Upon resume, the SPL will ask TIFS to decrypt it back. ++ */ ++struct ti_sci_msg_req_encrypt_tfa { ++ struct ti_sci_msg_hdr hdr; ++ uint64_t src_tfa_addr; ++ uint32_t src_tfa_len; ++} __packed; ++ ++/* ++ * struct ti_sci_msg_req_encrypt_tfa - Request for TISCI_MSG_LPM_ENCRYPT_TFA. ++ * ++ * @hdr Generic Header ++ */ ++struct ti_sci_msg_resp_encrypt_tfa { ++ struct ti_sci_msg_hdr hdr; ++} __packed; ++ + #endif /* TI_SCI_PROTOCOL_H */ +diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c +index a443dd851..c2017666b 100644 +--- a/plat/ti/k3/common/k3_psci.c ++++ b/plat/ti/k3/common/k3_psci.c +@@ -24,6 +24,7 @@ + #define SYSTEM_PWR_STATE(state) ((state)->pwr_domain_state[PLAT_MAX_PWR_LVL]) + + uintptr_t k3_sec_entrypoint; ++bool encrypt_image; + + static void k3_cpu_standby(plat_local_state_t cpu_state) + { +@@ -282,6 +283,11 @@ static void k3_pwr_domain_suspend_to_mode(const psci_power_state_t *target_state + k3_gic_cpuif_disable(); + k3_gic_save_context(); + ++ if (encrypt_image) ++ { ++ ti_sci_encrypt_tfa((uint64_t)__TEXT_START__, BL31_SIZE); ++ } ++ + k3_pwr_domain_off(target_state); + + ti_sci_enter_sleep(proc_id, mode, k3_sec_entrypoint); +@@ -347,6 +353,10 @@ int plat_setup_psci_ops(uintptr_t sec_entrypoint, + ERROR("Unable to query firmware capabilities (%d)\n", ret); + } + ++ if (fw_caps & MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE) { ++ encrypt_image = true; ++ } ++ + /* If firmware does not support any known suspend mode */ + if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP | + MSG_FLAG_CAPS_LPM_MCU_ONLY | +-- +2.34.1 + diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch new file mode 100644 index 000000000000..b91b336e0778 --- /dev/null +++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch @@ -0,0 +1,69 @@ +From 470cf022d03e350beab36605d4250944d2c92ffe Mon Sep 17 00:00:00 2001 +From: Abhash Kumar Jha +Date: Tue, 28 Oct 2025 23:24:22 +0530 +Subject: [PATCH 3/3] feat(k3): handle suspend in case of LPM_BOARDCFG_MANAGED + +The J7 platforms support LPM_BOARDCFG_MANAGED capability where the +low power mode configuration is done statically for the DM via the +pm-boardcfg. + +This is entirely opposite to the case of DM_MANAGED, where the DM fw +decides the low power mode to enter into. + +Introduce LPM_BOARDCFG_MANAGED cap to handle suspend for those +platforms as well. + +Upstream-Status: Pending + +Change-Id: Iaa0ab478cbe0db6652f61e9d733c0fddb4bab234 +Signed-off-by: Abhash Kumar Jha +--- + drivers/ti/ti_sci/ti_sci_protocol.h | 1 + + plat/ti/k3/common/k3_psci.c | 13 ++++++++----- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h +index a165cda99..b83174b0d 100644 +--- a/drivers/ti/ti_sci/ti_sci_protocol.h ++++ b/drivers/ti/ti_sci/ti_sci_protocol.h +@@ -164,6 +164,7 @@ struct ti_sci_msg_resp_query_fw_caps { + #define MSG_FLAG_CAPS_LPM_PARTIAL_IO TI_SCI_MSG_FLAG(4) + #define MSG_FLAG_CAPS_LPM_DM_MANAGED TI_SCI_MSG_FLAG(5) + #define MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE TI_SCI_MSG_FLAG(11) ++#define MSG_FLAG_CAPS_LPM_BOARDCFG_MANAGED TI_SCI_MSG_FLAG(12) + uint64_t fw_caps; + } __packed; + +diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c +index c2017666b..9cf41b4cb 100644 +--- a/plat/ti/k3/common/k3_psci.c ++++ b/plat/ti/k3/common/k3_psci.c +@@ -357,17 +357,20 @@ int plat_setup_psci_ops(uintptr_t sec_entrypoint, + encrypt_image = true; + } + +- /* If firmware does not support any known suspend mode */ +- if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP | ++ /* If firmware is capabale of low power modes */ ++ if (fw_caps & (MSG_FLAG_CAPS_LPM_DM_MANAGED | ++ MSG_FLAG_CAPS_LPM_BOARDCFG_MANAGED)) { ++ k3_plat_psci_ops.pwr_domain_suspend = k3_pwr_domain_suspend_dm_managed; ++ } else if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP | + MSG_FLAG_CAPS_LPM_MCU_ONLY | + MSG_FLAG_CAPS_LPM_STANDBY | + MSG_FLAG_CAPS_LPM_PARTIAL_IO))) { +- /* Disable PSCI suspend support */ ++ /* If firmware does not support any known suspend mode ++ * disable PSCI suspend support ++ */ + k3_plat_psci_ops.pwr_domain_suspend = NULL; + k3_plat_psci_ops.pwr_domain_suspend_finish = NULL; + k3_plat_psci_ops.get_sys_suspend_power_state = NULL; +- } else if (fw_caps & MSG_FLAG_CAPS_LPM_DM_MANAGED) { +- k3_plat_psci_ops.pwr_domain_suspend = k3_pwr_domain_suspend_dm_managed; + } + + *psci_ops = &k3_plat_psci_ops; +-- +2.34.1 + diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc index 61a74a069886..d636ae006216 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc @@ -1,6 +1,8 @@ # Use TI SECDEV for signing inherit ti-secdev +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:" + EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" @@ -76,3 +78,12 @@ RDEPENDS:${PN} += "${PN}-ta" # This is needed for bl32.elf INSANE_SKIP:${PN}:append:k3 = " textrel" + +# LPM support patch for Jacinto platforms (J7200, J742S2, J784S4) +OPTEE_JACINTO_LPM_PATCHES = " \ + file://0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch \ +" + +SRC_URI:append:j7200 = " ${OPTEE_JACINTO_LPM_PATCHES}" +SRC_URI:append:j742s2 = " ${OPTEE_JACINTO_LPM_PATCHES}" +SRC_URI:append:j784s4 = " ${OPTEE_JACINTO_LPM_PATCHES}" diff --git a/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch b/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch new file mode 100644 index 000000000000..a19fe1036470 --- /dev/null +++ b/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch @@ -0,0 +1,46 @@ +From 00f74ba2ab00088d51e6da3c0eefe50599ef5c82 Mon Sep 17 00:00:00 2001 +From: Prasanth Babu Mantena +Date: Mon, 3 Nov 2025 12:42:57 +0530 +Subject: [PATCH] plat-k3: drivers: Open TRNG firewall for TIFS on all k3 devs + +On k3 devices, TRNG is firewalled to be accessed only by OPTEE. + +TIFS needs this for the encryption and decryption services to support +different low power modes. So, open firewall to TIFS as well. + +There is no concurrent usage of TRNG, as TIFS uses TRNG only at suspend +when OPTEE is down and resume, when firewalls are restored but OPTEE is +not up yet. + +As this is a firewall that required to be shared along with TIFS on all +devices, making this a common change and open on all devs. + +Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/7582] + +Signed-off-by: Prasanth Babu Mantena +Reviewed-by: Manorit Chawdhry +Reviewed-by: Andrew Davis +--- + core/arch/arm/plat-k3/drivers/sa2ul.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/core/arch/arm/plat-k3/drivers/sa2ul.c b/core/arch/arm/plat-k3/drivers/sa2ul.c +index c50757b2c..e10bde131 100644 +--- a/core/arch/arm/plat-k3/drivers/sa2ul.c ++++ b/core/arch/arm/plat-k3/drivers/sa2ul.c +@@ -121,12 +121,7 @@ static TEE_Result sa2ul_init(void) + start_address = RNG_BASE; + end_address = RNG_BASE + RNG_REG_SIZE - 1; + permissions[num_perm++] = (FW_BIG_ARM_PRIVID << 16) | FW_SECURE_ONLY; +-#if defined(PLATFORM_FLAVOR_am62x) || \ +- defined(PLATFORM_FLAVOR_am62ax) || \ +- defined(PLATFORM_FLAVOR_am62px) +- + permissions[num_perm++] = (FW_TIFS_PRIVID << 16) | FW_NON_SECURE; +-#endif + ret = ti_sci_set_fwl_region(fwl_id, rng_region, num_perm, + control, permissions, + start_address, end_address); +-- +2.34.1 +