Merge pull request #1007 from soby-mathew/sm/ccint

Enable integration of ARM TrustZone Cryptocell for TBB

Merge pull request #1007 from soby-mathew/sm/ccint
Enable integration of ARM TrustZone Cryptocell for TBB
aa5b843f · danh-arm · GitHub · 1979ee13 · f143cafe · aa5b843f
Commit aa5b843f authored Jun 28, 2017 by danh-arm Committed by GitHub Jun 28, 2017
--- a/plat/arm/board/common/board_common.mk
+++ b/plat/arm/board/common/board_common.mk
@@ -17,6 +17,7 @@ BL2_SOURCES		+=	plat/arm/board/common/drivers/norflash/norflash.c
 #BL31_SOURCES		+=
 ifneq (${TRUSTED_BOARD_BOOT},0)
+  ifneq (${ARM_CRYPTOCELL_INTEG}, 1)
    # ROTPK hash location
    ifeq (${ARM_ROTPK_LOCATION}, regs)
        ARM_ROTPK_LOCATION_ID = ARM_ROTPK_REGS_ID
@@ -31,7 +32,12 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
    # ARM development platforms
    TFW_NVCTR_VAL	?=	31
    NTFW_NVCTR_VAL	?=	223
+  else
+    # Certificate NV-Counters when CryptoCell is integrated. For development
+    # platforms we set the counter to first valid value.
+    TFW_NVCTR_VAL	?=	0
+    NTFW_NVCTR_VAL	?=	0
+  endif
    BL1_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c
    BL2_SOURCES		+=	plat/arm/board/common/board_arm_trusted_boot.c
 endif

--- a/plat/arm/board/juno/include/platform_def.h
+++ b/plat/arm/board/juno/include/platform_def.h
@@ -26,6 +26,9 @@
 #define PLATFORM_CORE_COUNT		(JUNO_CLUSTER0_CORE_COUNT + \
 					JUNO_CLUSTER1_CORE_COUNT)
+/* Cryptocell HW Base address */
+#define PLAT_CRYPTOCELL_BASE		0x60050000
 /*
 * Other platform porting definitions are provided by included headers
 */

--- a/plat/arm/common/aarch64/arm_helpers.S
+++ b/plat/arm/common/aarch64/arm_helpers.S
@@ -115,3 +115,51 @@ func arm_disable_spe
 	ret
 endfunc arm_disable_spe
 #endif
+/*
+ * Need to use coherent stack when ARM Cryptocell is used to autheticate images
+ * since Cryptocell uses DMA to transfer data and it is not coherent with the
+ * AP CPU.
+ */
+#if ARM_CRYPTOCELL_INTEG
+#if defined(IMAGE_BL1) || defined(IMAGE_BL2)
+	.globl	plat_get_my_stack
+	.globl	plat_set_my_stack
+	.local	platform_coherent_stacks
+	/* -------------------------------------------------------
+	 * uintptr_t plat_get_my_stack ()
+	 *
+	 * For cold-boot BL images, only the primary CPU needs a
+	 * stack. This function returns the stack pointer for a
+	 * stack allocated in coherent memory.
+	 * -------------------------------------------------------
+	 */
+func plat_get_my_stack
+	get_up_stack platform_coherent_stacks, PLATFORM_STACK_SIZE
+	ret
+endfunc plat_get_my_stack
+	/* -------------------------------------------------------
+	 * void plat_set_my_stack ()
+	 *
+	 * For cold-boot BL images, only the primary CPU needs a
+	 * stack. This function sets the stack pointer to a stack
+	 * allocated in coherent memory.
+	 * -------------------------------------------------------
+	 */
+func plat_set_my_stack
+	get_up_stack platform_coherent_stacks, PLATFORM_STACK_SIZE
+	mov sp, x0
+	ret
+endfunc plat_set_my_stack
+	/* ----------------------------------------------------
+	 * Single cpu stack in coherent memory.
+	 * ----------------------------------------------------
+	 */
+declare_stack platform_coherent_stacks, tzfw_coherent_mem, \
+		PLATFORM_STACK_SIZE, 1, CACHE_WRITEBACK_GRANULE
+#endif	/* defined(IMAGE_BL1) || defined(IMAGE_BL2) */
+#endif	/* ARM_CRYPTOCELL_INTEG */
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -94,6 +94,11 @@ LOAD_IMAGE_V2			:=	1
 # Use generic OID definition (tbbr_oid.h)
 USE_TBBR_DEFS			:=	1
+# Disable ARM Cryptocell by default
+ARM_CRYPTOCELL_INTEG		:=	0
+$(eval $(call assert_boolean,ARM_CRYPTOCELL_INTEG))
+$(eval $(call add_define,ARM_CRYPTOCELL_INTEG))
 PLAT_INCLUDES		+=	-Iinclude/common/tbbr				\
 				-Iinclude/plat/arm/common
@@ -181,7 +186,11 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
    TF_MBEDTLS_KEY_ALG	:=	${KEY_ALG}
    # We expect to locate the *.mk files under the directories specified below
+ifeq (${ARM_CRYPTOCELL_INTEG},0)
    CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
+else
+    CRYPTO_LIB_MK := drivers/auth/cryptocell/cryptocell_crypto.mk
+endif
    IMG_PARSER_LIB_MK := drivers/auth/mbedtls/mbedtls_x509.mk
    $(info Including ${CRYPTO_LIB_MK})

--- a/plat/arm/common/arm_tzc400.c
+++ b/plat/arm/common/arm_tzc400.c
@@ -34,6 +34,7 @@ void arm_tzc400_setup(void)
 	tzc400_disable_filters();
 #ifndef EL3_PAYLOAD_BASE
 	/* Region 0 set to no access by default */
 	tzc400_configure_region0(TZC_REGION_S_NONE, 0);
@@ -47,13 +48,13 @@ void arm_tzc400_setup(void)
 	 * Apply the same configuration to given filters in the TZC. */
 	tzc400_configure_region(PLAT_ARM_TZC_FILTERS, 2,
 			ARM_NS_DRAM1_BASE, ARM_NS_DRAM1_END,
-			TZC_REGION_S_NONE,
+			ARM_TZC_NS_DRAM_S_ACCESS,
 			PLAT_ARM_TZC_NS_DEV_ACCESS);
 	/* Region 3 set to cover Non-Secure access to 2nd DRAM address range */
 	tzc400_configure_region(PLAT_ARM_TZC_FILTERS, 3,
 			ARM_DRAM2_BASE, ARM_DRAM2_END,
-			TZC_REGION_S_NONE,
+			ARM_TZC_NS_DRAM_S_ACCESS,
 			PLAT_ARM_TZC_NS_DEV_ACCESS);
 #else
 	/* Allow secure access only to DRAM for EL3 payloads. */

--- a/plat/arm/common/arm_tzc_dmc500.c
+++ b/plat/arm/common/arm_tzc_dmc500.c
@@ -41,14 +41,14 @@ void arm_tzc_dmc500_setup(tzc_dmc500_driver_data_t *plat_driver_data)
 	tzc_dmc500_configure_region(2,
 		ARM_NS_DRAM1_BASE,
 		ARM_NS_DRAM1_END,
-		TZC_REGION_S_NONE,
+		ARM_TZC_NS_DRAM_S_ACCESS,
 		PLAT_ARM_TZC_NS_DEV_ACCESS);
 	/* Region 3 set to cover Non-Secure access to 2nd DRAM address range */
 	tzc_dmc500_configure_region(3,
 		ARM_DRAM2_BASE,
 		ARM_DRAM2_END,
-		TZC_REGION_S_NONE,
+		ARM_TZC_NS_DRAM_S_ACCESS,
 		PLAT_ARM_TZC_NS_DEV_ACCESS);
 #else
 	/* Allow secure access only to DRAM for EL3 payloads */