RSS: Enable SIC and XIP mode

Change-Id: I19222bc4b668ccc41e087927f822ae25757e33bd
Signed-off-by: Raef Coles <[email protected]>

Author: RcColes

bl2/ext/mcuboot/bl2_main.c

@@ -48,6 +48,7 @@ __asm("  .global __ARM_use_no_argv\n");
 
 /* Static buffer to be used by mbedtls for memory allocation */
 static uint8_t mbedtls_mem_buf[BL2_MBEDTLS_MEM_BUF_LEN];
+struct boot_rsp rsp;
 
 static void do_boot(struct boot_rsp *rsp)
 {
@@ -88,7 +89,6 @@ static void do_boot(struct boot_rsp *rsp)
 
 int main(void)
 {
-    struct boot_rsp rsp;
     fih_int fih_rc = FIH_FAILURE;
     enum tfm_plat_err_t plat_err;
     int32_t image_id;

docs/platform/arm/rss/readme.rst

@@ -97,13 +97,32 @@ run the following ``srec_cat`` commands::
         <SCP BL1 image> -Binary -offset 0x320000 \
         -o flash.bin -Binary
 
+If XIP mode is enabled, the following ``srec_cat`` command should be run to
+create the flash image::
+
+    srec_cat \
+        bl2_signed.bin -Binary -offset 0x0 \
+        bl2_signed.bin -Binary -offset 0x10000 \
+        tfm_s.bin -Binary -offset 0x020000 \
+        tfm_ns.bin -Binary -offset 0x080000 \
+        tfm_s.bin -Binary -offset 0x0E0000 \
+        tfm_ns.bin -Binary -offset 0x140000 \
+        <Host AP BL1 image> -Binary -offset 0x1A0000 \
+        <SCP BL1 image> -Binary -offset 0x220000 \
+        <Host AP BL1 image>  -Binary -offset 0x2A0000 \
+        <SCP BL1 image> -Binary -offset 0x320000 \
+        tfm_s_sic_tables_signed.bin -Binary -offset 0x3A0000 \
+        tfm_ns_sic_tables_signed.bin -Binary -offset 0x3AA000 \
+        tfm_s_sic_tables_signed.bin -Binary -offset 0x3B4000 \
+        tfm_ns_sic_tables_signed.bin -Binary -offset 0x3BE000 \
+        -o flash.bin -Binary
 
 Once the flash image is created, it can be combined with the host FIP to create
 a combined host flash image::
 
     srec_cat \
             fip-tc.bin -Binary -offset 0x0\
-            flash.bin -Binary -offset 0x00400000 \
+            flash.bin -Binary -offset 0x02200000 \
             -o host_flash.bin -Binary
 
 For development purposes, the OTP image is included as a provisioning bundle in
@@ -114,8 +133,8 @@ with the higher version number.
 
 The ROM binary should be placed in RSS ROM at ``0x11000000`` and the host flash
 binary should be placed at the base of the host flash. For the TC platform,
-this is at ``0x84000000``.
+this is at ``0x08000000``.
 
 --------------
 
-*Copyright (c) 2022, Arm Limited. All rights reserved.*
+*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*

platform/ext/target/arm/rss/common/CMakeLists.txt

@@ -18,6 +18,11 @@ target_include_directories(platform_region_defs
         cc312
 )
 
+target_compile_definitions(platform_region_defs
+    INTERFACE
+        $<$<BOOL:${RSS_XIP}>:RSS_XIP>
+)
+
 #========================= Platform common defs ===============================#
 
 # Specify the location of platform specific build dependencies.

platform/ext/target/arm/rss/common/bl2/provisioning.c

@@ -23,6 +23,8 @@ __PACKED_STRUCT bl2_assembly_and_test_provisioning_data_t {
     uint8_t bl2_rotpk_1[32];
     uint8_t bl2_rotpk_2[32];
     uint8_t bl2_rotpk_3[32];
+    uint8_t s_image_encryption_key[32];
+    uint8_t ns_image_encryption_key[32];
 
 #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
     uint8_t secure_debug_pk[32];
@@ -94,6 +96,21 @@ static const struct bl2_assembly_and_test_provisioning_data_t bl2_assembly_and_t
 #error "No public key available for given signing algorithm."
 #endif /* MCUBOOT_SIGN_RSA_LEN */
 
+    /* Secure image encryption key; */
+    {
+        0xfc, 0x57, 0x01, 0xdc, 0x61, 0x35, 0xe1, 0x32,
+        0x38, 0x47, 0xbd, 0xc4, 0x0f, 0x04, 0xd2, 0xe5,
+        0xbe, 0xe5, 0x83, 0x3b, 0x23, 0xc2, 0x9f, 0x93,
+        0x59, 0x3d, 0x00, 0x01, 0x8c, 0xfa, 0x99, 0x94,
+    },
+    /* Non-secure image encryption key; */
+    {
+        0xfc, 0x57, 0x01, 0xdc, 0x61, 0x35, 0xe1, 0x32,
+        0x38, 0x47, 0xbd, 0xc4, 0x0f, 0x04, 0xd2, 0xe5,
+        0xbe, 0xe5, 0x83, 0x3b, 0x23, 0xc2, 0x9f, 0x93,
+        0x59, 0x3d, 0x00, 0x01, 0x8c, 0xfa, 0x99, 0x94,
+    },
+
 #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
     {
         0xf4, 0x0c, 0x8f, 0xbf, 0x12, 0xdb, 0x78, 0x2a,
@@ -167,6 +184,19 @@ enum tfm_plat_err_t provision_assembly_and_test(void)
         return err;
     }
 
+    err = tfm_plat_otp_write(PLAT_OTP_ID_KEY_SECURE_ENCRYPTION,
+                             sizeof(bl2_assembly_and_test_prov_data.s_image_encryption_key),
+                             bl2_assembly_and_test_prov_data.s_image_encryption_key);
+    if (err != TFM_PLAT_ERR_SUCCESS && err != TFM_PLAT_ERR_UNSUPPORTED) {
+        return err;
+    }
+    err = tfm_plat_otp_write(PLAT_OTP_ID_KEY_NON_SECURE_ENCRYPTION,
+                             sizeof(bl2_assembly_and_test_prov_data.ns_image_encryption_key),
+                             bl2_assembly_and_test_prov_data.ns_image_encryption_key);
+    if (err != TFM_PLAT_ERR_SUCCESS && err != TFM_PLAT_ERR_UNSUPPORTED) {
+        return err;
+    }
+
 #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
     err = tfm_plat_otp_write(PLAT_OTP_ID_SECURE_DEBUG_PK,
                              sizeof(bl2_assembly_and_test_prov_data.secure_debug_pk),

platform/ext/target/arm/rss/common/otp_lcm.c

@@ -26,6 +26,8 @@ __PACKED_STRUCT plat_user_area_layout_t {
     uint32_t iak_id_zero_bits;
     uint32_t bl2_rotpk_zero_bits[3];
     uint32_t bl2_encryption_key_zero_bits;
+    uint32_t s_image_encryption_key_zero_bits;
+    uint32_t ns_image_encryption_key_zero_bits;
     uint32_t bl1_2_image_hash_zero_bits;
     uint32_t bl2_image_hash_zero_bits;
     uint32_t bl1_rotpk_0_zero_bits;
@@ -49,6 +51,9 @@ __PACKED_STRUCT plat_user_area_layout_t {
     uint32_t bl2_nv_counter[4][128];
 
     uint32_t bl2_encryption_key[8];
+    uint32_t s_image_encryption_key[8];
+    uint32_t ns_image_encryption_key[8];
+
     uint32_t bl1_2_image_hash[8];
     uint32_t bl2_image_hash[8];
     uint32_t bl1_nv_counter[128];
@@ -233,6 +238,19 @@ static enum tfm_plat_err_t check_keys_for_tampering(void)
         }
     }
 
+    err = verify_zero_bits_count(USER_AREA_OFFSET(s_image_encryption_key),
+                                 USER_AREA_SIZE(s_image_encryption_key),
+                                 USER_AREA_OFFSET(s_image_encryption_key_zero_bits));
+    if (err != TFM_PLAT_ERR_SUCCESS) {
+        return err;
+    }
+    err = verify_zero_bits_count(USER_AREA_OFFSET(ns_image_encryption_key),
+                                 USER_AREA_SIZE(ns_image_encryption_key),
+                                 USER_AREA_OFFSET(ns_image_encryption_key_zero_bits));
+    if (err != TFM_PLAT_ERR_SUCCESS) {
+        return err;
+    }
+
 #ifdef BL1
     err = verify_zero_bits_count(USER_AREA_OFFSET(bl2_encryption_key),
                                  USER_AREA_SIZE(bl2_encryption_key),
@@ -480,6 +498,12 @@ enum tfm_plat_err_t tfm_plat_otp_read(enum tfm_otp_element_id_t id,
         return otp_read(USER_AREA_OFFSET(host_nv_counter[2]),
                         USER_AREA_SIZE(host_nv_counter[2]), out_len, out);
 
+    case PLAT_OTP_ID_KEY_SECURE_ENCRYPTION:
+        return otp_read(USER_AREA_OFFSET(s_image_encryption_key),
+                        USER_AREA_SIZE(s_image_encryption_key), out_len, out);
+    case PLAT_OTP_ID_KEY_NON_SECURE_ENCRYPTION:
+        return otp_read(USER_AREA_OFFSET(ns_image_encryption_key),
+                        USER_AREA_SIZE(ns_image_encryption_key), out_len, out);
 #ifdef BL1
     case PLAT_OTP_ID_KEY_BL2_ENCRYPTION:
         return otp_read(USER_AREA_OFFSET(bl2_encryption_key),
@@ -624,6 +648,14 @@ enum tfm_plat_err_t tfm_plat_otp_write(enum tfm_otp_element_id_t id,
         return otp_write(USER_AREA_OFFSET(host_nv_counter[2]),
                          USER_AREA_SIZE(host_nv_counter[2]), in_len, in, 0);
 
+    case PLAT_OTP_ID_KEY_SECURE_ENCRYPTION:
+        return otp_write(USER_AREA_OFFSET(s_image_encryption_key),
+                         USER_AREA_SIZE(s_image_encryption_key), in_len, in,
+                         USER_AREA_OFFSET(s_image_encryption_key_zero_bits));
+    case PLAT_OTP_ID_KEY_NON_SECURE_ENCRYPTION:
+        return otp_write(USER_AREA_OFFSET(ns_image_encryption_key),
+                         USER_AREA_SIZE(ns_image_encryption_key), in_len, in,
+                         USER_AREA_OFFSET(ns_image_encryption_key_zero_bits));
 #ifdef BL1
     case PLAT_OTP_ID_KEY_BL2_ENCRYPTION:
         return otp_write(USER_AREA_OFFSET(bl2_encryption_key),
@@ -749,6 +781,12 @@ enum tfm_plat_err_t tfm_plat_otp_get_size(enum tfm_otp_element_id_t id,
         *size = USER_AREA_SIZE(host_nv_counter[2]);
         break;
 
+    case PLAT_OTP_ID_KEY_SECURE_ENCRYPTION:
+        *size = USER_AREA_SIZE(s_image_encryption_key);
+        break;
+    case PLAT_OTP_ID_KEY_NON_SECURE_ENCRYPTION:
+        *size = USER_AREA_SIZE(ns_image_encryption_key);
+        break;
 #ifdef BL1
     case PLAT_OTP_ID_KEY_BL2_ENCRYPTION:
         *size = USER_AREA_SIZE(bl2_encryption_key);

platform/ext/target/arm/rss/common/partition/platform_base_address.h

@@ -145,6 +145,12 @@
 #define FWU_HOST_IMAGE_BASE_S            (HOST_ACCESS_BASE_S + 0x000000) /* Region to allow writing new RSS FW images */
 #define HOST_COMMS_MAPPABLE_BASE_S       (HOST_ACCESS_BASE_S + 0x100000) /* Region into which to map host comms pointers */
 
+/* SIC regions open in BL2 and runtime */
+#define RSS_RUNTIME_S_XIP_BASE_S         SIC_HOST_BASE_S              /* RSS runtime secure image XIP secure address */
+#define RSS_RUNTIME_NS_XIP_BASE_S        (SIC_HOST_BASE_S + 0x060000) /* RSS runtime non-secure image XIP secure address */
+
+#define RSS_RUNTIME_NS_XIP_BASE_NS       (SIC_HOST_BASE_NS + 0x060000) /* RSS runtime non-secure image XIP non-secure address */
+
 /* Memory map addresses exempt from memory attribution by both the SAU and IDAU */
 #define RSS_EWIC_BASE                    0xE0047000 /* External Wakeup Interrupt Controller
                                                      * Access from Non-secure software is only allowed

platform/ext/target/arm/rss/common/partition/region_defs.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2022 Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2023 Arm Limited. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -107,9 +107,14 @@
             (FLASH_NS_PARTITION_SIZE - BL2_HEADER_SIZE - BL2_TRAILER_SIZE)
 
 /* Secure regions */
-/* Secure Code executes from VM0 */
+/* Secure Code executes from VM0, or XIP from flash via the SIC */
+#ifdef RSS_XIP
+#define S_CODE_START    (RSS_RUNTIME_S_XIP_BASE_S)
+#define S_CODE_SIZE     (FLASH_S_PARTITION_SIZE)
+#else
 #define S_CODE_START    (S_IMAGE_LOAD_ADDRESS + BL2_HEADER_SIZE)
 #define S_CODE_SIZE     (IMAGE_S_CODE_SIZE)
+#endif /* RSS_XIP */
 #define S_CODE_LIMIT    (S_CODE_START + S_CODE_SIZE - 1)
 
 /* Secure Data stored in VM0. Size defined in flash layout */
@@ -120,19 +125,31 @@
 #define S_CODE_VECTOR_TABLE_SIZE    (0x1C0)
 
 /* Non-secure regions */
-/* Non-Secure Code executes from VM1 */
+/* Non-Secure Code executes from VM1, or XIP from flash via the SIC */
+#ifdef RSS_XIP
+#define NS_CODE_START   (RSS_RUNTIME_NS_XIP_BASE_NS)
+#define NS_CODE_SIZE    (FLASH_NS_PARTITION_SIZE)
+#else
 #define NS_CODE_START   (VM1_BASE_NS + NS_DATA_SIZE + BL2_HEADER_SIZE)
 #define NS_CODE_SIZE    (IMAGE_NS_CODE_SIZE)
+#endif /* RSS_XIP */
 #define NS_CODE_LIMIT   (NS_CODE_START + NS_CODE_SIZE - 1)
 
-/* Non-Secure Data stored in VM1. */
+/* Non-Secure Data stored after secure data, or in VM1. */
+#ifdef RSS_XIP
+#define NS_DATA_START   (VM0_BASE_NS + S_DATA_SIZE)
+#else
 #define NS_DATA_START   (VM1_BASE_NS)
+#endif
 #define NS_DATA_LIMIT   (NS_DATA_START + NS_DATA_SIZE - 1)
 
 /* NS partition information is used for MPC and SAU configuration */
+#ifdef RSS_XIP
+#define NS_PARTITION_START RSS_RUNTIME_NS_XIP_BASE_NS
+#else
 #define NS_PARTITION_START (NS_CODE_START)
-#define NS_PARTITION_SIZE (FLASH_NS_PARTITION_SIZE - BL2_HEADER_SIZE \
-                           - BL2_TRAILER_SIZE)
+#endif /* RSS_XIP */
+#define NS_PARTITION_SIZE (NS_CODE_SIZE)
 
 #define SECONDARY_PARTITION_START (FWU_HOST_IMAGE_BASE_S)
 #define SECONDARY_PARTITION_SIZE (0x100000)

platform/ext/target/arm/rss/common/platform_otp_ids.h

@@ -44,6 +44,9 @@ enum tfm_otp_element_id_t {
     PLAT_OTP_ID_NV_COUNTER_NS_2,
 
     PLAT_OTP_ID_KEY_BL2_ENCRYPTION,
+    PLAT_OTP_ID_KEY_SECURE_ENCRYPTION,
+    PLAT_OTP_ID_KEY_NON_SECURE_ENCRYPTION,
+
     PLAT_OTP_ID_BL1_2_IMAGE,
     PLAT_OTP_ID_BL1_2_IMAGE_HASH,
     PLAT_OTP_ID_BL2_IMAGE_HASH,

platform/ext/target/arm/rss/common/rss_comms/rss_comms_atu_hal.h

@@ -8,7 +8,12 @@
 #ifndef __RSS_COMMS_ATU_HAL_H__
 #define __RSS_COMMS_ATU_HAL_H__
 
+#ifndef RSS_XIP
 #define RSS_COMMS_ATU_REGION_MIN        0
+#else
+#define RSS_COMMS_ATU_REGION_MIN        2
+#endif /* !RSS_XIP */
+
 #define RSS_COMMS_ATU_REGION_MAX        15
 /* There must be at least one region */
 #define RSS_COMMS_ATU_REGION_AM         (RSS_COMMS_ATU_REGION_MAX - \

platform/ext/target/arm/rss/common/target_cfg.c

@@ -338,6 +338,12 @@ enum tfm_plat_err_t mpc_init_cfg(void)
     if (ret != ARM_DRIVER_OK) {
         return TFM_PLAT_ERR_SYSTEM_ERR;
     }
+#ifdef RSS_XIP
+    ret = Driver_SIC_MPC.Initialize();
+    if (ret != ARM_DRIVER_OK) {
+        return TFM_PLAT_ERR_SYSTEM_ERR;
+    }
+#endif /* RSS_XIP */
 
     /* Configuring primary non-secure partition.
      * It is ensured in flash_layout.h that these memory regions are located in
@@ -349,9 +355,16 @@ enum tfm_plat_err_t mpc_init_cfg(void)
     if (ret != ARM_DRIVER_OK) {
         return TFM_PLAT_ERR_SYSTEM_ERR;
     }
+
+#ifdef RSS_XIP
+    ret = Driver_SIC_MPC.ConfigRegion(memory_regions.non_secure_partition_base,
+                                      memory_regions.non_secure_partition_limit,
+                                      ARM_MPC_ATTR_NONSECURE);
+#else
     ret = Driver_VM1_MPC.ConfigRegion(memory_regions.non_secure_partition_base,
                                       memory_regions.non_secure_partition_limit,
                                       ARM_MPC_ATTR_NONSECURE);
+#endif /* !RSS_XIP */
     if (ret != ARM_DRIVER_OK) {
         return TFM_PLAT_ERR_SYSTEM_ERR;
     }
@@ -366,6 +379,12 @@ enum tfm_plat_err_t mpc_init_cfg(void)
     if (ret != ARM_DRIVER_OK) {
         return ret;
     }
+#ifdef RSS_XIP
+    ret = Driver_SIC_MPC.LockDown();
+    if (ret != ARM_DRIVER_OK) {
+        return ret;
+    }
+#endif /* RSS_XIP */
 
     /* Add barriers to assure the MPC configuration is done before continue
      * the execution.
@@ -380,6 +399,9 @@ void mpc_clear_irq(void)
 {
     Driver_VM0_MPC.ClearInterrupt();
     Driver_VM1_MPC.ClearInterrupt();
+#ifdef RSS_XIP
+    Driver_SIC_MPC.ClearInterrupt();
+#endif /* RSS_XIP */
 }
 
 /*------------------- PPC configuration functions -------------------------*/