TDA4VM: About the concept of Firewall IDs

Part Number: TDA4VM


Hi TI,

I have some questions about the firewall concept for TDA4VM:

As far as I have understood, there are two possibilities to set up a firewall:

1) U-Boot, which is currently not supported (see also this thread https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1004837/tda4vm-how-to-apply-j721e_firewall_data-c-file-to-boot-process)

2) In the application itself (There is a demo app in PDK called sciclient_fw_testapp which shows the concept of firewalls)

For getting the appropriate firewall settings, I can use the k3-respart-tool, which has a dedicated section about configuring firewalls. Here I need some additional clarification. Let's assume I want to configure a firewall for PCIe. So I choose "Device to be protected" in k3-respart-tool as "PCIE Main". This sets up all the firewall IDs (fwl_id), which are needed for the 4 PCIe slots of TDA4VM (i.e. 2528, 2529, 2530, 2531, 2532, 2533, 2534, 2535, 2560, 2561, 2562, 2563). Additionally, the start address is set to 0x000002900000 (which corresponds to PCIE0_CORE_PCIE_INTD_CFG_INTD_CFG register) and the end address is set to 0x004417FFFFFF (which corresponds to PCIE3_DAT0 register).

Q1: Does that mean that the whole memory region from 0x000002900000 - 0x004417FFFFFF is firewalled? It makes sense that these are the boundaries of the firewall region, but there are other registers included here as well, which are then not accessible anymore from another core?

Q2: What is the purpose of Firewall IDs (fwl_id)? Are these only needed to give an appropriate error message when trying to access the register defined with start and end address?

Q3: I only want to secure the data registers of PCIe. So do I only have to set the start and end address to the correct registers? Do I have to do this for all fwl_id of PCIe?

Thanks for your help and best regards,

Felix

  • Hi Felix,

    Regarding (1), will need to check with team if this feature is planned.

    Regarding (2),

    Q1, the defined memory range would have the same firewall permissions applied to it for all addresses within that range.  

    Q2, the fwl_id is a unique identifier for each firewall, it is required to identify the firewall that is being programmed / read.

    Q3, in general same answer as Q1.  The firewall permissions will be applied to the address ranges specified for the region that is being programmed.

    The firewall FAQ in SDK documentation has some additional information:

    https://software-dl.ti.com/tisci/esd/20_08_00/6_topic_user_guides/firewall_faq.html 

    Regards,

    kb

  • Hi KB,

    I found out, that if I use the following code to configure firewalls for the PCIe Module (I added all corresponding fwl_ids, not only 2528 like in the code snippet)

        struct tisci_msg_fwl_set_firewall_region_req req_fw_set = {
            .fwl_id = (uint16_t) 2528,
            .region = (uint16_t) 0,
            .n_permission_regs = (uint32_t) 1,
            .control = (uint32_t) 0x20A,
            .permissions = (uint32_t) (privId << 16) | perm_for_access,
            .start_address = 0x2900000,
            .end_address = 0x4417FFFFFF
        };

    Only those regions are firewalled, which correspond to the PCIe Registers. 

    As far as I have understood the concept, the firewall for PCIe is a Peripheral Firewall. So each fwl_id for PCIE is responsible for some registers and the start and end address only define the region, where to look for those registers. Is this correct?

    Thanks again and best regards,

    Felix

  • Hi Felix,

    I'm not following the PCIe use case, so instead will focus on the req_fw_set provided above:

    • This set request is for FWL_ID 2528, which from looking at header files is for CSL_STD_FW_PCIE0_PCIE_SLV_HP_ID.
    • The setting being done is for region 0, and sets the address range for 0x2900000 to 0x4417FFFFFF.
    • A privId is or'd with the permissions, to create the permissions for this address range.
    • Once the firewall is applied, any transaction destined for PCIE0_HP on the interconnect, that has a destination address with the range specified for region0, and originated by "privId", will be subject to the permission specified by "perm_for_access".  No other privId will have permissions to this memory range.

    Please note this was not tested, only looking at the code snippet provided above.

    Regards,

    kb
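
Added example, not part of the thread and not TI code: a small C model of the decision described in the last reply, where a region only affects transactions that pass through its own firewall (fwl_id), fall inside its address range, and come from the programmed privId. The type and function names, the 8-bit privId field width, privId 1 and the permission bits 0x00FF are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types; these are not TI's sciclient structures. */
enum fw_result { FW_NOT_ON_PATH, FW_NO_REGION_MATCH, FW_PRIVID_DENIED, FW_PERM_APPLIES };

struct fw_region {
    uint16_t fwl_id;        /* firewall in front of one interconnect target */
    uint32_t permissions;   /* (privId << 16) | perm_for_access, as in the post */
    uint64_t start_address; /* 64-bit: 0x4417FFFFFF does not fit in 32 bits */
    uint64_t end_address;   /* inclusive upper bound */
};

struct fw_txn {
    uint16_t target_fwl_id; /* firewall this transaction passes through */
    uint8_t  priv_id;       /* originator's privId (assumed 8 bits wide) */
    uint64_t addr;          /* destination address */
};

/* On FW_PERM_APPLIES, *perm_out (if non-NULL) gets the low 16 permission bits. */
enum fw_result fw_check(const struct fw_region *r, const struct fw_txn *t, uint16_t *perm_out)
{
    if (t->target_fwl_id != r->fwl_id)
        return FW_NOT_ON_PATH;      /* another target: this firewall never sees it */
    if (t->addr < r->start_address || t->addr > r->end_address)
        return FW_NO_REGION_MATCH;  /* outcome for this case is not covered in the thread */
    if (t->priv_id != (uint8_t)(r->permissions >> 16))
        return FW_PRIVID_DENIED;    /* "No other privId will have permissions" */
    if (perm_out)
        *perm_out = (uint16_t)(r->permissions & 0xFFFFu);
    return FW_PERM_APPLIES;
}

/* Region 0 of fwl_id 2528 from the post; privId 1 and 0x00FF are constructed values. */
struct fw_region pcie0_region0(void)
{
    struct fw_region r = { 2528, ((uint32_t)1 << 16) | 0x00FFu, 0x2900000ULL, 0x4417FFFFFFULL };
    return r;
}

int main(void)
{
    struct fw_region r = pcie0_region0();
    struct fw_txn t = { 2528, 2, 0x2900000ULL }; /* constructed: different privId */
    printf("result=%d\n", fw_check(&r, &t, NULL));
    return 0;
}
```

The FW_NOT_ON_PATH case corresponds to the observation that a wide start/end range only takes effect for the registers behind the firewall whose fwl_id was programmed.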