• State Resolved
  • Locked Locked
  • Replies 4 replies
  • Subscribers 100 subscribers
  • Views 378 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

AM6442: Firewalls & Virtualization on Sitara

AM623: Understanding Firewall for DMA

M K
Prodigy 50 points
Part Number: AM623

Tool/software:

Hi,

because this is a complex topic I wanted to ask if I have the correct understanding of the firewalls:

On our system we use Linux next to some safety applications on the A53 cores. From software perspective memory separation is handled by a hypervisor and the MMU.
However, we use the CPSW networking driver in Linux, which also has access to the DMA engine. So we must ensure that when incoming packets are written to memory by DMA that it can only write to certain memory regions. From my understanding this is what the firewalls are for.

Do you think this is a viable configuration for the scenario (IDs taken from TRM):

- Configure full memory as background region for priv-ID 4 (COMPUTE_CLUSTER0) for normal system access
- Configure region allocated for DMA buffers as foreground region for priv-ID 4 + 192 (DMA Reserved priv-ID)

This should block DMA writes to other parts of the system, right? Or do I miss something here?

Thanks

  • +1
    TI__Guru 70371 points

    Hello,

    Assuming DDR is the memory, you could possibly configure the corresponding FWL ID 1 (#regions = 8) like so:

    • Configure a background region for the whole address space with the following three permission settings:
      • Allow access to everyone using wildcard privid 0xC3.
      • Allow access to everyone using wildcard privid 0xC3 (redundant).
      • Block access to DMA (privid = 0).
    • Configure foreground regions for the buffers allocated for DMA with the following three permission settings:
      • Allow access to everyone using wildcard privid 0xC3.
      • Allow access to everyone using wildcard privid 0xC3 (redundant).
      • Allow access to everyone using wildcard privid 0xC3 (redundant).

    This would block access to DMA for the whole DDR address space except the buffers allocated to it.

    Regards,

    Prashant

  • 0 in reply to Prashant Shivhare
    Prodigy 50 points

    Hello,

    thank you for this, it sounds promising. Yes, DDR is the memory and I found the corresponding firewall in the TRM. But can you please point me where the privid 0 for DMA is documented?

  • 0 in reply to M K
    TI__Guru 70371 points

    Hello,

    It's not documented. The TIFS configures the DMA privid to 0.

    As an experiment, you may configure a firewall blocking access for privid 0 & initiate a transaction from DMA. This should result in a firewall exception for privid 0 confirming the DMA privid.

    Regards,

    Prashant

  • 0 in reply to Prashant Shivhare
    Prodigy 50 points

    Hello,

    okay I tested it like you proposed and it successfully blocked reception of frames. Thanks again.