From: Marco Felsch <m.felsch@pengutronix.de>
To: barebox@lists.infradead.org
Subject: [PATCH v2 0/6] i.MX6Q TZASC and OP-TEE early helpers
Date: Thu, 26 Jun 2025 16:45:21 +0200
Message-ID: <20250626144527.416697-1-m.felsch@pengutronix.de>
Hi,

the series combines the previously separately sent patches [1] and [2].

The problem
-----------
Currently all upstream boards which do have OP-TEE support:
 - TQMA6ULX [3],
 - Webasto CCBV2 [4],
 - i.MX8M* based boards [5],
configure the TZASC (TZC-380) [6] region0 to secure+non-secure R/W
access.

Region0 is the default region which covers the address space:
 - 0x0...AXI_ADDRESS_MSB
and is secure RW access only by default.

The TZASC is not memory alias aware and OP-TEE configures only the
'real' physically available memory regions at the moment.

This can lead to systems where the OP-TEE core memory _IS_ accessible
from non-secure world if the access is done via memory aliases, because
barebox configured region0 to be RW for non-secure and secure world.

All i.MX8M boards are affected by the memory alias access bug as well as
i.MX6 boards which have one common DCD to cover multiple RAM
configurations.

On i.MX6 the main reason for the RW region0 setup is to pass OP-TEE
created device-tree-overlays between OP-TEE and barebox [7,8].

On i.MX8M the main reason for now is the USB-Download mechanism [8].

The solution
------------
To solve this issue barebox shouldn't reconfigure region0 and keep it as
RW secure-only. In that case all memory alias non-secure world access is
prohibited.

To still allow passing data between OP-TEE and barebox or to allow other
masters (USB) to access the memory, barebox needs to set up an early
region1 which covers the complete physically available RAM. The memory
must be marked as non-secure to avoid manual cache maintenance:

 step-1) barebox-pbl is in secure mode
 step-2) optee is in secure mode (exchange data is mapped as non-secure, MMU
         enabled)
 step-3) barebox is in non-secure mode

Barebox still has RW access during step-1 to the non-secure world
marked memory, because the security inversion [10] isn't enabled.

This patchset
-------------
The following patches do add the base set of helpers to configure a
non-secure region1 for the TZC380.
In addition, for the i.MX6 a few more helpers are added.

[1] https://lore.kernel.org/barebox/20250626090109.cf6oatzpdu5x76wl@pengutronix.de/T/#u
[2] https://lore.kernel.org/barebox/20250619152857.3750132-1-m.felsch@pengutronix.de/T/#u
[3] https://elixir.bootlin.com/barebox/v2025.06.1/source/arch/arm/boards/tqma6ulx/lowlevel.c#L80
[4] https://elixir.bootlin.com/barebox/v2025.06.1/source/arch/arm/boards/webasto-ccbv2/lowlevel.c#L40
[5] https://elixir.bootlin.com/barebox/v2025.06.1/source/arch/arm/mach-imx/tzasc.c#L44
[6] https://developer.arm.com/documentation/ddi0431/c/introduction/about-the-tzasc
[7] https://elixir.bootlin.com/barebox/v2025.06.1/source/arch/arm/boards/tqma6ulx/board.c#L41
[8] https://elixir.bootlin.com/barebox/v2025.06.1/source/arch/arm/boards/webasto-ccbv2/board.c#L33
[9] https://elixir.bootlin.com/barebox/v2025.06.1/source/arch/arm/mach-imx/tzasc.c#L41
[10] https://developer.arm.com/documentation/ddi0431/c/functional-description/functional-operation/region-security-permissions?lang=en

Marco Felsch (6):
  ARM: i.MX6QDL: add imxcfg helper to configure the TZASC1/2
  ARM: i.MX6Q: add imx6_get_mmdc_sdram_size
  ARM: mach-imx: tzasc: add region configure helpers
  ARM: mach-imx: tzasc: add imx6q_tzc380_early_ns_region1()
  ARM: mach-imx: tzasc: add imx6q_tzc380_is_enabled
  ARM: optee-early: add mx6_start_optee_early helper

 Documentation/user/optee.rst   |  19 ++-
 arch/arm/lib32/optee-early.c   |  30 ++++
 arch/arm/mach-imx/Makefile     |   2 +-
 arch/arm/mach-imx/esdctl.c     |   5 +
 arch/arm/mach-imx/tzasc.c      | 295 +++++++++++++++++++++++++++++++++
 include/mach/imx/esdctl.h      |   1 +
 include/mach/imx/imx6q-tzasc.h |   8 +
 include/mach/imx/tzasc.h       |   2 +
 include/tee/optee.h            |   2 +
 9 files changed, 356 insertions(+), 8 deletions(-)
 create mode 100644 include/mach/imx/imx6q-tzasc.h
--
2.39.5
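
The region evaluation described in the cover letter, as an added example that is not part of the original mail or of the barebox patches: a simplified C model of TZC-380 region matching that shows why a non-secure access through an alias of OP-TEE's memory falls through to region0, and how the region0/region1 split closes it. The addresses, the region number used for OP-TEE and all identifiers are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified TZC-380 model: region 0 spans the whole address space, and
 * where enabled regions overlap the highest-numbered one decides. */
struct tzc_region {
	bool enabled;
	uint64_t base, size;	/* ignored for region 0 */
	bool ns_rw;		/* non-secure read/write permitted */
};

/* Constructed layout: 512 MiB of RAM, aliased once directly above itself. */
#define RAM_BASE  0x80000000ULL
#define RAM_SIZE  0x20000000ULL
#define TEE_BASE  0x9e000000ULL	/* hypothetical OP-TEE core memory, top 32 MiB */
#define TEE_SIZE  0x02000000ULL
#define ALIAS(a)  ((a) + RAM_SIZE)

/* Decide whether a non-secure access to addr passes the filter. */
static bool ns_access_allowed(const struct tzc_region *r, int n, uint64_t addr)
{
	for (int i = n - 1; i > 0; i--)
		if (r[i].enabled && addr >= r[i].base && addr - r[i].base < r[i].size)
			return r[i].ns_rw;
	return r[0].ns_rw;	/* no other region matched: region 0 decides */
}

/* Current setup: region0 opened to non-secure, OP-TEE guards only the real range. */
static const struct tzc_region open_region0[] = {
	{ true, 0, 0, true },
	{ false, 0, 0, false },
	{ true, TEE_BASE, TEE_SIZE, false },
};

/* Proposed setup: region0 stays secure-only, region1 opens exactly the real RAM. */
static const struct tzc_region ns_region1[] = {
	{ true, 0, 0, false },
	{ true, RAM_BASE, RAM_SIZE, true },
	{ true, TEE_BASE, TEE_SIZE, false },
};

int main(void)
{
	printf("open region0, NS access to TEE alias: %d\n",
	       ns_access_allowed(open_region0, 3, ALIAS(TEE_BASE)));
	printf("NS region1,   NS access to TEE alias: %d\n",
	       ns_access_allowed(ns_region1, 3, ALIAS(TEE_BASE)));
	return 0;
}
```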