CICD Tests #442
Open
manorit2001 wants to merge 10 commits into u-boot:next from manorit2001:b4/upstream/rfc/firewalling
4631623 to 3041175
5ea2827 to 51c6bcf
manorit2001 added a commit to manorit2001/u-boot that referenced this pull request Nov 13, 2023

K3 devices have firewalls that are used to prevent illegal accesses to memory regions that are deemed secure. The series prevents the illegal accesses to ATF and OP-TEE regions that are present in different K3 devices.

AM62X, AM62AX and AM64X are currently in hold due to some firewall configurations that our System Controller (TIFS) needs to handle.

The devices that are not configured with the firewalling nodes will not be affected and can continue to work fine until the firewall nodes are added so will be a non-blocking merge.

Test Logs: https://gist.github.com/manorit2001/c929e6ccab03f55b3828896fbd04184b
CICD Run: u-boot#442

Cc: u-boot@lists.denx.de
To: Simon Glass <sjg@chromium.org>
To: Alper Nebi Yasak <alpernebiyasak@gmail.com>
To: Neha Malcom Francis <n-francis@ti.com>
To: Andrew Davis <afd@ti.com>
To: Vignesh Raghavendra <vigneshr@ti.com>
Cc: Udit Kumar <u-kumar1@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Nishanth Menon <nm@ti.com>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
Changes in v5:
* Simon
- Change and improve the error message
- Fix the test case, wasn't working properly previously
- Link to v4: https://lore.kernel.org/r/20231011-binman-firewalling-v4-0-a08085d300e9@ti.com

--- b4-submit-tracking ---
# This section is used internally by b4 prep for tracking purposes.
{ "series": { "revision": 5, "change-id": "20230724-binman-firewalling-65ecdb23ec0a", "base-branch": "upstream-next", "prefixes": [], "history": { "v1": [ "20230905-binman-firewalling-v1-0-3894520bff8a@ti.com" ], "v2": [ "20230926-binman-firewalling-v2-0-b1a084ec634d@ti.com" ], "v3": [ "20231004-binman-firewalling-v3-0-e4a102324e1f@ti.com" ], "v4": [ "20231011-binman-firewalling-v4-0-a08085d300e9@ti.com" ] } } }
51c6bcf to 22f8ef3
manorit2001 added a commit to manorit2001/u-boot that referenced this pull request Nov 13, 2023

K3 devices have firewalls that are used to prevent illegal accesses to memory regions that are deemed secure. The series prevents the illegal accesses to ATF and OP-TEE regions that are present in different K3 devices.

AM62X, AM62AX and AM64X are currently in hold due to some firewall configurations that our System Controller (TIFS) needs to handle.

The devices that are not configured with the firewalling nodes will not be affected and can continue to work fine until the firewall nodes are added so will be a non-blocking merge.

Test Logs: https://gist.github.com/manorit2001/c929e6ccab03f55b3828896fbd04184b
CICD Run: u-boot#442

Cc: u-boot@lists.denx.de
To: Simon Glass <sjg@chromium.org>
To: Alper Nebi Yasak <alpernebiyasak@gmail.com>
To: Neha Malcom Francis <n-francis@ti.com>
To: Andrew Davis <afd@ti.com>
To: Vignesh Raghavendra <vigneshr@ti.com>
Cc: Udit Kumar <u-kumar1@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Nishanth Menon <nm@ti.com>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
Changes in v5:
* Simon
- Change and improve the error message
- Fix the test case, wasn't working properly previously
- Rebase on top of master
- Link to v4: https://lore.kernel.org/r/20231011-binman-firewalling-v4-0-a08085d300e9@ti.com

--- b4-submit-tracking ---
# This section is used internally by b4 prep for tracking purposes.
{ "series": { "revision": 5, "change-id": "20230724-binman-firewalling-65ecdb23ec0a", "base-branch": "upstream-next", "prefixes": [], "history": { "v1": [ "20230905-binman-firewalling-v1-0-3894520bff8a@ti.com" ], "v2": [ "20230926-binman-firewalling-v2-0-b1a084ec634d@ti.com" ], "v3": [ "20231004-binman-firewalling-v3-0-e4a102324e1f@ti.com" ], "v4": [ "20231011-binman-firewalling-v4-0-a08085d300e9@ti.com" ] } } }
22f8ef3 to f853063
f853063 to caede74
manorit2001 added a commit to manorit2001/u-boot that referenced this pull request Dec 6, 2023

K3 devices have firewalls that are used to prevent illegal accesses to memory regions that are deemed secure. The series prevents the illegal accesses to ATF and OP-TEE regions that are present in different K3 devices.

AM62X, AM62AX and AM64X are currently in hold due to some firewall configurations that our System Controller (TIFS) needs to handle.

The devices that are not configured with the firewalling nodes will not be affected and can continue to work fine until the firewall nodes are added so will be a non-blocking merge.

Test Logs: https://gist.github.com/manorit2001/c929e6ccab03f55b3828896fbd04184b
CICD Run: u-boot#442

Cc: u-boot@lists.denx.de
To: Simon Glass <sjg@chromium.org>
To: Alper Nebi Yasak <alpernebiyasak@gmail.com>
To: Neha Malcom Francis <n-francis@ti.com>
To: Andrew Davis <afd@ti.com>
To: Vignesh Raghavendra <vigneshr@ti.com>
Cc: Udit Kumar <u-kumar1@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Nishanth Menon <nm@ti.com>
Cc: Thomas Richard <thomas.richard@bootlin.com>
Cc: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
Changes in v7:
- EDITME: describe what is new in this series revision.
- EDITME: use bulletpoints and terse descriptions.
- Link to v6: https://lore.kernel.org/r/20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com

Changes in v6:
- Rebase on -next
- Link to v5: https://lore.kernel.org/r/20231113-binman-firewalling-v5-0-b3ba6f839606@ti.com

--- b4-submit-tracking ---
# This section is used internally by b4 prep for tracking purposes.
{ "series": { "revision": 7, "change-id": "20230724-binman-firewalling-65ecdb23ec0a", "base-branch": "upstream-next", "prefixes": [], "history": { "v1": [ "20230905-binman-firewalling-v1-0-3894520bff8a@ti.com" ], "v2": [ "20230926-binman-firewalling-v2-0-b1a084ec634d@ti.com" ], "v3": [ "20231004-binman-firewalling-v3-0-e4a102324e1f@ti.com" ], "v4": [ "20231011-binman-firewalling-v4-0-a08085d300e9@ti.com" ], "v5": [ "20231113-binman-firewalling-v5-0-b3ba6f839606@ti.com" ], "v6": [ "20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com" ] } } }
K3 devices have firewalls that are used to prevent illegal accesses to memory regions that are deemed secure. The series prevents the illegal accesses to ATF and OP-TEE regions that are present in different K3 devices.

AM62X, AM62AX and AM64X are currently in hold due to some firewall configurations that our System Controller (TIFS) needs to handle.

The devices that are not configured with the firewalling nodes will not be affected and can continue to work fine until the firewall nodes are added so will be a non-blocking merge.

Test Logs: https://gist.github.com/manorit2001/c929e6ccab03f55b3828896fbd04184b
CICD Run: u-boot#442

Cc: u-boot@lists.denx.de
To: Simon Glass <sjg@chromium.org>
To: Alper Nebi Yasak <alpernebiyasak@gmail.com>
To: Neha Malcom Francis <n-francis@ti.com>
To: Andrew Davis <afd@ti.com>
To: Vignesh Raghavendra <vigneshr@ti.com>
Cc: Udit Kumar <u-kumar1@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Nishanth Menon <nm@ti.com>
Cc: Thomas Richard <thomas.richard@bootlin.com>
Cc: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
Changes in v7:
* Andrew
- Update documentation
- Incorporate templating
* Simon
- Change the prefix for -binman.dtsi files
* Jon
- Remove the unintentional dependency on python3.9+ (https://lore.kernel.org/all/CADL8D3ZWoZpMidBTy+iSs-KOB6+LRAFVcDa-n_fVqvd00Z0=nw@mail.gmail.com/)
- Add another patch to fix templating framework with firewalling.
- Change headings level for secure boot documentation
- Populate 3 priv id slots for the background firewalls that require it
- Link to v6: https://lore.kernel.org/r/20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com

--- b4-submit-tracking ---
# This section is used internally by b4 prep for tracking purposes.
{ "series": { "revision": 7, "change-id": "20230724-binman-firewalling-65ecdb23ec0a", "base-branch": "upstream-next", "prefixes": [], "history": { "v1": [ "20230905-binman-firewalling-v1-0-3894520bff8a@ti.com" ], "v2": [ "20230926-binman-firewalling-v2-0-b1a084ec634d@ti.com" ], "v3": [ "20231004-binman-firewalling-v3-0-e4a102324e1f@ti.com" ], "v4": [ "20231011-binman-firewalling-v4-0-a08085d300e9@ti.com" ], "v5": [ "20231113-binman-firewalling-v5-0-b3ba6f839606@ti.com" ], "v6": [ "20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com" ] } } }
caede74 to 774d873
manorit2001 added a commit to manorit2001/u-boot that referenced this pull request Dec 29, 2023

K3 devices have firewalls that are used to prevent illegal accesses to memory regions that are deemed secure. The series prevents the illegal accesses to ATF and OP-TEE regions that are present in different K3 devices.

AM62X, AM62AX and AM64X are currently in hold due to some firewall configurations that our System Controller (TIFS) needs to handle.

The devices that are not configured with the firewalling nodes will not be affected and can continue to work fine until the firewall nodes are added so will be a non-blocking merge.

Test Logs: https://gist.github.com/manorit2001/c929e6ccab03f55b3828896fbd04184b
CICD Run: u-boot#442

Cc: u-boot@lists.denx.de
To: Simon Glass <sjg@chromium.org>
To: Alper Nebi Yasak <alpernebiyasak@gmail.com>
To: Neha Malcom Francis <n-francis@ti.com>
To: Andrew Davis <afd@ti.com>
To: Vignesh Raghavendra <vigneshr@ti.com>
Cc: Udit Kumar <u-kumar1@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Nishanth Menon <nm@ti.com>
Cc: Thomas Richard <thomas.richard@bootlin.com>
Cc: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
Changes in v7:
- EDITME: TODO: update documentation
- Incorporate templating
- Link to v6: https://lore.kernel.org/r/20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com

--- b4-submit-tracking ---
# This section is used internally by b4 prep for tracking purposes.
{ "series": { "revision": 7, "change-id": "20230724-binman-firewalling-65ecdb23ec0a", "base-branch": "upstream-next", "prefixes": [], "history": { "v1": [ "20230905-binman-firewalling-v1-0-3894520bff8a@ti.com" ], "v2": [ "20230926-binman-firewalling-v2-0-b1a084ec634d@ti.com" ], "v3": [ "20231004-binman-firewalling-v3-0-e4a102324e1f@ti.com" ], "v4": [ "20231011-binman-firewalling-v4-0-a08085d300e9@ti.com" ], "v5": [ "20231113-binman-firewalling-v5-0-b3ba6f839606@ti.com" ], "v6": [ "20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com" ] } } }
Fix the error message to not use dst and use self as it is copying the properties to self.

While using templating if there are no subnodes defined, we end up in this situation where "dst" isn't defined and it tries to print the error message and fails.

'UnboundLocalError: local variable 'dst' referenced before assignment'

Fixes: 55e1278 ("dtoc: Allow inserting a list of nodes into another")
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

We can now firewall entities while loading them through our secure entity TIFS, the required information should be present in the certificate that is being parsed by TIFS.

The following commit adds the support to enable the certificates to be generated if the firewall configurations are present in the binman dtsi nodes.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

Add test for TI firewalling node in ti-secure.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

For readability during configuring firewalls, adding k3-security.h file and including it in k3-binman.dtsi to be accessible across K3 SoCs

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

The following commits add the configuration of firewalls required to protect ATF and OP-TEE memory region from non-secure reads and writes using master and slave firewalls present in our K3 SOCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

The following commits add the configuration of firewalls required to protect ATF and OP-TEE memory region from non-secure reads and writes using master and slave firewalls present in our K3 SOCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

The following commits add the configuration of firewalls required to protect ATF and OP-TEE memory region from non-secure reads and writes using master and slave firewalls present in our K3 SOCs.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

The previous documentation had been very crude so refactor it to make it cleaner and concise.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>

This commit adds a general flow to explain the usage of firewalls and the chain of trust in K3 devices.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
774d873 to 3a0f1de
trini added a commit to trini/u-boot that referenced this pull request Jan 4, 2024

Manorit Chawdhry <m-chawdhry@ti.com> says:

K3 devices have firewalls that are used to prevent illegal accesses to memory regions that are deemed secure. The series prevents the illegal accesses to ATF and OP-TEE regions that are present in different K3 devices.

AM62X, AM62AX and AM64X are currently in hold due to some firewall configurations that our System Controller (TIFS) needs to handle.

The devices that are not configured with the firewalling nodes will not be affected and can continue to work fine until the firewall nodes are added so will be a non-blocking merge.

Test Logs: https://gist.github.com/manorit2001/4cead2fb3a19eb5d19005b3f54682627
CICD Run: u-boot/u-boot#442
Please do not submit a Pull Request via github. Our project makes use of
mailing lists for patch submission and review. For more details please
see https://u-boot.readthedocs.io/en/latest/develop/sending_patches.html
The only exception to this is in order to trigger a CI loop on Azure prior
to posting of patches.