* [PATCH 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835
@ 2024-05-10 14:10 Rayhan Faizel
2024-05-10 14:10 ` [PATCH 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Rayhan Faizel @ 2024-05-10 14:10 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
All BCM2835 boards have on-board OTP memory with 66 32-bit rows. Usually,
its contents are accessible via mailbox commands.
Rayhan Faizel (3):
hw/nvram: Add BCM2835 OTP device
hw/arm: Connect OTP device to BCM2835
hw/misc: Implement mailbox properties for customer OTP and device
specific private keys
hw/arm/bcm2835_peripherals.c | 15 ++-
hw/misc/bcm2835_property.c | 71 ++++++++++
hw/nvram/bcm2835_otp.c | 187 +++++++++++++++++++++++++++
hw/nvram/meson.build | 1 +
include/hw/arm/bcm2835_peripherals.h | 3 +-
include/hw/arm/raspberrypi-fw-defs.h | 2 +
include/hw/misc/bcm2835_property.h | 2 +
include/hw/nvram/bcm2835_otp.h | 43 ++++++
8 files changed, 322 insertions(+), 2 deletions(-)
create mode 100644 hw/nvram/bcm2835_otp.c
create mode 100644 include/hw/nvram/bcm2835_otp.h
--
2.34.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/3] hw/nvram: Add BCM2835 OTP device
2024-05-10 14:10 [PATCH 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
@ 2024-05-10 14:10 ` Rayhan Faizel
2024-05-13 13:30 ` Philippe Mathieu-Daudé
2024-05-13 13:49 ` Philippe Mathieu-Daudé
2024-05-10 14:10 ` [PATCH 2/3] hw/arm: Connect OTP device to BCM2835 Rayhan Faizel
2024-05-10 14:10 ` [PATCH 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys Rayhan Faizel
2 siblings, 2 replies; 8+ messages in thread
From: Rayhan Faizel @ 2024-05-10 14:10 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
The OTP device registers are currently stubbed. For now, the device
houses the OTP rows which will be accessed directly by other peripherals.
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
---
hw/nvram/bcm2835_otp.c | 187 +++++++++++++++++++++++++++++++++
hw/nvram/meson.build | 1 +
include/hw/nvram/bcm2835_otp.h | 43 ++++++++
3 files changed, 231 insertions(+)
create mode 100644 hw/nvram/bcm2835_otp.c
create mode 100644 include/hw/nvram/bcm2835_otp.h
diff --git a/hw/nvram/bcm2835_otp.c b/hw/nvram/bcm2835_otp.c
new file mode 100644
index 0000000000..a8d01c6f1d
--- /dev/null
+++ b/hw/nvram/bcm2835_otp.c
@@ -0,0 +1,187 @@
+/*
+ * BCM2835 One-Time Programmable (OTP) Memory
+ *
+ * The OTP implementation is mostly a stub except for the OTP rows
+ * which are accessed directly by other peripherals such as the mailbox.
+ *
+ * The OTP registers are unimplemented due to lack of documentation.
+ *
+ * Copyright (c) 2024 Rayhan Faizel <rayhan.faizel@gmail.com>
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "hw/nvram/bcm2835_otp.h"
+#include "migration/vmstate.h"
+
+/* OTP rows are 1-indexed */
+uint32_t bcm2835_otp_read_row(BCM2835OTPState *s, unsigned int row)
+{
+ assert(row <= 66 && row >= 1);
+
+ return s->otp_rows[row - 1];
+}
+
+void bcm2835_otp_write_row(BCM2835OTPState *s, unsigned int row,
+ uint32_t value)
+{
+ assert(row <= 66 && row >= 1);
+
+ /* Real OTP rows work as e-fuses */
+ s->otp_rows[row - 1] |= value;
+}
+
+static uint64_t bcm2835_otp_read(void *opaque, hwaddr addr, unsigned size)
+{
+ switch (addr) {
+ case BCM2835_OTP_BOOTMODE_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BOOTMODE_REG\n");
+ break;
+ case BCM2835_OTP_CONFIG_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CONFIG_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_LO_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_LO_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_HI_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_HI_REG\n");
+ break;
+ case BCM2835_OTP_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_STATUS_REG\n");
+ break;
+ case BCM2835_OTP_BITSEL_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BITSEL_REG\n");
+ break;
+ case BCM2835_OTP_DATA_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_DATA_REG\n");
+ break;
+ case BCM2835_OTP_ADDR_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_ADDR_REG\n");
+ break;
+ case BCM2835_OTP_WRITE_DATA_READ_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_WRITE_DATA_READ_REG\n");
+ break;
+ case BCM2835_OTP_INIT_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_INIT_STATUS_REG\n");
+ break;
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, addr);
+ }
+
+ return 0;
+}
+
+static void bcm2835_otp_write(void *opaque, hwaddr addr,
+ uint64_t value, unsigned int size)
+{
+ switch (addr) {
+ case BCM2835_OTP_BOOTMODE_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BOOTMODE_REG\n");
+ break;
+ case BCM2835_OTP_CONFIG_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CONFIG_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_LO_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_LO_REG\n");
+ break;
+ case BCM2835_OTP_CTRL_HI_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_CTRL_HI_REG\n");
+ break;
+ case BCM2835_OTP_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_STATUS_REG\n");
+ break;
+ case BCM2835_OTP_BITSEL_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_BITSEL_REG\n");
+ break;
+ case BCM2835_OTP_DATA_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_DATA_REG\n");
+ break;
+ case BCM2835_OTP_ADDR_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_ADDR_REG\n");
+ break;
+ case BCM2835_OTP_WRITE_DATA_READ_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_WRITE_DATA_READ_REG\n");
+ break;
+ case BCM2835_OTP_INIT_STATUS_REG:
+ qemu_log_mask(LOG_UNIMP,
+ "bcm2835_otp: BCM2835_OTP_INIT_STATUS_REG\n");
+ break;
+ default:
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, addr);
+ }
+}
+
+static const MemoryRegionOps bcm2835_otp_ops = {
+ .read = bcm2835_otp_read,
+ .write = bcm2835_otp_write,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+ },
+};
+
+static void bcm2835_otp_realize(DeviceState *dev, Error **errp)
+{
+ BCM2835OTPState *s = BCM2835_OTP(dev);
+ memory_region_init_io(&s->iomem, OBJECT(dev), &bcm2835_otp_ops, s,
+ TYPE_BCM2835_OTP, 0x28);
+ sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
+
+ memset(s->otp_rows, 0x00, sizeof(s->otp_rows));
+}
+
+static const VMStateDescription vmstate_bcm2835_otp = {
+ .name = TYPE_BCM2835_OTP,
+ .version_id = 1,
+ .minimum_version_id = 1,
+ .fields = (const VMStateField[]) {
+ VMSTATE_UINT32_ARRAY(otp_rows, BCM2835OTPState, 66),
+ VMSTATE_END_OF_LIST()
+ }
+};
+
+static void bcm2835_otp_class_init(ObjectClass *klass, void *data)
+{
+ DeviceClass *dc = DEVICE_CLASS(klass);
+
+ dc->realize = bcm2835_otp_realize;
+ dc->vmsd = &vmstate_bcm2835_otp;
+}
+
+static const TypeInfo bcm2835_otp_info = {
+ .name = TYPE_BCM2835_OTP,
+ .parent = TYPE_SYS_BUS_DEVICE,
+ .instance_size = sizeof(BCM2835OTPState),
+ .class_init = bcm2835_otp_class_init,
+};
+
+static void bcm2835_otp_register_types(void)
+{
+ type_register_static(&bcm2835_otp_info);
+}
+
+type_init(bcm2835_otp_register_types)
diff --git a/hw/nvram/meson.build b/hw/nvram/meson.build
index 4996c72456..10f3639db6 100644
--- a/hw/nvram/meson.build
+++ b/hw/nvram/meson.build
@@ -1,5 +1,6 @@
system_ss.add(files('fw_cfg-interface.c'))
system_ss.add(files('fw_cfg.c'))
+system_ss.add(when: 'CONFIG_RASPI', if_true: files('bcm2835_otp.c'))
system_ss.add(when: 'CONFIG_CHRP_NVRAM', if_true: files('chrp_nvram.c'))
system_ss.add(when: 'CONFIG_DS1225Y', if_true: files('ds1225y.c'))
system_ss.add(when: 'CONFIG_NMC93XX_EEPROM', if_true: files('eeprom93xx.c'))
diff --git a/include/hw/nvram/bcm2835_otp.h b/include/hw/nvram/bcm2835_otp.h
new file mode 100644
index 0000000000..ef02d3055c
--- /dev/null
+++ b/include/hw/nvram/bcm2835_otp.h
@@ -0,0 +1,43 @@
+/*
+ * BCM2835 One-Time Programmable (OTP) Memory
+ *
+ * Copyright (c) 2024 Rayhan Faizel <rayhan.faizel@gmail.com>
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef BCM2835_OTP_H
+#define BCM2835_OTP_H
+
+#include "hw/sysbus.h"
+#include "qom/object.h"
+
+#define TYPE_BCM2835_OTP "bcm2835-otp"
+OBJECT_DECLARE_SIMPLE_TYPE(BCM2835OTPState, BCM2835_OTP)
+
+/* https://elinux.org/BCM2835_registers#OTP */
+#define BCM2835_OTP_BOOTMODE_REG 0x00
+#define BCM2835_OTP_CONFIG_REG 0x04
+#define BCM2835_OTP_CTRL_LO_REG 0x08
+#define BCM2835_OTP_CTRL_HI_REG 0x0c
+#define BCM2835_OTP_STATUS_REG 0x10
+#define BCM2835_OTP_BITSEL_REG 0x14
+#define BCM2835_OTP_DATA_REG 0x18
+#define BCM2835_OTP_ADDR_REG 0x1c
+#define BCM2835_OTP_WRITE_DATA_READ_REG 0x20
+#define BCM2835_OTP_INIT_STATUS_REG 0x24
+
+struct BCM2835OTPState {
+ /* <private> */
+ SysBusDevice parent_obj;
+
+ /* <public> */
+ MemoryRegion iomem;
+ uint32_t otp_rows[66];
+};
+
+
+uint32_t bcm2835_otp_read_row(BCM2835OTPState *s, unsigned int row);
+void bcm2835_otp_write_row(BCM2835OTPState *s, unsigned row, uint32_t value);
+
+#endif
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/3] hw/arm: Connect OTP device to BCM2835
2024-05-10 14:10 [PATCH 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
2024-05-10 14:10 ` [PATCH 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
@ 2024-05-10 14:10 ` Rayhan Faizel
2024-05-13 13:41 ` Philippe Mathieu-Daudé
2024-05-10 14:10 ` [PATCH 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys Rayhan Faizel
2 siblings, 1 reply; 8+ messages in thread
From: Rayhan Faizel @ 2024-05-10 14:10 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
---
hw/arm/bcm2835_peripherals.c | 13 ++++++++++++-
include/hw/arm/bcm2835_peripherals.h | 3 ++-
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 1695d8b453..7d735bb56c 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -116,6 +116,10 @@ static void raspi_peripherals_base_init(Object *obj)
object_property_add_const_link(OBJECT(&s->fb), "dma-mr",
OBJECT(&s->gpu_bus_mr));
+ /* OTP */
+ object_initialize_child(obj, "bcm2835-otp", &s->otp,
+ TYPE_BCM2835_OTP);
+
/* Property channel */
object_initialize_child(obj, "property", &s->property,
TYPE_BCM2835_PROPERTY);
@@ -374,6 +378,14 @@ void bcm_soc_peripherals_common_realize(DeviceState *dev, Error **errp)
sysbus_connect_irq(SYS_BUS_DEVICE(&s->fb), 0,
qdev_get_gpio_in(DEVICE(&s->mboxes), MBOX_CHAN_FB));
+ /* OTP */
+ if (!sysbus_realize(SYS_BUS_DEVICE(&s->otp), errp)) {
+ return;
+ }
+
+ memory_region_add_subregion(&s->peri_mr, OTP_OFFSET,
+ sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->otp), 0));
+
/* Property channel */
if (!sysbus_realize(SYS_BUS_DEVICE(&s->property), errp)) {
return;
@@ -500,7 +512,6 @@ void bcm_soc_peripherals_common_realize(DeviceState *dev, Error **errp)
create_unimp(s, &s->i2s, "bcm2835-i2s", I2S_OFFSET, 0x100);
create_unimp(s, &s->smi, "bcm2835-smi", SMI_OFFSET, 0x100);
create_unimp(s, &s->bscsl, "bcm2835-spis", BSC_SL_OFFSET, 0x100);
- create_unimp(s, &s->otp, "bcm2835-otp", OTP_OFFSET, 0x80);
create_unimp(s, &s->dbus, "bcm2835-dbus", DBUS_OFFSET, 0x8000);
create_unimp(s, &s->ave0, "bcm2835-ave0", AVE0_OFFSET, 0x8000);
create_unimp(s, &s->v3d, "bcm2835-v3d", V3D_OFFSET, 0x1000);
diff --git a/include/hw/arm/bcm2835_peripherals.h b/include/hw/arm/bcm2835_peripherals.h
index 636203baa5..1eeaeec9e0 100644
--- a/include/hw/arm/bcm2835_peripherals.h
+++ b/include/hw/arm/bcm2835_peripherals.h
@@ -33,6 +33,7 @@
#include "hw/usb/hcd-dwc2.h"
#include "hw/ssi/bcm2835_spi.h"
#include "hw/i2c/bcm2835_i2c.h"
+#include "hw/nvram/bcm2835_otp.h"
#include "hw/misc/unimp.h"
#include "qom/object.h"
@@ -71,7 +72,7 @@ struct BCMSocPeripheralBaseState {
BCM2835SPIState spi[1];
BCM2835I2CState i2c[3];
OrIRQState orgated_i2c_irq;
- UnimplementedDeviceState otp;
+ BCM2835OTPState otp;
UnimplementedDeviceState dbus;
UnimplementedDeviceState ave0;
UnimplementedDeviceState v3d;
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys
2024-05-10 14:10 [PATCH 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
2024-05-10 14:10 ` [PATCH 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
2024-05-10 14:10 ` [PATCH 2/3] hw/arm: Connect OTP device to BCM2835 Rayhan Faizel
@ 2024-05-10 14:10 ` Rayhan Faizel
2024-05-13 13:51 ` Philippe Mathieu-Daudé
2 siblings, 1 reply; 8+ messages in thread
From: Rayhan Faizel @ 2024-05-10 14:10 UTC (permalink / raw)
To: qemu-devel; +Cc: philmd, peter.maydell, qemu-arm, Rayhan Faizel
Four mailbox properties are implemented as follows:
1. Customer OTP: GET_CUSTOMER_OTP and SET_CUSTOMER_OTP
2. Device-specific private key: GET_PRIVATE_KEY and
SET_PRIVATE_KEY.
The customer OTP is located in the rows 36-43. The device-specific private key
is located in the rows 56-63.
The customer OTP can be locked with the magic numbers 0xffffffff 0xaffe0000
when running the SET_CUSTOMER_OTP mailbox command.
P.S I am not sure if the magic lock combo applies to the private key as well.
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
---
hw/arm/bcm2835_peripherals.c | 2 +
hw/misc/bcm2835_property.c | 71 ++++++++++++++++++++++++++++
include/hw/arm/raspberrypi-fw-defs.h | 2 +
include/hw/misc/bcm2835_property.h | 2 +
4 files changed, 77 insertions(+)
diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 7d735bb56c..ac153a96b9 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -132,6 +132,8 @@ static void raspi_peripherals_base_init(Object *obj)
OBJECT(&s->fb));
object_property_add_const_link(OBJECT(&s->property), "dma-mr",
OBJECT(&s->gpu_bus_mr));
+ object_property_add_const_link(OBJECT(&s->property), "otp",
+ OBJECT(&s->otp));
/* Extended Mass Media Controller */
object_initialize_child(obj, "sdhci", &s->sdhci, TYPE_SYSBUS_SDHCI);
diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
index bdd9a6bbce..bbd9c40af2 100644
--- a/hw/misc/bcm2835_property.c
+++ b/hw/misc/bcm2835_property.c
@@ -32,6 +32,7 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
uint32_t tmp;
int n;
uint32_t offset, length, color;
+ uint32_t start_num, number, otp_row;
/*
* Copy the current state of the framebuffer config; we will update
@@ -322,6 +323,73 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
0);
resplen = VCHI_BUSADDR_SIZE;
break;
+
+ /* Customer OTP */
+
+ case RPI_FWREQ_GET_CUSTOMER_OTP:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 8 + 4 * number;
+
+ for (n = start_num; n < start_num + number && n < 8; n++) {
+ stl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2),
+ bcm2835_otp_read_row(s->otp, 36 + n));
+ }
+ break;
+ case RPI_FWREQ_SET_CUSTOMER_OTP:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 4;
+
+ /* Magic numbers to permanently lock customer OTP */
+ if (start_num == 0xffffffff &&
+ number == 0xaffe0000) {
+ /* Row 30 Bit 30 indicates disabled OTP programming */
+ bcm2835_otp_write_row(s->otp, 30, 1 << 30);
+ break;
+ }
+
+ /* If customer OTP is locked, don't allow further writes */
+ if (bcm2835_otp_read_row(s->otp, 30) & (1 << 30)) {
+ break;
+ }
+
+ for (n = start_num; n < start_num + number && n < 8; n++) {
+ otp_row = ldl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2));
+ bcm2835_otp_write_row(s->otp, 36 + n, otp_row);
+ }
+ break;
+
+ /* Device-specific private key */
+
+ case RPI_FWREQ_GET_PRIVATE_KEY:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 8 + 4 * number;
+
+ for (n = start_num; n < start_num + number && n < 8; n++) {
+ stl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2),
+ bcm2835_otp_read_row(s->otp, 56 + n));
+ }
+ break;
+ case RPI_FWREQ_SET_PRIVATE_KEY:
+ start_num = ldl_le_phys(&s->dma_as, value + 12);
+ number = ldl_le_phys(&s->dma_as, value + 16);
+
+ resplen = 4;
+
+ for (n = start_num; n < start_num + number && n < 8; n++) {
+ otp_row = ldl_le_phys(&s->dma_as,
+ value + 20 + ((n - start_num) << 2));
+ bcm2835_otp_write_row(s->otp, 56 + n, otp_row);
+ }
+ break;
default:
qemu_log_mask(LOG_UNIMP,
"bcm2835_property: unhandled tag 0x%08x\n", tag);
@@ -449,6 +517,9 @@ static void bcm2835_property_realize(DeviceState *dev, Error **errp)
s->dma_mr = MEMORY_REGION(obj);
address_space_init(&s->dma_as, s->dma_mr, TYPE_BCM2835_PROPERTY "-memory");
+ obj = object_property_get_link(OBJECT(dev), "otp", &error_abort);
+ s->otp = BCM2835_OTP(obj);
+
/* TODO: connect to MAC address of USB NIC device, once we emulate it */
qemu_macaddr_default_if_unset(&s->macaddr);
diff --git a/include/hw/arm/raspberrypi-fw-defs.h b/include/hw/arm/raspberrypi-fw-defs.h
index 8b404e0533..60b8e5b451 100644
--- a/include/hw/arm/raspberrypi-fw-defs.h
+++ b/include/hw/arm/raspberrypi-fw-defs.h
@@ -56,6 +56,7 @@ enum rpi_firmware_property_tag {
RPI_FWREQ_GET_THROTTLED = 0x00030046,
RPI_FWREQ_GET_CLOCK_MEASURED = 0x00030047,
RPI_FWREQ_NOTIFY_REBOOT = 0x00030048,
+ RPI_FWREQ_GET_PRIVATE_KEY = 0x00030081,
RPI_FWREQ_SET_CLOCK_STATE = 0x00038001,
RPI_FWREQ_SET_CLOCK_RATE = 0x00038002,
RPI_FWREQ_SET_VOLTAGE = 0x00038003,
@@ -73,6 +74,7 @@ enum rpi_firmware_property_tag {
RPI_FWREQ_SET_PERIPH_REG = 0x00038045,
RPI_FWREQ_GET_POE_HAT_VAL = 0x00030049,
RPI_FWREQ_SET_POE_HAT_VAL = 0x00038049,
+ RPI_FWREQ_SET_PRIVATE_KEY = 0x00038081,
RPI_FWREQ_SET_POE_HAT_VAL_OLD = 0x00030050,
RPI_FWREQ_NOTIFY_XHCI_RESET = 0x00030058,
RPI_FWREQ_GET_REBOOT_FLAGS = 0x00030064,
diff --git a/include/hw/misc/bcm2835_property.h b/include/hw/misc/bcm2835_property.h
index ba8896610c..2f93fd0c75 100644
--- a/include/hw/misc/bcm2835_property.h
+++ b/include/hw/misc/bcm2835_property.h
@@ -11,6 +11,7 @@
#include "hw/sysbus.h"
#include "net/net.h"
#include "hw/display/bcm2835_fb.h"
+#include "hw/nvram/bcm2835_otp.h"
#include "qom/object.h"
#define TYPE_BCM2835_PROPERTY "bcm2835-property"
@@ -26,6 +27,7 @@ struct BCM2835PropertyState {
MemoryRegion iomem;
qemu_irq mbox_irq;
BCM2835FBState *fbdev;
+ BCM2835OTPState *otp;
MACAddr macaddr;
uint32_t board_rev;
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 1/3] hw/nvram: Add BCM2835 OTP device
2024-05-10 14:10 ` [PATCH 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
@ 2024-05-13 13:30 ` Philippe Mathieu-Daudé
2024-05-13 13:49 ` Philippe Mathieu-Daudé
1 sibling, 0 replies; 8+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-05-13 13:30 UTC (permalink / raw)
To: Rayhan Faizel, qemu-devel; +Cc: peter.maydell, qemu-arm
Hi Rayhan,
On 10/5/24 16:10, Rayhan Faizel wrote:
> The OTP device registers are currently stubbed. For now, the device
> houses the OTP rows which will be accessed directly by other peripherals.
>
> Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
> ---
> hw/nvram/bcm2835_otp.c | 187 +++++++++++++++++++++++++++++++++
> hw/nvram/meson.build | 1 +
> include/hw/nvram/bcm2835_otp.h | 43 ++++++++
> 3 files changed, 231 insertions(+)
> create mode 100644 hw/nvram/bcm2835_otp.c
> create mode 100644 include/hw/nvram/bcm2835_otp.h
> +static void bcm2835_otp_write(void *opaque, hwaddr addr,
> + uint64_t value, unsigned int size)
> +{
> + switch (addr) {
> + case BCM2835_OTP_BOOTMODE_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_BOOTMODE_REG\n");
> + break;
> + case BCM2835_OTP_CONFIG_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_CONFIG_REG\n");
> + break;
> + case BCM2835_OTP_CTRL_LO_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_CTRL_LO_REG\n");
> + break;
> + case BCM2835_OTP_CTRL_HI_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_CTRL_HI_REG\n");
> + break;
> + case BCM2835_OTP_STATUS_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_STATUS_REG\n");
> + break;
> + case BCM2835_OTP_BITSEL_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_BITSEL_REG\n");
> + break;
> + case BCM2835_OTP_DATA_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_DATA_REG\n");
> + break;
> + case BCM2835_OTP_ADDR_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_ADDR_REG\n");
> + break;
> + case BCM2835_OTP_WRITE_DATA_READ_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_WRITE_DATA_READ_REG\n");
> + break;
> + case BCM2835_OTP_INIT_STATUS_REG:
> + qemu_log_mask(LOG_UNIMP,
> + "bcm2835_otp: BCM2835_OTP_INIT_STATUS_REG\n");
> + break;
> + default:
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, addr);
> + }
> +}
> +
> +static const MemoryRegionOps bcm2835_otp_ops = {
> + .read = bcm2835_otp_read,
> + .write = bcm2835_otp_write,
> + .endianness = DEVICE_NATIVE_ENDIAN,
> + .valid = {
s/valid/impl/ here, this is your implementation. It isn't illegal to
access these registers with a non 32-bit size.
> + .min_access_size = 4,
> + .max_access_size = 4,
> + },
> +};
> +/* https://elinux.org/BCM2835_registers#OTP */
> +#define BCM2835_OTP_BOOTMODE_REG 0x00
> +#define BCM2835_OTP_CONFIG_REG 0x04
> +#define BCM2835_OTP_CTRL_LO_REG 0x08
> +#define BCM2835_OTP_CTRL_HI_REG 0x0c
> +#define BCM2835_OTP_STATUS_REG 0x10
> +#define BCM2835_OTP_BITSEL_REG 0x14
> +#define BCM2835_OTP_DATA_REG 0x18
> +#define BCM2835_OTP_ADDR_REG 0x1c
> +#define BCM2835_OTP_WRITE_DATA_READ_REG 0x20
> +#define BCM2835_OTP_INIT_STATUS_REG 0x24
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] hw/arm: Connect OTP device to BCM2835
2024-05-10 14:10 ` [PATCH 2/3] hw/arm: Connect OTP device to BCM2835 Rayhan Faizel
@ 2024-05-13 13:41 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 8+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-05-13 13:41 UTC (permalink / raw)
To: Rayhan Faizel, qemu-devel; +Cc: peter.maydell, qemu-arm
Hi Rayhan,
On 10/5/24 16:10, Rayhan Faizel wrote:
> Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
> ---
> hw/arm/bcm2835_peripherals.c | 13 ++++++++++++-
> include/hw/arm/bcm2835_peripherals.h | 3 ++-
> 2 files changed, 14 insertions(+), 2 deletions(-)
> @@ -500,7 +512,6 @@ void bcm_soc_peripherals_common_realize(DeviceState *dev, Error **errp)
> create_unimp(s, &s->i2s, "bcm2835-i2s", I2S_OFFSET, 0x100);
> create_unimp(s, &s->smi, "bcm2835-smi", SMI_OFFSET, 0x100);
> create_unimp(s, &s->bscsl, "bcm2835-spis", BSC_SL_OFFSET, 0x100);
> - create_unimp(s, &s->otp, "bcm2835-otp", OTP_OFFSET, 0x80);
Maybe worth noting in the description, before we were covering a range
of 0x80 and now 0x28, so a range of 0x58 I/O ends in RAM. Maybe better
keep a region of 0x80 in the previous patch?
Flatview diff:
(qemu) info mtree -f
FlatView #0
AS "memory", root: system
Root memory region: system
0000000000000000-000000003f002fff (prio 0, ram): ram
...
- 000000003f20f000-000000003f20f07f (prio -1000, i/o): bcm2835-otp
- 000000003f20f080-000000003f211fff (prio 0, ram): ram @000000003f20f080
+ 000000003f20f000-000000003f20f027 (prio 0, i/o): bcm2835-otp
+ 000000003f20f028-000000003f211fff (prio 0, ram): ram @000000003f20f028
FlatView #3
Root memory region: bcm2835-gpu
0000000000000000-000000003fffffff (prio 0, ram): ram
0000000040000000-000000007e002fff (prio 0, ram): ram
...
- 000000007e20f000-000000007e20f07f (prio -1000, i/o): bcm2835-otp
- 000000007e20f080-000000007e211fff (prio 0, ram): ram @000000003e20f080
+ 000000007e20f000-000000007e20f027 (prio 0, i/o): bcm2835-otp
+ 000000007e20f028-000000007e211fff (prio 0, ram): ram @000000003e20f028
> create_unimp(s, &s->dbus, "bcm2835-dbus", DBUS_OFFSET, 0x8000);
> create_unimp(s, &s->ave0, "bcm2835-ave0", AVE0_OFFSET, 0x8000);
> create_unimp(s, &s->v3d, "bcm2835-v3d", V3D_OFFSET, 0x1000);
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/3] hw/nvram: Add BCM2835 OTP device
2024-05-10 14:10 ` [PATCH 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
2024-05-13 13:30 ` Philippe Mathieu-Daudé
@ 2024-05-13 13:49 ` Philippe Mathieu-Daudé
1 sibling, 0 replies; 8+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-05-13 13:49 UTC (permalink / raw)
To: Rayhan Faizel, qemu-devel; +Cc: peter.maydell, qemu-arm
On 10/5/24 16:10, Rayhan Faizel wrote:
> The OTP device registers are currently stubbed. For now, the device
> houses the OTP rows which will be accessed directly by other peripherals.
>
> Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
> ---
> hw/nvram/bcm2835_otp.c | 187 +++++++++++++++++++++++++++++++++
> hw/nvram/meson.build | 1 +
> include/hw/nvram/bcm2835_otp.h | 43 ++++++++
> 3 files changed, 231 insertions(+)
> create mode 100644 hw/nvram/bcm2835_otp.c
> create mode 100644 include/hw/nvram/bcm2835_otp.h
> +/* OTP rows are 1-indexed */
> +uint32_t bcm2835_otp_read_row(BCM2835OTPState *s, unsigned int row)
> +{
> + assert(row <= 66 && row >= 1);
> +
> + return s->otp_rows[row - 1];
> +}
> +
> +void bcm2835_otp_write_row(BCM2835OTPState *s, unsigned int row,
> + uint32_t value)
> +{
> + assert(row <= 66 && row >= 1);
> +
> + /* Real OTP rows work as e-fuses */
> + s->otp_rows[row - 1] |= value;
Maybe name get/set instead of read/write?
> +}
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys
2024-05-10 14:10 ` [PATCH 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys Rayhan Faizel
@ 2024-05-13 13:51 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 8+ messages in thread
From: Philippe Mathieu-Daudé @ 2024-05-13 13:51 UTC (permalink / raw)
To: Rayhan Faizel, qemu-devel; +Cc: peter.maydell, qemu-arm
On 10/5/24 16:10, Rayhan Faizel wrote:
> Four mailbox properties are implemented as follows:
> 1. Customer OTP: GET_CUSTOMER_OTP and SET_CUSTOMER_OTP
> 2. Device-specific private key: GET_PRIVATE_KEY and
> SET_PRIVATE_KEY.
>
> The customer OTP is located in the rows 36-43. The device-specific private key
> is located in the rows 56-63.
Better to define these instead of using magic values in the code,
i.e.:
#define OTP_PRIVATE_KEY_OFFSET 56
#define OTP_PRIVATE_KEY_LENGTH 8
> The customer OTP can be locked with the magic numbers 0xffffffff 0xaffe0000
> when running the SET_CUSTOMER_OTP mailbox command.
>
> P.S I am not sure if the magic lock combo applies to the private key as well.
>
> Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
> ---
> hw/arm/bcm2835_peripherals.c | 2 +
> hw/misc/bcm2835_property.c | 71 ++++++++++++++++++++++++++++
> include/hw/arm/raspberrypi-fw-defs.h | 2 +
> include/hw/misc/bcm2835_property.h | 2 +
> 4 files changed, 77 insertions(+)
> + /* Device-specific private key */
> +
> + case RPI_FWREQ_GET_PRIVATE_KEY:
> + start_num = ldl_le_phys(&s->dma_as, value + 12);
> + number = ldl_le_phys(&s->dma_as, value + 16);
> +
> + resplen = 8 + 4 * number;
> +
> + for (n = start_num; n < start_num + number && n < 8; n++) {
> + stl_le_phys(&s->dma_as,
> + value + 20 + ((n - start_num) << 2),
> + bcm2835_otp_read_row(s->otp, 56 + n));
> + }
> + break;
> + case RPI_FWREQ_SET_PRIVATE_KEY:
> + start_num = ldl_le_phys(&s->dma_as, value + 12);
> + number = ldl_le_phys(&s->dma_as, value + 16);
> +
> + resplen = 4;
> +
> + for (n = start_num; n < start_num + number && n < 8; n++) {
> + otp_row = ldl_le_phys(&s->dma_as,
> + value + 20 + ((n - start_num) << 2));
> + bcm2835_otp_write_row(s->otp, 56 + n, otp_row);
> + }
> + break;
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2024-05-13 13:52 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-10 14:10 [PATCH 0/3] Initial support for One-Time Programmable Memory (OTP) in BCM2835 Rayhan Faizel
2024-05-10 14:10 ` [PATCH 1/3] hw/nvram: Add BCM2835 OTP device Rayhan Faizel
2024-05-13 13:30 ` Philippe Mathieu-Daudé
2024-05-13 13:49 ` Philippe Mathieu-Daudé
2024-05-10 14:10 ` [PATCH 2/3] hw/arm: Connect OTP device to BCM2835 Rayhan Faizel
2024-05-13 13:41 ` Philippe Mathieu-Daudé
2024-05-10 14:10 ` [PATCH 3/3] hw/misc: Implement mailbox properties for customer OTP and device specific private keys Rayhan Faizel
2024-05-13 13:51 ` Philippe Mathieu-Daudé
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).