[PATCH v2 0/5] Firewall ATF and OP-TEE memory regions in Sitara

[PATCH v2 0/5] Firewall ATF and OP-TEE memory regions in Sitara

[Suhaas Joshi]

This series starts by replacing the hard-coded addresses in firewall templates that are defined in
k3-binman.dtsi, by Kconfigs. Using Kconfigs would make it easier for someone to move ATF and OP-TEE
to another location, since they wouldn't have to fiddle with the firewall configs in the dtsi files.

The rest of the commits in this series add firewall configs to each device's dtsi file.

To test this, I used `k3conf read|write <atf and optee addresses> <val>`. These operations were
disallowed when the patches of this series were applied, expectedly.

Changes v1 -> v2:
    * Removed some un-required empty lines in accordance with Neha's review.
    * Link to v1: https://lore.kernel.org/u-boot/20260112093643.885903-1-s-joshi@ti.com/

Suhaas Joshi (5):
  arm: dts: k3-binman: Use configs for ATF/OPTEE addresses
  arm: dts: k3-am625-binman: Configure firewall for ATF/OPTEE
  arm: dts: k3-am62p-binman: Configure firewall for ATF/OPTEE
  arm: dts: k3-am62a-binman: Configure firewall for ATF/OPTEE
  arm: dts: k3-am64x-binman: Configure firewall for ATF/OPTEE

 arch/arm/dts/k3-am625-sk-binman.dtsi | 29 +++++++++++++++++++++++++
 arch/arm/dts/k3-am62a-sk-binman.dtsi | 30 ++++++++++++++++++++++++++
 arch/arm/dts/k3-am62p-sk-binman.dtsi | 32 ++++++++++++++++++++++++++++
 arch/arm/dts/k3-am64x-binman.dtsi    | 31 +++++++++++++++++++++++++++
 arch/arm/dts/k3-binman.dtsi          |  8 +++----
 5 files changed, 126 insertions(+), 4 deletions(-)

-- 
2.34.1

[PATCH v2 1/5] arm: dts: k3-binman: Use configs for ATF/OPTEE addresses

[Suhaas Joshi]

Instead of hard-coding ATF and OPTEE addresses in firewall configuration
templates, use K3_*_LOAD_ADDR. Doing so ensures that if someone moves
ATF/OPTEE regions, the change gets picked up by binman without
explicitly having to modify dts files.

Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
 arch/arm/dts/k3-binman.dtsi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
index 761b1730464..0fd93f9536a 100644
--- a/arch/arm/dts/k3-binman.dtsi
+++ b/arch/arm/dts/k3-binman.dtsi
@@ -476,8 +476,8 @@
 		permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
 						FWPERM_SECURE_PRIV_RWCD |
 						FWPERM_SECURE_USER_RWCD)>;
-		start_address = <0x0 0x70000000>;
-		end_address = <0x0 0x7001ffff>;
+		start_address = <0x0 CONFIG_K3_ATF_LOAD_ADDR>;
+		end_address = <0x0 (CONFIG_K3_ATF_LOAD_ADDR + 0x1ffff)>;
 	};
 	firewall_armv8_optee_fg: template-8 {
 		control = <(FWCTRL_EN | FWCTRL_LOCK |
@@ -485,8 +485,8 @@
 		permissions = <((FWPRIVID_ARMV8 << FWPRIVID_SHIFT) |
 						FWPERM_SECURE_PRIV_RWCD |
 						FWPERM_SECURE_USER_RWCD)>;
-		start_address = <0x0 0x9e800000>;
-		end_address = <0x0 0x9fffffff>;
+		start_address = <0x0 CONFIG_K3_OPTEE_LOAD_ADDR>;
+		end_address = <0x0 (CONFIG_K3_OPTEE_LOAD_ADDR + 0x17fffff)>;
 	};
 
 	ti_falcon_template: template-9 {
-- 
2.34.1

[PATCH v2 2/5] arm: dts: k3-am625-binman: Configure firewall for ATF/OPTEE

[Suhaas Joshi]

Add firewall configurations to protect ATF and OP-TEE memory regions
from non-secure reads and writes in AM62x.

Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
 arch/arm/dts/k3-am625-sk-binman.dtsi | 29 ++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/arch/arm/dts/k3-am625-sk-binman.dtsi b/arch/arm/dts/k3-am625-sk-binman.dtsi
index 42edb35fa7b..8d6015e44a9 100644
--- a/arch/arm/dts/k3-am625-sk-binman.dtsi
+++ b/arch/arm/dts/k3-am625-sk-binman.dtsi
@@ -275,6 +275,35 @@
 
 		fit {
 			images {
+				atf {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-1-0 {
+							insert-template = <&firewall_bg_3>;
+							id = <1>;
+							region = <0>;
+						};
+
+						firewall-1-1 {
+							insert-template = <&firewall_armv8_atf_fg>;
+							id = <1>;
+							region = <1>;
+						};
+					};
+				};
+
+				tee {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-1-2 {
+							insert-template = <&firewall_armv8_optee_fg>;
+							id = <1>;
+							region = <2>;
+						};
+					};
+				};
 
 				tifsstub-hs {
 					description = "TIFSSTUB";
-- 
2.34.1

[PATCH v2 3/5] arm: dts: k3-am62p-binman: Configure firewall for ATF/OPTEE

[Suhaas Joshi]

Add firewall configurations to protect ATF and OP-TEE memory regions
from non-secure reads and writes in AM62P.

Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
 arch/arm/dts/k3-am62p-sk-binman.dtsi | 32 ++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/arch/arm/dts/k3-am62p-sk-binman.dtsi b/arch/arm/dts/k3-am62p-sk-binman.dtsi
index e1443d6226b..603487341d2 100644
--- a/arch/arm/dts/k3-am62p-sk-binman.dtsi
+++ b/arch/arm/dts/k3-am62p-sk-binman.dtsi
@@ -217,6 +217,38 @@
 
 		fit {
 			images {
+				atf {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-1-0 {
+							insert-template = <&firewall_bg_3>;
+							id = <1>;
+							region = <0>;
+						};
+
+						firewall-1-1 {
+							insert-template = <&firewall_armv8_atf_fg>;
+							id = <1>;
+							region = <1>;
+						};
+
+					};
+				};
+
+				tee {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-1-2 {
+							insert-template = <&firewall_armv8_optee_fg>;
+							id = <1>;
+							region = <2>;
+						};
+
+					};
+				};
+
 				tifsstub-hs {
 					description = "TIFSSTUB";
 					type = "firmware";
-- 
2.34.1

[PATCH v2 4/5] arm: dts: k3-am62a-binman: Configure firewall for ATF/OPTEE

[Suhaas Joshi]

Add firewall configurations to protect ATF and OP-TEE memory regions
from non-secure reads and writes in AM62A.

Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
 arch/arm/dts/k3-am62a-sk-binman.dtsi | 30 ++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/arch/arm/dts/k3-am62a-sk-binman.dtsi b/arch/arm/dts/k3-am62a-sk-binman.dtsi
index cb9a56b8c37..49c90f5855c 100644
--- a/arch/arm/dts/k3-am62a-sk-binman.dtsi
+++ b/arch/arm/dts/k3-am62a-sk-binman.dtsi
@@ -200,6 +200,36 @@
 
 		fit {
 			images {
+				atf {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-1-0 {
+							insert-template = <&firewall_bg_3>;
+							id = <1>;
+							region = <0>;
+						};
+
+						firewall-1-1 {
+							insert-template = <&firewall_armv8_atf_fg>;
+							id = <1>;
+							region = <1>;
+						};
+					};
+				};
+
+				tee {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-1-2 {
+							insert-template = <&firewall_armv8_optee_fg>;
+							id = <1>;
+							region = <2>;
+						};
+					};
+				};
+
 				tifsstub-hs {
 					description = "TIFSSTUB";
 					type = "firmware";
-- 
2.34.1

[PATCH v2 5/5] arm: dts: k3-am64x-binman: Configure firewall for ATF/OPTEE

[Suhaas Joshi]

Add firewall configurations to protect ATF and OP-TEE memory regions
from non-secure reads and writes in AM64x.

Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
 arch/arm/dts/k3-am64x-binman.dtsi | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/arch/arm/dts/k3-am64x-binman.dtsi b/arch/arm/dts/k3-am64x-binman.dtsi
index 32e47a3f688..f3c7f2c939d 100644
--- a/arch/arm/dts/k3-am64x-binman.dtsi
+++ b/arch/arm/dts/k3-am64x-binman.dtsi
@@ -139,6 +139,37 @@
 			#address-cells = <1>;
 
 			images {
+				atf {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-24-5 {
+							insert-template = <&firewall_armv8_atf_fg>;
+							id = <24>;
+							region = <5>;
+						};
+					};
+				};
+
+				tee {
+					ti-secure {
+						auth-in-place = <0xa02>;
+
+						firewall-1-0 {
+							insert-template = <&firewall_bg_3>;
+							id = <1>;
+							region = <0>;
+						};
+
+
+						firewall-1-1 {
+							insert-template = <&firewall_armv8_optee_fg>;
+							id = <1>;
+							region = <1>;
+						};
+					};
+				};
+
 				dm {
 					blob-ext {
 						filename = "/dev/null";
-- 
2.34.1

Re: [PATCH v2 0/5] Firewall ATF and OP-TEE memory regions in Sitara

[Francesco Dolcini]

Hello,
thanks for your patch

On Wed, Jan 21, 2026 at 11:17:07AM +0530, Suhaas Joshi wrote:
> This series starts by replacing the hard-coded addresses in firewall
> templates that are defined in k3-binman.dtsi, by Kconfigs. Using
> Kconfigs would make it easier for someone to move ATF and OP-TEE to
> another location, since they wouldn't have to fiddle with the firewall
> configs in the dtsi files.
> 
> The rest of the commits in this series add firewall configs to each
> device's dtsi file.

If I understand correctly the change, you should change also the other
k3 boards, not just the TI one.

Francesco

Re: [PATCH v2 0/5] Firewall ATF and OP-TEE memory regions in Sitara

[Bryan Brattlof]

On January 21, 2026 thus sayeth Francesco Dolcini:
> Hello,
> thanks for your patch
> 
> On Wed, Jan 21, 2026 at 11:17:07AM +0530, Suhaas Joshi wrote:
> > This series starts by replacing the hard-coded addresses in firewall
> > templates that are defined in k3-binman.dtsi, by Kconfigs. Using
> > Kconfigs would make it easier for someone to move ATF and OP-TEE to
> > another location, since they wouldn't have to fiddle with the firewall
> > configs in the dtsi files.
> > 
> > The rest of the commits in this series add firewall configs to each
> > device's dtsi file.
> 
> If I understand correctly the change, you should change also the other
> k3 boards, not just the TI one.

Yeah we should try to add this to all Sitara platforms

~Bryan