authorManish Pandey <manish.pandey2@arm.com>2019-05-07 16:02:56 +0100
committerTushar Khandelwal <tushar.khandelwal@arm.com>2019-09-04 11:08:17 +0100
commitcef5813277019f6db7c022e13fc2f40e75138247 (patch)
tree6053abfb27f7898a1f2af409148ba6bcfad42e8b /product/corstone-700/module
parent71f63b8e44e0312aaadf7658d7f26d00d1d9dc1c (diff)
add Firewall IP support and program boot processor firewall.
Corstone-700 has two Firewall IPs, one with the boot processor and the other in the Host System; both will be programmed from the boot processor, as it is the root of trust. This patch introduces the Firewall module and also the programming of the SE Firewall translation for the Host access regions. The following four Host regions are currently accessed from the SE:
1. Boot Instruction Register
2. Shared RAM
3. Execute in Place (XIP) Flash
4. Host peripheral regions

Change-Id: Ice81cd119bddf3db9beca1cf6a12915b0e851479
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Diffstat (limited to 'product/corstone-700/module')
-rw-r--r--product/corstone-700/module/firewall/include/mod_firewall.h20
-rw-r--r--product/corstone-700/module/firewall/src/Makefile10
-rwxr-xr-xproduct/corstone-700/module/firewall/src/mod_firewall.c124
3 files changed, 154 insertions, 0 deletions
diff --git a/product/corstone-700/module/firewall/include/mod_firewall.h b/product/corstone-700/module/firewall/include/mod_firewall.h
new file mode 100644
index 0000000..a666612
--- /dev/null
+++ b/product/corstone-700/module/firewall/include/mod_firewall.h
@@ -0,0 +1,20 @@
+/*
+ *
+ * Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef MOD_SE_FIREWALL_H
+#define MOD_SE_FIREWALL_H
+
+#include <stddef.h>
+#include <stdint.h>
+#include <fwk_id.h>
+#include <firewall.h>
+
+struct firewall_config {
+ const uintptr_t se_firewall_base;
+};
+#endif /* MOD_SE_FIREWALL_H */
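Review bot: `struct firewall_config` declares `se_firewall_base`, but nothing in this commit reads it: in mod_firewall.c `firewall_init` ignores its `data` argument and `se_firewall_setup` reaches every register through the hard-coded `SE_FC1_BASE`. Either take the base address from the config or drop the struct, so the firewall's base has a single source. The field also has no comment saying which firewall it refers to; something like `/* Base address of the firewall controller programmed by this module */` would help, with the exact wording confirmed by the author. The include guard `MOD_SE_FIREWALL_H` does not match the file name mod_firewall.h, and `<stddef.h>`, `<fwk_id.h>` and `<firewall.h>` are not needed by anything declared here.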
diff --git a/product/corstone-700/module/firewall/src/Makefile b/product/corstone-700/module/firewall/src/Makefile
new file mode 100644
index 0000000..7badf24
--- /dev/null
+++ b/product/corstone-700/module/firewall/src/Makefile
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+BS_LIB_NAME := FIREWALL
+BS_LIB_SOURCES = mod_firewall.c
+
+include $(BS_DIR)/lib.mk
diff --git a/product/corstone-700/module/firewall/src/mod_firewall.c b/product/corstone-700/module/firewall/src/mod_firewall.c
new file mode 100755
index 0000000..12ed384
--- /dev/null
+++ b/product/corstone-700/module/firewall/src/mod_firewall.c
@@ -0,0 +1,124 @@
+/*
+ *
+ * Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <string.h>
+#include <assert.h>
+#include <fwk_errno.h>
+#include <fwk_id.h>
+#include <fwk_module.h>
+#include <fwk_interrupt.h>
+#include <fwk_module_idx.h>
+#include <fwk_mm.h>
+#include <mod_log.h>
+#include <se_system_mmap.h>
+#include <mod_firewall.h>
+
+/*
+ * boot processor Firewall programming.
+ * The Host Access Region is a 2GB region starting at 0x6000_0000.
+ * It allows the boot processor access to the Host System address
+ * space, all access pass through Secure enclave firewall having
+ * translation extension programmed.
+ * Four host regions are currently accessed by boot processor namely
+ * Boot Instruction Register, Shared RAM, XIP Flash and Host
+ * Peripheral regions.
+ */
+static int se_firewall_setup()
+{
+ volatile uint32_t *pe_ctrl = (uint32_t *)(SE_FC1_BASE+PE_CTRL);
+ volatile uint32_t *rwe_ctrl = (uint32_t *)(SE_FC1_BASE+RWE_CTRL);
+ volatile uint32_t *rgn_size = (uint32_t *)(SE_FC1_BASE+RGN_SIZE);
+ volatile uint32_t *rgn_cfg0 = (uint32_t *)(SE_FC1_BASE+RGN_CFG0);
+ volatile uint32_t *rgn_tcfg0 = (uint32_t *)(SE_FC1_BASE+RGN_TCFG0);
+ volatile uint32_t *rgn_tcfg2 = (uint32_t *)(SE_FC1_BASE+RGN_TCFG2);
+ volatile uint32_t *rgn_mpl0 = (uint32_t *)(SE_FC1_BASE+RGN_MPL0);
+ volatile uint32_t *rgn_ctrl1 = (uint32_t *)(SE_FC1_BASE+RGN_CTRL1);
+ volatile uint32_t *rgn_ctrl0 = (uint32_t *)(SE_FC1_BASE+RGN_CTRL0);
+
+ /*
+ * Region Programming Sequence
+ * -Select The correct region using RWE_CTRL
+ * -Program region Base address using RGN_CFG{0,1}
+ * -Program Region size using RGN_TCFG{0,1}
+ * -Enable Translation properties using RGN_TCFG2
+ * -Program the required Permission entries RGN_MPL
+ * -Enable the required master permission entries using RGN_CTRL1
+ * -Enable the region using RGN_CTRL1
+ */
+
+ /* Enable PE_CTRL */
+ *pe_ctrl = PE_ENABLE | *pe_ctrl;
+
+ /* Boot Instruction Register region: 4KB */
+ *rwe_ctrl = HOST_BIR_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_4KB;
+ *rgn_cfg0 = SE_HOST_ACCESS;
+ *rgn_tcfg0 = HOST_BIR_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ /* Shared RAM region: 32MB */
+ *rwe_ctrl = SHARED_RAM_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_32MB;
+ *rgn_cfg0 = SE_SHARED_RAM_ACCESS;
+ *rgn_tcfg0 = HOST_SHARED_RAM_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ /* Execute in place(XIP) Flash region: 128MB */
+ *rwe_ctrl = XIP_FLASH_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_128MB;
+ *rgn_cfg0 = SE_FLASH_BASE;
+ *rgn_tcfg0 = HOST_FLASH_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ /* Host peripherals region: 128MB */
+ *rwe_ctrl = HOST_PERIPHERAL_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_128MB;
+ *rgn_cfg0 = SE_HOST_PERIPHERAL_BASE;
+ *rgn_tcfg0 = HOST_PERIPHERAL_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ *rwe_ctrl = DEFAULT_REGION;
+ *rgn_ctrl0 = ENABLE;
+
+ return FWK_SUCCESS;
+}
+
+static int firewall_init(
+ fwk_id_t module_id,
+ unsigned int element_count,
+ const void *data)
+{
+ se_firewall_setup();
+ return FWK_SUCCESS;
+}
+
+const struct fwk_module module_firewall = {
+ .name = "firewall",
+ .type = FWK_MODULE_TYPE_SERVICE,
+ .init = firewall_init,
+};
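Review bot: All four regions in `se_firewall_setup` write the same `RGN_MPL0` value, which by the macro names grants any master read, write and execute at every secure/non-secure and privileged/unprivileged level, so the firewall translates addresses but appears to restrict nothing. firewall.h is not part of this diff, so that reading of `ANY_MST` and the `SPX`…`NSUR` bits is inferred from their names. If it holds, each region should carry only the rights the boot processor needs, for example `*rgn_mpl0 = ANY_MST | SPR | SPX;` for the XIP flash window if it is only read and executed (to be confirmed against how the platform uses it). The sequence comment also disagrees with the code: it names `RGN_TCFG{0,1}` for the size and `RGN_CTRL1` for the region enable, while the code writes `RGN_SIZE` and `RGN_CTRL0`. The final `DEFAULT_REGION` enable has no comment on what the default region permits, and the function should be declared `static int se_firewall_setup(void)` with its return value checked in `firewall_init`.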