Great news!
So it turns out that these are indeed undocumented registers for the memory controller for the generalized carveouts!! Also there are actually 29 of them which matches the number listed in the TRM. I dumped their default values on my machine:
NOTICE: BL31: Reading Generalized Carveout Registers
NOTICE: 0: 0x277f00000
NOTICE: 1: 0x277e00000
NOTICE: 2: 0x277d00000
NOTICE: 3: 0x277c00000
NOTICE: 4: 0x277b00000
NOTICE: 5: 0x277800000
NOTICE: 6: 0x277400000
NOTICE: 7: 0x277a00000
NOTICE: 8: 0x277300000
NOTICE: 9: 0x276800000
NOTICE: 10: 0x30000000
NOTICE: 11: 0xf0000000
NOTICE: 12: 0x30040000
NOTICE: 13: 0x30048000
NOTICE: 14: 0x30049000
NOTICE: 15: 0x3004a000
NOTICE: 16: 0x3004b000
NOTICE: 17: 0x3004c000
NOTICE: 18: 0x3004d000
NOTICE: 19: 0x3004e000
NOTICE: 20: 0x3004f000
NOTICE: 21: 0
NOTICE: 22: 0xf0100000
NOTICE: 23: 0
NOTICE: 24: 0
NOTICE: 25: 0
NOTICE: 26: 0
NOTICE: 27: 0x84400000
NOTICE: 28: 0x30000000
Which matches my CBoot dump of the carveouts from the scratch:
[0030.584] I> 0) Base:0x00000000 Size:0x00000000
[0030.588] I> 1) Base:0x277f00000 Size:0x00100000
[0030.593] I> 2) Base:0x277e00000 Size:0x00100000
[0030.597] I> 3) Base:0x277d00000 Size:0x00100000
[0030.602] I> 4) Base:0x277c00000 Size:0x00100000
[0030.606] I> 5) Base:0x277b00000 Size:0x00100000
[0030.611] I> 6) Base:0x277800000 Size:0x00200000
[0030.615] I> 7) Base:0x277400000 Size:0x00400000
[0030.620] I> 8) Base:0x277a00000 Size:0x00100000
[0030.624] I> 9) Base:0x277300000 Size:0x00100000
[0030.629] I> 10) Base:0x276800000 Size:0x00800000
[0030.633] I> 11) Base:0x30000000 Size:0x00040000
[0030.638] I> 12) Base:0xf0000000 Size:0x00100000
[0030.642] I> 13) Base:0x30040000 Size:0x00001000
[0030.647] I> 14) Base:0x30048000 Size:0x00001000
[0030.651] I> 15) Base:0x30049000 Size:0x00001000
[0030.656] I> 16) Base:0x3004a000 Size:0x00001000
[0030.660] I> 17) Base:0x3004b000 Size:0x00001000
[0030.664] I> 18) Base:0x3004c000 Size:0x00001000
[0030.669] I> 19) Base:0x3004d000 Size:0x00001000
[0030.673] I> 20) Base:0x3004e000 Size:0x00001000
[0030.678] I> 21) Base:0x3004f000 Size:0x00001000
[0030.682] I> 22) Base:0x00000000 Size:0x00000000
[0030.687] I> 23) Base:0xf0100000 Size:0x00010000
[0030.691] I> 24) Base:0x00000000 Size:0x00000000
[0030.695] I> 25) Base:0x00000000 Size:0x00000000
[0030.700] I> 26) Base:0x00000000 Size:0x00000000
[0030.704] I> 27) Base:0x00000000 Size:0x00000000
[0030.709] I> 28) Base:0x84400000 Size:0x00400000
[0030.713] I> 29) Base:0x30000000 Size:0x00010000
[0030.718] I> 30) Base:0x278000000 Size:0x08000000
[0030.722] I> 31) Base:0x00000000 Size:0x00000000
[0030.727] I> 32) Base:0x276000000 Size:0x00600000
[0030.731] I> 33) Base:0x80000000 Size:0x70000000
[0030.736] I> 34) Base:0xf0110000 Size:0x1856f0000
[0030.740] I> 35) Base:0x00000000 Size:0x00000000
[0030.744] I> 36) Base:0x00000000 Size:0x00000000
[0030.749] I> 37) Base:0x2772e0000 Size:0x00020000
[0030.753] I> 38) Base:0x84000000 Size:0x00400000
[0030.758] I> 39) Base:0x96000000 Size:0x02000000
[0030.762] I> 40) Base:0x85000000 Size:0x01200000
[0030.767] I> 41) Base:0x275800000 Size:0x00500000
[0030.771] I> 42) Base:0x00000000 Size:0x00000000
[0030.776] I> 43) Base:0x00000000 Size:0x00000000
The indexes are off by one for some reason, but that’s not a big deal. I have no idea how you program all of the last 14 carveout registers, One of them is the TZDRAM, but not sure how to configure the others. This shouldn’t be an issue in theory. There seem to be 5 unused generalized carveouts that will hopefully work.
To anyone curious I am attempting to write to these registers in the ARM-TF BL31 using tegra_mc_write_32
with the offsets defined in the cboot source’s hwinc-t18x/armc.h
.
The base address is split into two registers:
MC_SECURITY_CARVEOUTn_BOM_0
and MC_SECURITY_CARVEOUTn_BOM_HI_0
The size register is for bits 0-26 are X * 128KB, and for bits 27-31 are Y * 4096. You can infer this from reading the sizes and comparing to the Cboot list.
MC_SECURITY_CARVEOUTn_SIZE_128KB_0
Update: writing to the generalized security carveout (GSC) registers from EL3 (!?!) doesn’t seem update the values. I can think of a few reasons:
- these registers might have a locking feature preventing updates
- the CCPLEX just doesn’t have access to the GSCs outside of the TZDRAM one
- There is something going on with the ARI request section of the TRM. E.g. there is a request called UPDATE_CCPLEX_GSC, which seems highly relevant.
I will continue to investigate.
Update 2: After reading from MC_SECURITY_CARVEOUTn_CFG0
it seems that ALL of the GSCs have a lock bit set by the time the BL31 runs. I am infering that the second bit is the lock bit from these definitions found in the BL31 source (probably an artifact from something deprecated):
149 /* General Security Carveout register macros */
...
151 #define MC_GSC_LOCK_CFG_SETTINGS_BIT (U(1) << 1)
152 #define MC_GSC_ENABLE_TZ_LOCK_BIT (ULL(1) << 0)
153 #define MC_GSC_SIZE_RANGE_4KB_SHIFT U(27)
....
158 #define MC_GSC_ENABLE_CPU_SECURE_BIT (U(1) << 31)
If this is true, this is a huge shame. Nvidia maintaining control of these core security features is definitely a limitation to the TX2.
So the last hope is that its feasible to setup the BCT at compile/flash time with a custom GSC. Will continue to investigate. I reaaaaly don’t want to have to reverse engineer the MB1 to do this.