Security Configuration

MB1 and MB2 program most of the SCRs and firewalls in T264. The list of SCRs and firewalls, their order, and their addresses are predetermined. The values are taken from the SCR configuration file.

Each entry in this configuration file is in the following form:

/ {
    scr {
        reg@<index> {
            <parameter> = <value>;
        };
    };
};

  • <index> is the index of the SCR or firewall in the predefined list.

  • <parameter> can be as follows:

    • exclusion-info: An 8-bit field with the following bit definitions:

      • Bit 0: Skip programming during SC7 exit (SC7_SKIP).

        • 0: Program in both coldboot and SC7 exit.

        • 1: Program in coldboot, but skip in SC7 exit.

      • Bit 1: Production mode requirement (PRODUCTION_ONLY).

        • 0: Program in both production and non-production modes.

        • 1: Program only in production mode.

      • Bit 2: Programming stage control (SET_IN_MB2).

        • 0: Program before or after MB2.

        • 1: Program within MB2.

      • Bit 3: CPU access control (CPU_BOOT_ONLY).

        • 0: Normal firewall programming.

        • 1: Program with CPU access initially; lock later in boot process.

      • Bits 6:4: Functional Safety IP region (FS_IP_REGION).

        • 000: Non-FS (general firewalls).

        • 001: FSI (Functional Safety Island).

        • 010: PVA (Programmable Vision Accelerator).

        • 011: APE (Audio Processing Engine).

        • 100: Display (DCE - Display and Composition Engine).

        • 101–111: Reserved.

      • Bit 7: Reserved.

  • <value> is a 32-bit value for the SCR register.

Note

The SCR values are programmed in increasing order of index, not in the order in which they appear in the configuration file. SCRs and firewalls that are not specified in the configuration file are locked without restricting access to the protected registers.

The SCR configuration files are in the Linux_for_Tegra/bootloader/generic/BCT directory.

Here is an example of the format of the SCR config file:

/dts-v1/;

#include "tegra264-firewall-config-base.dtsi"

/ {
    tfc {
    };

    tfc1 {
        reg@14357 { /* FSI_FABRIC, FSI_CONTROL_FIREWALL_FSI_CAN0_BLF, READ_CTL_0 */
            exclusion-info = <20>;
            value = <0x80000002>;
        };

        reg@14359 { /* FSI_FABRIC, FSI_CONTROL_FIREWALL_FSI_CAN0_BLF, WRITE_CTL_0 */
            exclusion-info = <20>;
            value = <0x80000002>;
        };

        reg@14361 { /* FSI_FABRIC, FSI_CONTROL_FIREWALL_FSI_CAN0_BLF, CTL_SETTING */
            exclusion-info = <20>;
            value = <0x80030002>;
        };

        reg@14362 { /* FSI_FABRIC, FSI_CONTROL_FIREWALL_FSI_CAN1_BLF, READ_CTL_0 */
            exclusion-info = <20>;
            value = <0x80000002>;
        };
        .
        .
        .
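
The following Python sketch is an added example, not NVIDIA tooling or code from this page: it decodes exclusion-info with the bit layout listed above, flags reserved encodings, and returns entries in increasing index order, which is the order the Note says they are programmed in. The function names and the reg@99999 entry are constructed for illustration; the other two entries are taken from the example above.

```python
import re

# Bit layout of exclusion-info as listed on this page.
FLAGS = {0: "SC7_SKIP", 1: "PRODUCTION_ONLY", 2: "SET_IN_MB2", 3: "CPU_BOOT_ONLY"}
FS_IP_REGION = {0: "Non-FS", 1: "FSI", 2: "PVA", 3: "APE", 4: "Display"}
# Matches one reg@<index> node, whatever its parent node is called.
ENTRY = re.compile(
    r"reg@(\d+)\s*\{[^}]*?exclusion-info\s*=\s*<([^>]+)>;"
    r"[^}]*?value\s*=\s*<([^>]+)>;",
    re.S)

def decode_exclusion_info(raw):
    """Split the 8-bit field into flag names, FS region and a problem list."""
    problems = []
    if not 0 <= raw <= 0xFF:
        problems.append("exclusion-info does not fit in 8 bits")
    flags = [name for bit, name in FLAGS.items() if (raw >> bit) & 1]
    region_code = (raw >> 4) & 0b111
    region = FS_IP_REGION.get(region_code)
    if region is None:
        problems.append(f"FS_IP_REGION {region_code:03b} is reserved")
    if raw & 0x80:
        problems.append("reserved bit 7 is set")
    return flags, region, problems

def audit(dts_text):
    """Return decoded entries sorted by index, i.e. in programming order."""
    rows = []
    for index, excl, value in ENTRY.findall(dts_text):
        flags, region, problems = decode_exclusion_info(int(excl, 0))
        reg_value = int(value, 0)
        if not 0 <= reg_value <= 0xFFFFFFFF:
            problems.append("value does not fit in 32 bits")
        rows.append((int(index), flags, region, reg_value, problems))
    return sorted(rows, key=lambda row: row[0])

# reg@14357 and reg@14359 are copied from the example on this page;
# reg@99999 is a constructed entry (not a real index) with reserved encodings.
SAMPLE = """
reg@14359 { exclusion-info = <20>; value = <0x80000002>; };
reg@14357 { exclusion-info = <20>; value = <0x80000002>; };
reg@99999 { exclusion-info = <0xD1>; value = <0x80000002>; };
"""

if __name__ == "__main__":
    for index, flags, region, value, problems in audit(SAMPLE):
        print(index, flags, region, hex(value), problems or "ok")
```

The decimal value 20 used throughout the example file decodes to SET_IN_MB2 with FS_IP_REGION 001 (FSI), which matches the FSI_FABRIC registers it is applied to.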