OP-TEE on the RK3506B: what enables FW_DDR (0xff5f0000) region enforcement from the secure monitor?

Owen O'Hehir electronicconsult1 at gmail.com
Tue May 19 09:31:36 PDT 2026


Hello all,

I've been working on replacing the closed `rk3506_tee` blob on an
RK3506B (Luckfox Lyra Ultra) with an upstream from-source OP-TEE build.
I've made decent progress, but one part that I'm stuck on is the DDR
firewall (FW_DDR, base `0xff5f0000`) locking the secure DRAM region
against the non-secure CPU master. So far I can:

- program the region-map + CON + per-master (MST) registers and can
read them back,
- reproduce the exact register/value/ordering sequence that the vendor
secure firmware uses.

I've verified:
- With the same idbloader/SPL (mainline-style U-Boot `arch_cpu_init`,
which only does the MST grants), the vendor TEE enforces but my OP-TEE
does not; NS still reads/writes the region.
- The SGRF slave-security set is identical between the two.

So there appears to be a precondition outside the FW_DDR register
block that is set by the vendor secure firmware's broader init that
makes region checks actually apply to the A7 NS master.

I see the initial work to introduce the RK3506 was by Jonas Karlman
but without implementing secure world. If anyone has any pointers to
the FW_DDR register summary or how to set this, they would be
gratefully appreciated!

Regards,

Owen



More information about the Linux-rockchip mailing list