Category: Technical Solutions

Challenging technical solutions collaborated on with AI

Posted on

What is a full chain SBOM?

A full chain Software Bill of Materials (SBOM) is a comprehensive inventory that details all components, libraries, and dependencies used in a software product, including their versions and origins. It provides transparency into the software supply chain, allowing organizations to understand what is included in their software and to manage security and compliance risks effectively.

Key Features of a Full Chain SBOM:

  1. Comprehensive Inventory: It includes all software components, both proprietary and open-source, as well as their dependencies.
  2. Versioning Information: Each component listed in the SBOM includes version numbers, which are crucial for identifying vulnerabilities and ensuring compatibility.
  3. Source Information: The SBOM specifies where each component comes from, whether it’s an internal library, an open-source project, or a third-party vendor.
  4. Licensing Details: It often includes information about the licenses associated with each component, helping organizations comply with legal requirements.
  5. Vulnerability Management: By providing a detailed view of all components, a full chain SBOM enables organizations to quickly identify and address vulnerabilities in their software.
  6. Regulatory Compliance: Many industries are moving towards requiring SBOMs for compliance with regulations and standards, making them essential for risk management.

Importance of a Full Chain SBOM:

  • Security: It helps organizations identify and mitigate security risks by providing visibility into all components and their vulnerabilities.
  • Supply Chain Transparency: It enhances trust in the software supply chain by ensuring that all components are accounted for and vetted.
  • Incident Response: In the event of a security breach, a full chain SBOM allows organizations to quickly assess the impact and take appropriate action.

In summary, a full chain SBOM is a vital tool for managing software supply chain risks, ensuring compliance, and enhancing overall software security.

What makes it “full chain”?

The term “full chain” in the context of a Software Bill of Materials (SBOM) refers to the comprehensive nature of the inventory it provides, encompassing all elements involved in the software supply chain. Here are the key aspects that contribute to the “full chain” designation:

  1. Complete Component Coverage: A full chain SBOM includes not only the primary software application but also all its dependencies, libraries, and modules. This means every piece of software that contributes to the final product is documented.
  2. Depth of Dependencies: It captures not just direct dependencies (the libraries or components that the software directly uses) but also transitive dependencies (the dependencies of those dependencies). This ensures that every layer of the software stack is accounted for.
  3. Source and Origin Information: A full chain SBOM provides details about where each component originates, including whether it is open-source, proprietary, or third-party. This transparency is crucial for understanding the supply chain.
  4. Versioning and Integrity: It includes version numbers for each component, which is essential for tracking vulnerabilities and ensuring that the software is built with the correct and secure versions of each dependency.
  5. Licensing and Compliance: The SBOM documents the licenses associated with each component, which is important for legal compliance and understanding the implications of using certain software.
  6. Security and Vulnerability Data: A full chain SBOM often integrates information about known vulnerabilities associated with each component, enabling organizations to proactively manage security risks.
  7. Lifecycle Information: It may also include details about the lifecycle of each component, such as support status and end-of-life information, which is important for maintenance and security planning.

By encompassing all these elements, a “full chain” SBOM provides a holistic view of the software supply chain, enabling organizations to manage risks, ensure compliance, and maintain security effectively.

What about each layer of the component chain? Would the firmware from the base system in a docker build environment that produces an SBOM for the image also need an SBOM of its own?

Yes, each layer of the component chain, including firmware and other foundational elements, should ideally have its own Software Bill of Materials (SBOM). This is particularly important in complex environments like Docker, where multiple layers and components interact. Here’s how this works:

Layered Components in a Software Supply Chain

  1. Base System Firmware: The firmware of the base system (e.g., the operating system or hardware firmware) is a critical component. It often contains essential drivers and system libraries that applications depend on. An SBOM for the firmware would provide visibility into its components, versions, and any known vulnerabilities.
  2. Container Images: In a Docker build environment, each image can consist of multiple layers, each potentially built from different base images or components. Each of these layers should have its own SBOM to document the software and dependencies included in that layer.
  3. Application Dependencies: The application itself, along with its libraries and dependencies, should also have an SBOM. This includes any third-party libraries, frameworks, and tools that the application uses.

Importance of Layered SBOMs

  • Comprehensive Risk Management: By having an SBOM for each layer, organizations can better manage risks associated with vulnerabilities at every level of the software stack. If a vulnerability is discovered in the firmware, for example, having an SBOM allows for quick identification of affected systems.
  • Traceability: Layered SBOMs provide traceability throughout the software supply chain. This means that if an issue arises, organizations can trace it back through each layer to identify the source of the problem.
  • Compliance and Auditing: Many regulatory frameworks require detailed documentation of software components. Layered SBOMs help organizations meet these requirements by providing a clear view of all components, including those at the firmware level.
  • Supply Chain Transparency: Understanding the entire supply chain, including firmware, helps organizations assess the security posture of their software and make informed decisions about component usage.

Conclusion

In summary, each layer of the component chain, including firmware from the base system in a Docker build environment, should have its own SBOM. This approach ensures comprehensive visibility, risk management, and compliance throughout the software supply chain, ultimately enhancing security and reliability.

More focused on #1 Base System Firmware; harware level firmware SBOM as well as an SBOM for the running OS environment will complete what is know as a “full chain SBOM”

Absolutely! When discussing a “full chain SBOM,” it’s essential to include both the hardware-level firmware and the operating system (OS) environment. Here’s how each contributes to a comprehensive understanding of the software supply chain:

1. Hardware-Level Firmware SBOM

  • Definition: This SBOM includes all the firmware that runs on the hardware components of a system, such as the BIOS/UEFI, device firmware (e.g., for network cards, storage controllers, etc.), and any other embedded software that interacts directly with the hardware.
  • Importance:
    • Security: Hardware-level firmware can have vulnerabilities that may be exploited, making it crucial to track and manage these components.
    • Compatibility: Understanding the firmware versions helps ensure compatibility with the OS and applications running on the system.
    • Updates and Patching: An SBOM for firmware allows organizations to manage updates and patches effectively, ensuring that all components are secure and up to date.

2. Operating System Environment SBOM

  • Definition: This SBOM encompasses the operating system itself, including its core components, libraries, and any installed packages or applications.
  • Importance:
    • Dependency Management: The OS environment often includes numerous libraries and dependencies that applications rely on. An SBOM helps track these components and their versions.
    • Vulnerability Awareness: By documenting the OS and its components, organizations can quickly identify vulnerabilities and take action to mitigate risks.
    • Compliance: Many regulatory frameworks require detailed documentation of the software stack, including the OS, to ensure compliance with security standards.

Completing the Full Chain SBOM

By including both the hardware-level firmware SBOM and the OS environment SBOM, organizations achieve a “full chain SBOM” that provides:

  • Holistic Visibility: A complete view of all components involved in the software supply chain, from hardware to applications.
  • Enhanced Security Posture: The ability to identify and address vulnerabilities at every level, reducing the risk of exploitation.
  • Improved Incident Response: In the event of a security incident, having a full chain SBOM allows for rapid assessment and response, as organizations can trace issues back through the entire stack.

Conclusion

In summary, a full chain SBOM is achieved by including both the hardware-level firmware and the operating system environment. This comprehensive approach ensures that all components are accounted for, enhancing security, compliance, and overall risk management in the software supply chain

Posted on

FIDO2 U-Boot

Category:

I need to integrate a u2f authentication mechanism into the shell access of u-boot

Integrating U2F (Universal 2nd Factor) authentication into the shell access of U-Boot is a multi-step process involving several components. Here’s a high-level overview of the steps you need to take:

  1. Understand U-Boot: Ensure you have a good understanding of U-Boot and its configuration and compilation process.
  2. U2F Authentication Library: Choose or implement a U2F authentication library in C. You might use an existing library like libu2f-server as a reference.
  3. Integrate U2F into U-Boot:
    • Modify the U-Boot source code to include the U2F authentication step during shell access.
    • Add the necessary calls to the U2F library in U-Boot’s shell access code.
  4. Configure U-Boot Build:
    • Ensure the U-Boot build system includes the U2F library and its dependencies.
    • Modify the U-Boot configuration to enable the new U2F authentication mechanism.
  5. Testing: Thoroughly test the modified U-Boot to ensure that the U2F authentication works correctly without introducing any security vulnerabilities or instabilities.

Here is a more detailed breakdown with some example code snippets:

Step 1: Choose a U2F Library

You need a library that can handle U2F authentication requests and responses. For simplicity, let’s assume you have a library with the following interface:

#include <u2f.h>int u2f_authenticate(const char *challenge, const char *app_id, char *response, size_t response_len);

Step 2: Modify U-Boot Source Code

Locate the U-Boot shell access code. This might be in a file like cmd_boot.c or similar, depending on your U-Boot version. You’ll need to add code to call the U2F authentication function before granting shell access.

#include <u2f.h>#include <config.h>  // U-Boot configuration headerstatic int do_shell(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
{
    char challenge[32];
    char response[64];
    constchar *app_id = "your-app-id";
    
    // Generate a challenge (this is just an example, use a proper challenge generation)strcpy(challenge, "your-challenge");

    // Perform U2F authenticationif (u2f_authenticate(challenge, app_id, response, sizeof(response)) != 0) {
        printf("U2F authentication failed\n");
        return CMD_RET_FAILURE;
    }

    // U2F authentication succeeded, proceed with shell accessreturn run_command("bootm", flag);
}

/* Add the command to U-Boot's command table */
U_BOOT_CMD(
    shell, CONFIG_SYS_MAXARGS, 1, do_shell,
    "shell", "Enter the shell with U2F authentication"
);

Step 3: Configure Build System

Modify the U-Boot Makefile to include the U2F library and its dependencies. Ensure the library is built and linked correctly.

Makefile

# Add U2F library to the build
LIBU2F = libu2f.a

$(LIBU2F): 
    $(MAKE) -C $(LIBU2F_DIR)$(obj)u-boot: $(LIBU2F)$(LD)$(LDFLAGS) -o $@$(LIBS)$(LIBU2F)

Step 4: Enable Configuration

Ensure that the U-Boot configuration file (e.g., include/configs/your_board.h) enables the new U2F authentication mechanism:

#define CONFIG_CMD_SHELL 1#define CONFIG_LIBU2F 1

Step 5: Build and Test

  1. Build U-Boot:bashmake distclean make your_board_defconfig make
  2. Flash U-Boot onto your device and test the U2F authentication by accessing the shell.
  3. Debugging and Iteration: If any issues arise, debug and iterate on the implementation.

Important Considerations:

  • Security: Ensure that the U2F challenge-response mechanism is secure and that the challenge is generated correctly.
  • Dependency Management: Make sure all dependencies for the U2F library are met.
  • Testing: Thoroughly test the implementation to ensure it does not introduce vulnerabilities or instability.
Posted on

Secure Partition Manager (SPM)

Category:

This document outlines the architecture and implementation details of the Secure Partition Manager (SPM) within the context of Trusted Firmware-A (TF-A) and Secure Partitions (SPs) in Arm-based systems. Here’s a summary of the key points.

Overview


Secure Partition Manager (SPM) operates at Exception Level 3 (EL3) and manages Secure Partitions at Secure Exception Level 0 (S-EL0).


Secure Partitions provide isolated execution environments for trusted applications, enabling secure services like DRM, secure payments, and authentication.


Architecture


The SPM is responsible for resource allocation, architectural setup, and service management for Secure Partitions.
A Secure Partition is a software sandbox that relies on the SPM for access to system resources and is designed to run services to completion without preemption.


Building and Configuration


The SPM is currently supported on the Arm Fixed Virtual Platform (FVP).
To enable SPM support, specific build flags must be set, and the Secure Partition image must be included in the Firmware Image Package (FIP).


Resource Management


The SPM provides a porting interface for platforms to specify resources required by Secure Partitions.
Memory management for Secure Partitions is handled through defined memory map regions and boot information.
Service Access


Services in Secure Partitions are accessed via the SMC (Secure Monitor Call) calling convention, specifically using the MM_COMMUNICATE interface.


Data exchange between the Non-secure world and Secure Partitions occurs through a shared memory region, with data structures defined in the Management Mode Interface Specification.


Runtime Model


The SPM defines interfaces for Secure Partitions to initialize and export services.
Communication between the SPM and Secure Partitions is facilitated through Supervisor Call (SVC) instructions, which allow Secure Partitions to request privileged operations.


Event Management


The Secure Partition includes an Event Management interface for service registration and completion indication, allowing the SPM to delegate service requests effectively.


Conclusion


The Secure Partition Manager and Secure Partitions provide a structured approach to implementing secure services in Arm-based systems, ensuring isolation and management of security functions while facilitating communication between secure and non-secure environments. Future revisions of the implementation are expected to enhance flexibility and feature sets.

Im trying to implementing this but need to define PLAT_SP_IMAGE_MMAP_REGIONS, and PLAT_SP_IMAGE_MAX_XLAT_TABLES with the rockchip mem map for the rk3399

To define PLAT_SP_IMAGE_MMAP_REGIONS and PLAT_SP_IMAGE_MAX_XLAT_TABLES for the Rockchip RK3399 platform, you will need to refer to the memory map specific to the RK3399 SoC.

Below is a general guideline on how to define these constants based on typical memory regions found in the RK3399 architecture. You may need to adjust the values based on your specific requirements and the memory layout of your system.

Step 1: Define Memory Regions

The RK3399 typically has several memory regions that you may want to include in your memory map. Here’s an example of how you might define these regions:

Copy Code

// Define the memory regions for the Secure Partition

define PLAT_SP_IMAGE_MMAP_REGIONS \
{                               \
    {                           \
        .base = 0x80000000,   /* Base address of the Secure Partition */ \
        .size = 0x1000000,    /* Size of the Secure Partition memory */ \
        .attr = MT_MEMORY | MT_RW | MT_SECURE, \
    },                          \
    {                           \
        .base = 0x0,          /* Base address for other secure memory regions */ \
        .size = 0x40000000,   /* Size of the other secure memory */ \
        .attr = MT_MEMORY | MT_RW | MT_SECURE, \
    },                          \
    /* Add more regions as needed */ \
}

Step 2: Define Maximum Translation Tables


The PLAT_SP_IMAGE_MAX_XLAT_TABLES constant defines the maximum number of translation tables that can be used by the Secure Partition. This value depends on the memory layout and the number of regions you have defined. A common value for many platforms is 4 or 8, but you should adjust it based on your needs.

Copy Code

define PLAT_SP_IMAGE_MAX_XLAT_TABLES 4 // Adjust based on your memory map requirements

Step 3: Integrate with the Platform Code


Make sure to integrate these definitions into the appropriate platform-specific files in your TF-A implementation. Typically, you would place these definitions in a header file specific to the RK3399 platform, such as plat/rockchip/rk3399/rk3399_def.h.

Example Integration
Here’s how you might integrate these definitions into your platform code:

Copy Code

// In rk3399_def.h or a similar header file

ifndef RK3399_DEF_H
define RK3399_DEF_H

define PLAT_SP_IMAGE_MMAP_REGIONS \
{                               \
    {                           \
        .base = 0x80000000,   \
        .size = 0x1000000,    \
        .attr = MT_MEMORY | MT_RW | MT_SECURE, \
    },                          \
    {                           \
        .base = 0x0,          \
        .size = 0x40000000,   \
        .attr = MT_MEMORY | MT_RW | MT_SECURE, \
    },                          \
}
define PLAT_SP_IMAGE_MAX_XLAT_TABLES 4
endif // RK3399_DEF_H

Final Notes


Memory Addresses: Ensure that the base addresses and sizes you define do not overlap with other critical memory regions in your system.


Attributes: The attributes (MT_MEMORY, MT_RW, MT_SECURE) should be defined according to your security and access requirements.


Testing: After implementing these definitions, thoroughly test the Secure Partition functionality to ensure that memory access and service requests are handled correctly.


Make sure to consult the RK3399 technical reference manual and any relevant documentation for specific details about the memory map and configuration options.

Help me fill in the dots here I also need to include these structs and functions; but again adjusted for the rk3399 instead of the fvp platform:

static spm_mm_mp_info_t sp_mp_info[] = {
[0] = {0x80000000, 0},
[1] = {0x80000001, 0},
[2] = {0x80000002, 0},
[3] = {0x80000003, 0},
[4] = {0x80000100, 0},
[5] = {0x80000101, 0},
[6] = {0x80000102, 0},
[7] = {0x80000103, 0},
};
const spm_mm_boot_info_t plat_arm_secure_partition_boot_info = {
.h.type = PARAM_SP_IMAGE_BOOT_INFO,
.h.version = VERSION_1,
.h.size = sizeof(spm_mm_boot_info_t),
.h.attr = 0,
.sp_mem_base = ARM_SP_IMAGE_BASE,
.sp_mem_limit = ARM_SP_IMAGE_LIMIT,
.sp_image_base = ARM_SP_IMAGE_BASE,
.sp_stack_base = PLAT_SP_IMAGE_STACK_BASE,
.sp_heap_base = ARM_SP_IMAGE_HEAP_BASE,
.sp_ns_comm_buf_base = PLAT_SP_IMAGE_NS_BUF_BASE,
.sp_shared_buf_base = PLAT_SPM_BUF_BASE,
.sp_image_size = ARM_SP_IMAGE_SIZE,
.sp_pcpu_stack_size = PLAT_SP_IMAGE_STACK_PCPU_SIZE,
.sp_heap_size = ARM_SP_IMAGE_HEAP_SIZE,
.sp_ns_comm_buf_size = PLAT_SP_IMAGE_NS_BUF_SIZE,
.sp_shared_buf_size = PLAT_SPM_BUF_SIZE,
.num_sp_mem_regions = ARM_SP_IMAGE_NUM_MEM_REGIONS,
.num_cpus = PLATFORM_CORE_COUNT,
.mp_info = &sp_mp_info[0],
};

const struct mmap_region *plat_get_secure_partition_mmap(void *cookie)
{
return plat_arm_secure_partition_mmap;
}

const struct spm_mm_boot_info *plat_get_secure_partition_boot_info(
void *cookie)
{
return &plat_arm_secure_partition_boot_info;
}

To adapt the provided structures and functions for the RK3399 platform, you will need to define the memory regions and other parameters specific to the RK3399 architecture. Below is an example of how you might fill in the details for the spm_mm_mp_info_t array, the plat_arm_secure_partition_boot_info structure, and the associated functions.

Step 1: Define Memory Regions


You will need to define the memory regions that are relevant for the RK3399. Here’s an example of how you might set up the spm_mm_mp_info_t array:

Copy Code

static spm_mm_mp_info_t sp_mp_info[] = {
[0] = {0x80000000, 0}, // Example memory region 1
[1] = {0x80001000, 0}, // Example memory region 2
[2] = {0x80002000, 0}, // Example memory region 3
[3] = {0x80003000, 0}, // Example memory region 4
[4] = {0x80010000, 0}, // Example memory region 5
[5] = {0x80011000, 0}, // Example memory region 6
[6] = {0x80012000, 0}, // Example memory region 7
[7] = {0x80013000, 0}, // Example memory region 8
};

Step 2: Define Boot Info Structure


Next, you will define the plat_arm_secure_partition_boot_info structure. You will need to replace the placeholders with actual values based on your RK3399 memory layout:

Copy Code

const spm_mm_boot_info_t plat_arm_secure_partition_boot_info = {
.h.type = PARAM_SP_IMAGE_BOOT_INFO,
.h.version = VERSION_1,
.h.size = sizeof(spm_mm_boot_info_t),
.h.attr = 0,
.sp_mem_base = 0x80000000, // Base address for Secure Partition memory
.sp_mem_limit = 0x80010000, // Limit address for Secure Partition memory
.sp_image_base = 0x80000000, // Base address for the Secure Partition image
.sp_stack_base = 0x8000F000, // Base address for the Secure Partition stack
.sp_heap_base = 0x8000E000, // Base address for the Secure Partition heap
.sp_ns_comm_buf_base = 0x8000D000, // Base address for Non-secure communication buffer
.sp_shared_buf_base = 0x8000C000, // Base address for shared buffer
.sp_image_size = 0x00010000, // Size of the Secure Partition image
.sp_pcpu_stack_size = 0x00002000, // Per-CPU stack size
.sp_heap_size = 0x00002000, // Size of the Secure Partition heap
.sp_ns_comm_buf_size = 0x00001000, // Size of Non-secure communication buffer
.sp_shared_buf_size = 0x00001000, // Size of shared buffer
.num_sp_mem_regions = ARRAY_SIZE(sp_mp_info), // Number of memory regions defined
.num_cpus = PLATFORM_CORE_COUNT, // Number of CPU cores
.mp_info = &sp_mp_info[0], // Pointer to memory region info
};


Step 3: Implement the Functions


Finally, implement the functions to return the memory map and boot info:

Copy Code

const struct mmap_region *plat_get_secure_partition_mmap(void *cookie)
{
return plat_arm_secure_partition_mmap; // Ensure this variable is defined elsewhere
}
const struct spm_mm_boot_info *plat_get_secure_partition_boot_info(void *cookie)
{
return &plat_arm_secure_partition_boot_info;
}


Final Notes


Memory Addresses: Ensure that the base addresses and sizes you define do not overlap with other critical memory regions in your system. Adjust the addresses based on the actual memory map of the RK3399.
Attributes: The attributes for the memory regions should be defined according to your security and access requirements.


Testing: After implementing these definitions, thoroughly test the Secure Partition functionality to ensure that memory access and service requests are handled correctly.
Make sure to consult the RK3399 technical reference manual and any relevant documentation for specific details about the memory map and configuration options.

I think this portion is also necessary, help me work this in as well converting from the fvp params to expected for the rk3399 platform:

const mmap_region_t plat_arm_secure_partition_mmap[] = {
V2M_MAP_IOFPGA_EL0, /* for the UART / V2M_MAP_SECURE_SYSTEMREG_EL0, / for initializing flash */
if PSA_FWU_SUPPORT
V2M_MAP_FLASH0_RW_EL0, /* for firmware update service in standalone mm */
endif
V2M_MAP_FLASH1_RW_EL0, /* for secure variable service in standalone mm */
MAP_REGION_FLAT(DEVICE0_BASE,
        DEVICE0_SIZE,
        MT_DEVICE | MT_RO | MT_SECURE | MT_USER),
ARM_SP_IMAGE_MMAP,
ARM_SP_IMAGE_NS_BUF_MMAP,
ARM_SP_IMAGE_RW_MMAP,
ARM_SPM_BUF_EL0_MMAP,
{0}
};

To adapt the plat_arm_secure_partition_mmap array for the RK3399 platform, you will need to replace the existing mappings with the appropriate memory regions and attributes specific to the RK3399 architecture. Below is an example of how you might define this array, including the necessary mappings for the RK3399.

Step 1: Define Memory Regions
You will need to define the memory regions based on the RK3399’s memory map. Here’s an example of how you might set up the plat_arm_secure_partition_mmap array:

Copy Code

// Define the memory regions for the RK3399 platform
const mmap_region_t plat_arm_secure_partition_mmap[] = {
V2M_MAP_IOFPGA_EL0, /* for the UART / V2M_MAP_SECURE_SYSTEMREG_EL0, / for initializing flash */

if PSA_FWU_SUPPORT

V2M_MAP_FLASH0_RW_EL0, /* for firmware update service in standalone mm */

endif

V2M_MAP_FLASH1_RW_EL0, /* for secure variable service in standalone mm */

// Map device memory for RK3399
MAP_REGION_FLAT(DEVICE0_BASE,
                DEVICE0_SIZE,
                MT_DEVICE | MT_RW | MT_SECURE | MT_USER), // Adjust permissions as needed

// Add the Secure Partition image memory mapping
MAP_REGION_FLAT(0x80000000,  // Base address for the Secure Partition
                0x00010000,  // Size of the Secure Partition image
                MT_MEMORY | MT_RW | MT_SECURE), // Adjust attributes as needed

// Add Non-secure buffer mapping
MAP_REGION_FLAT(0x8000D000,  // Base address for Non-secure communication buffer
                0x00001000,  // Size of Non-secure communication buffer
                MT_MEMORY | MT_RW | MT_NON_SECURE), // Non-secure access

// Add Read-Write mapping for Secure Partition
MAP_REGION_FLAT(0x8000E000,  // Base address for Secure Partition heap
                0x00002000,  // Size of the Secure Partition heap
                MT_MEMORY | MT_RW | MT_SECURE), // Secure access

// Add SPM buffer mapping
MAP_REGION_FLAT(0x8000C000,  // Base address for SPM buffer
                0x00001000,  // Size of SPM buffer
                MT_MEMORY | MT_RW | MT_SECURE), // Secure access

{0} // End of the mapping

};


Step 2: Ensure Correct Definitions


Make sure that the following constants are defined appropriately in your platform-specific header files:

DEVICE0_BASE and DEVICE0_SIZE: These should correspond to the base address and size of the device memory region you want to map.


Adjust the base addresses and sizes according to your specific memory layout and requirements for the RK3399.
Final Notes


Memory Addresses: Ensure that the base addresses and sizes you define do not overlap with other critical memory regions in your system.


Attributes: The attributes for the memory regions should be defined according to your security and access requirements. For example, MT_DEVICE for device memory, MT_MEMORY for normal memory, and appropriate read/write permissions.


Testing: After implementing these definitions, thoroughly test the Secure Partition functionality to ensure that memory access and service requests are handled correctly.


By following these steps, you should be able to successfully adapt the memory mapping for the RK3399 platform. Make sure to consult the RK3399 technical reference manual and any relevant documentation for specific details about the memory map and configuration options.

REMOVED

define PLAT_SP_IMAGE_MMAP_REGIONS \
{                    \
    {                \
        .base = 0x80000000,        \
        .size = 0x1000000,        \
        .attr = MT_MEMORY | MT_RW | MT_SECURE,    \
    },                \
    {                \
        .base = 0x0,        \
        .size = 0x40000000,        \
        .attr = MT_MEMORY | MT_RW | MT_SECURE,    \
    },                \
}