imx8qm/qxp: Protect the lower 96K ocram used for SPL

Because the partition reboot won't reload the first level bootloader (SPL),
the SPL won't be authenticated. Users can corrupt the SPL image to break
the boot trust chain in secure boot if we don't protect that OCRAM area.

This patch configures the memory area from 0x0 to 0x118000 only accessed by
secure partition (ATF and OPTEE). Non-secure partitions (u-boot and kernel)
can't access it.

Signed-off-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 1eff7d3ef6f121782e56bb1807744ede48b8580b)
diff --git a/plat/imx/imx8qm/imx8qm_bl31_setup.c b/plat/imx/imx8qm/imx8qm_bl31_setup.c
index e28519f..78539b3 100644
--- a/plat/imx/imx8qm/imx8qm_bl31_setup.c
+++ b/plat/imx/imx8qm/imx8qm_bl31_setup.c
@@ -156,7 +156,7 @@
 void mx8_partition_resources(void)
 {
 	sc_rm_pt_t secure_part, os_part;
-	sc_rm_mr_t mr, mr_record = 64;
+	sc_rm_mr_t mr, mr_record = 64, mr_ocram = 64;
 	sc_faddr_t start, end, reg_end;
 	bool owned, owned2;
 	sc_err_t err;
@@ -206,6 +206,9 @@
 					mr_tee = mr;
 				}
 #endif
+				else if (0 >= start && (OCRAM_BASE + OCRAM_ALIAS_SIZE - 1) <= end) {
+					mr_ocram = mr;
+				}
 				else {
 					err = sc_rm_assign_memreg(ipc_handle, os_part, mr);
 					if (err)
@@ -311,6 +314,25 @@
 		}
 	}
 
+	if (mr_ocram != 64) {
+		err = sc_rm_get_memreg_info(ipc_handle, mr_ocram, &start, &end);
+		reg_end = end;
+		if (err) {
+			ERROR("Memreg get info failed, %u\n", mr_ocram);
+		} else {
+			if ((OCRAM_BASE + OCRAM_ALIAS_SIZE - 1) < end) {
+				err = sc_rm_memreg_alloc(ipc_handle, &mr, OCRAM_BASE + OCRAM_ALIAS_SIZE, reg_end);
+				if (err) {
+					ERROR("sc_rm_memreg_alloc failed, 0x%llx -- 0x%llx\n", (sc_faddr_t)OCRAM_BASE + OCRAM_ALIAS_SIZE, reg_end);
+				} else {
+					err = sc_rm_assign_memreg(ipc_handle, os_part, mr);
+					if (err)
+						ERROR("Memreg assign failed, 0x%llx -- 0x%llx\n", (sc_faddr_t)OCRAM_BASE + OCRAM_ALIAS_SIZE, reg_end);
+				}
+			}
+		}
+	}
+
 	owned = sc_rm_is_resource_owned(ipc_handle, SC_R_M4_0_PID0);
 	if (owned) {
 		err = sc_rm_set_resource_movable(ipc_handle, SC_R_M4_0_PID0,
diff --git a/plat/imx/imx8qm/include/platform_def.h b/plat/imx/imx8qm/include/platform_def.h
index bff9b00..c7beb6b 100644
--- a/plat/imx/imx8qm/include/platform_def.h
+++ b/plat/imx/imx8qm/include/platform_def.h
@@ -47,6 +47,9 @@
 #define BL32_LIMIT			0x100000000
 #endif
 
+#define OCRAM_BASE		0x100000
+#define OCRAM_ALIAS_SIZE 0x18000 /* The lower 96KB is in OCRAM alias from 0x0 */
+
 #define PLAT_GICD_BASE			0x51a00000
 #define PLAT_GICD_SIZE			0x10000
 #define PLAT_GICR_BASE			0x51b00000
diff --git a/plat/imx/imx8qx/imx8qx_bl31_setup.c b/plat/imx/imx8qx/imx8qx_bl31_setup.c
index 1d5ad6e..b7cb7a5 100644
--- a/plat/imx/imx8qx/imx8qx_bl31_setup.c
+++ b/plat/imx/imx8qx/imx8qx_bl31_setup.c
@@ -151,7 +151,7 @@
 void imx8_partition_resources(void)
 {
 	sc_rm_pt_t secure_part, os_part;
-	sc_rm_mr_t mr, mr_record = 64;
+	sc_rm_mr_t mr, mr_record = 64, mr_ocram = 64;
 	sc_faddr_t start, end, reg_end;
 	sc_err_t err;
 	bool owned;
@@ -206,6 +206,9 @@
 					mr_tee = mr;
 				}
 #endif
+				else if (0 >= start && (OCRAM_BASE + OCRAM_ALIAS_SIZE - 1) <= end) {
+					mr_ocram = mr;
+				}
 				else {
 					err = sc_rm_assign_memreg(ipc_handle, os_part, mr);
 					if (err)
@@ -310,6 +313,25 @@
 		}
 	}
 
+	if (mr_ocram != 64) {
+		err = sc_rm_get_memreg_info(ipc_handle, mr_ocram, &start, &end);
+		reg_end = end;
+		if (err) {
+			ERROR("Memreg get info failed, %u\n", mr_ocram);
+		} else {
+			if ((OCRAM_BASE + OCRAM_ALIAS_SIZE - 1) < end) {
+				err = sc_rm_memreg_alloc(ipc_handle, &mr, OCRAM_BASE + OCRAM_ALIAS_SIZE, reg_end);
+				if (err) {
+					ERROR("sc_rm_memreg_alloc failed, 0x%llx -- 0x%llx\n", (sc_faddr_t)OCRAM_BASE + OCRAM_ALIAS_SIZE, reg_end);
+				} else {
+					err = sc_rm_assign_memreg(ipc_handle, os_part, mr);
+					if (err)
+						ERROR("Memreg assign failed, 0x%llx -- 0x%llx\n", (sc_faddr_t)OCRAM_BASE + OCRAM_ALIAS_SIZE, reg_end);
+				}
+			}
+		}
+	}
+
 	owned = sc_rm_is_resource_owned(ipc_handle, SC_R_M4_0_PID0);
 	if (owned) {
 		err = sc_rm_set_resource_movable(ipc_handle, SC_R_M4_0_PID0,
diff --git a/plat/imx/imx8qx/include/platform_def.h b/plat/imx/imx8qx/include/platform_def.h
index f09f61c..e74e181 100644
--- a/plat/imx/imx8qx/include/platform_def.h
+++ b/plat/imx/imx8qx/include/platform_def.h
@@ -44,6 +44,9 @@
 #define PLAT_TEE_IMAGE_OFFSET		0x84000000
 #endif
 
+#define OCRAM_BASE		0x100000
+#define OCRAM_ALIAS_SIZE 0x18000 /* The lower 96KB is in OCRAM alias from 0x0 */
+
 #define PLAT_VIRT_ADDR_SPACE_SIZE	(1ull << 32)
 #define PLAT_PHY_ADDR_SPACE_SIZE	(1ull << 32)