Commit 22191ac35344 ("drivers/crypto/fsl: assign job-rings to non-TrustZone") breaks HABv4 encrypted boot support in the following i.MX devices:
- i.MX6UL - i.MX7S - i.MX7D - i.MX7ULP
For preparing a HABv4 encrypted boot image it's necessary to encapsulate the generated DEK in a blob. In devices listed above the blob generation function takes into consideration the Job Ring TrustZone ownership configuration (JROWN_NS) and can be only decapsulated by the same configuration.
The ROM code expects DEK blobs encapsulated by the Secure World environments which commonly have JROWN_NS = 0.
As U-Boot is running in Secure World we must have JROWN_NS = 0 so the blobs generated by dek_blob tool can be decapsulated by the ROM code.
Linux Kernel is booting by default in TrustZone Secure World in most of targets. Make job-rings assignment to non-Secure dependent of CONFIG_OPTEE and CONFIG_ARMV7_BOOT_SEC_DEFAULT to avoid a Kernel crash when booting Linux in non-Secure World.
OP-TEE users can still use dek_blob command as job ring assignment is also dependent of CONFIG_CMD_DEKBLOB configuration.
Signed-off-by: Breno Lima breno.lima@nxp.com --- drivers/crypto/fsl/jr.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c index cc8d3b02a5..23d5a64da0 100644 --- a/drivers/crypto/fsl/jr.c +++ b/drivers/crypto/fsl/jr.c @@ -635,11 +635,15 @@ int sec_init_idx(uint8_t sec_idx) #endif #endif
- /* Set ownership of job rings to non-TrustZone mode by default */ - for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) { - jrown_ns = sec_in32(&sec->jrliodnr[i].ms); - jrown_ns |= JROWN_NS | JRMID_NS; - sec_out32(&sec->jrliodnr[i].ms, jrown_ns); + if ((IS_ENABLED(CONFIG_OPTEE) || + !IS_ENABLED(CONFIG_ARMV7_BOOT_SEC_DEFAULT)) && + !IS_ENABLED(CONFIG_CMD_DEKBLOB)) { + /* Set ownership of job rings to non-TrustZone mode. */ + for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) { + jrown_ns = sec_in32(&sec->jrliodnr[i].ms); + jrown_ns |= JROWN_NS | JRMID_NS; + sec_out32(&sec->jrliodnr[i].ms, jrown_ns); + } }
ret = jr_init(sec_idx);