[U-Boot] [PATCH v4 2/2] imx: mx7: run sec_init for CAAM RNG

This patch adds a sec_init call into arch_misc_init(). Doing so in conjunction with the patch "drivers/crypto/fsl: assign job-rings to non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is active.
u-boot will initialise the RNG and assign ownership of the job-ring registers to a non-TrustZone context. With recent changes by Lukas Auer to fully initialize the RNG in sec_init() this means that u-boot will hand-off the CAAM in a state that Linux then can use the CAAM without touching the reserved DECO registers.
This change is safe both for the OPTEE/TrustZone boot path and the regular non-OPTEE/TrustZone boot path.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Fabio Estevam fabio.estevam@nxp.com
Cc: Peng Fan peng.fan@nxp.com
Cc: Marco Franchi marco.franchi@nxp.com
Cc: Vanessa Maegima vanessa.maegima@nxp.com
Cc: Stefano Babic sbabic@denx.de
Cc: Lukas Auer lukas.auer@aisec.fraunhofer.de
---
arch/arm/mach-imx/mx7/soc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c index d160e80..d444046 100644 --- a/arch/arm/mach-imx/mx7/soc.c +++ b/arch/arm/mach-imx/mx7/soc.c @@ -17,6 +17,7 @@ #include <asm/arch/crm_regs.h> #include <dm.h> #include <imx_thermal.h> +#include <fsl_sec.h>
#if defined(CONFIG_IMX_THERMAL) static const struct imx_thermal_plat imx7_thermal_plat = { @@ -262,6 +263,10 @@ int arch_misc_init(void) env_set("soc", "imx7s"); #endif
+#ifdef CONFIG_FSL_CAAM + sec_init(); +#endif + return 0; } #endif
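Review bot: the result of sec_init() is discarded in the second hunk, and arch_misc_init() falls through to "return 0" whatever happened. The commit message says Linux depends on U-Boot having initialised the RNG and handed the job-ring registers to the non-TrustZone context, so if sec_init() reports failure through its return value, the board would boot silently and the fault would only surface later when the Linux CAAM driver probes. Consider capturing the result and at least printing a warning that names the CAAM, so the failure is visible at the point where it occurs. A one-line comment above the #ifdef saying why the call sits in arch_misc_init() (RNG and job-ring hand-off for the OPTEE/TrustZone boot path) would also help, since the code itself carries none of the reasoning in the commit message.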

On Fri, 2018-01-26 at 16:27 +0000, Bryan O'Donoghue wrote:
This patch adds a sec_init call into arch_misc_init(). Doing so in conjunction with the patch "drivers/crypto/fsl: assign job-rings to non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is active.
u-boot will initialise the RNG and assign ownership of the job-ring registers to a non-TrustZone context. With recent changes by Lukas Auer to fully initialize the RNG in sec_init() this means that u-boot will hand-off the CAAM in a state that Linux then can use the CAAM without touching the reserved DECO registers.
This change is safe both for the OPTEE/TrustZone boot path and the regular non-OPTEE/TrustZone boot path.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Fabio Estevam fabio.estevam@nxp.com
Cc: Peng Fan peng.fan@nxp.com
Cc: Marco Franchi marco.franchi@nxp.com
Cc: Vanessa Maegima vanessa.maegima@nxp.com
Cc: Stefano Babic sbabic@denx.de
Cc: Lukas Auer lukas.auer@aisec.fraunhofer.de
arch/arm/mach-imx/mx7/soc.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach- imx/mx7/soc.c index d160e80..d444046 100644 --- a/arch/arm/mach-imx/mx7/soc.c +++ b/arch/arm/mach-imx/mx7/soc.c @@ -17,6 +17,7 @@ #include <asm/arch/crm_regs.h> #include <dm.h> #include <imx_thermal.h> +#include <fsl_sec.h>
#if defined(CONFIG_IMX_THERMAL) static const struct imx_thermal_plat imx7_thermal_plat = { @@ -262,6 +263,10 @@ int arch_misc_init(void) env_set("soc", "imx7s"); #endif
+#ifdef CONFIG_FSL_CAAM
- sec_init();
+#endif
- return 0;
} #endif
Sorry, didn't see your patch in time before I sent my last email.
I tested your patch set again and everything works on my imx7d board (successful probe call and using the CAAM with openssl).
Tested-by: Lukas Auer lukas.auer@aisec.fraunhofer.de

On 26/01/2018 17:40, Auer, Lukas wrote:
On Fri, 2018-01-26 at 16:27 +0000, Bryan O'Donoghue wrote:
This patch adds a sec_init call into arch_misc_init(). Doing so in conjunction with the patch "drivers/crypto/fsl: assign job-rings to non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is active.
u-boot will initialise the RNG and assign ownership of the job-ring registers to a non-TrustZone context. With recent changes by Lukas Auer to fully initialize the RNG in sec_init() this means that u-boot will hand-off the CAAM in a state that Linux then can use the CAAM without touching the reserved DECO registers.
This change is safe both for the OPTEE/TrustZone boot path and the regular non-OPTEE/TrustZone boot path.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Fabio Estevam fabio.estevam@nxp.com
Cc: Peng Fan peng.fan@nxp.com
Cc: Marco Franchi marco.franchi@nxp.com
Cc: Vanessa Maegima vanessa.maegima@nxp.com
Cc: Stefano Babic sbabic@denx.de
Cc: Lukas Auer lukas.auer@aisec.fraunhofer.de
arch/arm/mach-imx/mx7/soc.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach- imx/mx7/soc.c index d160e80..d444046 100644 --- a/arch/arm/mach-imx/mx7/soc.c +++ b/arch/arm/mach-imx/mx7/soc.c @@ -17,6 +17,7 @@ #include <asm/arch/crm_regs.h> #include <dm.h> #include <imx_thermal.h> +#include <fsl_sec.h>
#if defined(CONFIG_IMX_THERMAL) static const struct imx_thermal_plat imx7_thermal_plat = { @@ -262,6 +263,10 @@ int arch_misc_init(void) env_set("soc", "imx7s"); #endif
+#ifdef CONFIG_FSL_CAAM
- sec_init();
+#endif
- return 0;
} #endif
Sorry, didn't see your patch in time before I sent my last email.
I tested your patch set again and everything works on my imx7d board (successful probe call and using the CAAM with openssl).
Tested-by: Lukas Auer lukas.auer@aisec.fraunhofer.de
Applied to u-boot-imx, thanks !
Best regards, Stefano Babic

On Fri, Jan 26, 2018 at 2:27 PM, Bryan O'Donoghue bryan.odonoghue@linaro.org wrote:
This patch adds a sec_init call into arch_misc_init(). Doing so in conjunction with the patch "drivers/crypto/fsl: assign job-rings to non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is active.
u-boot will initialise the RNG and assign ownership of the job-ring registers to a non-TrustZone context. With recent changes by Lukas Auer to fully initialize the RNG in sec_init() this means that u-boot will hand-off the CAAM in a state that Linux then can use the CAAM without touching the reserved DECO registers.
This change is safe both for the OPTEE/TrustZone boot path and the regular non-OPTEE/TrustZone boot path.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Fabio Estevam fabio.estevam@nxp.com
Cc: Peng Fan peng.fan@nxp.com
Cc: Marco Franchi marco.franchi@nxp.com
Cc: Vanessa Maegima vanessa.maegima@nxp.com
Cc: Stefano Babic sbabic@denx.de
Cc: Lukas Auer lukas.auer@aisec.fraunhofer.de
Reviewed-by: Fabio Estevam fabio.estevam@nxp.com

On 26/01/2018 17:27, Bryan O'Donoghue wrote:
This patch adds a sec_init call into arch_misc_init(). Doing so in conjunction with the patch "drivers/crypto/fsl: assign job-rings to non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is active.
u-boot will initialise the RNG and assign ownership of the job-ring registers to a non-TrustZone context. With recent changes by Lukas Auer to fully initialize the RNG in sec_init() this means that u-boot will hand-off the CAAM in a state that Linux then can use the CAAM without touching the reserved DECO registers.
This change is safe both for the OPTEE/TrustZone boot path and the regular non-OPTEE/TrustZone boot path.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Fabio Estevam fabio.estevam@nxp.com
Cc: Peng Fan peng.fan@nxp.com
Cc: Marco Franchi marco.franchi@nxp.com
Cc: Vanessa Maegima vanessa.maegima@nxp.com
Cc: Stefano Babic sbabic@denx.de
Cc: Lukas Auer lukas.auer@aisec.fraunhofer.de
arch/arm/mach-imx/mx7/soc.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c index d160e80..d444046 100644 --- a/arch/arm/mach-imx/mx7/soc.c +++ b/arch/arm/mach-imx/mx7/soc.c @@ -17,6 +17,7 @@ #include <asm/arch/crm_regs.h> #include <dm.h> #include <imx_thermal.h> +#include <fsl_sec.h>
#if defined(CONFIG_IMX_THERMAL) static const struct imx_thermal_plat imx7_thermal_plat = { @@ -262,6 +263,10 @@ int arch_misc_init(void) env_set("soc", "imx7s"); #endif
+#ifdef CONFIG_FSL_CAAM
- sec_init();
+#endif
- return 0;
} #endif
Applied to u-boot-imx, thanks !
Best regards, Stefano Babic

On 04/02/18 10:31, Stefano Babic wrote:
On 26/01/2018 17:27, Bryan O'Donoghue wrote:
This patch adds a sec_init call into arch_misc_init(). Doing so in conjunction with the patch "drivers/crypto/fsl: assign job-rings to non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is active.
u-boot will initialise the RNG and assign ownership of the job-ring registers to a non-TrustZone context. With recent changes by Lukas Auer to fully initialize the RNG in sec_init() this means that u-boot will hand-off the CAAM in a state that Linux then can use the CAAM without touching the reserved DECO registers.
This change is safe both for the OPTEE/TrustZone boot path and the regular non-OPTEE/TrustZone boot path.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Fabio Estevam fabio.estevam@nxp.com
Cc: Peng Fan peng.fan@nxp.com
Cc: Marco Franchi marco.franchi@nxp.com
Cc: Vanessa Maegima vanessa.maegima@nxp.com
Cc: Stefano Babic sbabic@denx.de
Cc: Lukas Auer lukas.auer@aisec.fraunhofer.de
arch/arm/mach-imx/mx7/soc.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c index d160e80..d444046 100644 --- a/arch/arm/mach-imx/mx7/soc.c +++ b/arch/arm/mach-imx/mx7/soc.c @@ -17,6 +17,7 @@ #include <asm/arch/crm_regs.h> #include <dm.h> #include <imx_thermal.h> +#include <fsl_sec.h>
#if defined(CONFIG_IMX_THERMAL) static const struct imx_thermal_plat imx7_thermal_plat = { @@ -262,6 +263,10 @@ int arch_misc_init(void) env_set("soc", "imx7s"); #endif
+#ifdef CONFIG_FSL_CAAM
- sec_init();
+#endif
- return 0; } #endif
Applied to u-boot-imx, thanks !
Thanks,
Could you apply these two also ?
[PATCH v4 1/2] drivers/crypto/fsl: assign job-rings to non-TrustZone
[PATCH] crypto/fsl: instantiate all rng state handles
I had a plan to send out these three patches together as a series - since they are all required to fix the CAAM/TrustZone issue and so they should be treated as a set.
--- bod

Hi Bryan,
On Mon, Feb 5, 2018 at 10:01 AM, Bryan O'Donoghue bryan.odonoghue@linaro.org wrote:
Thanks,
Could you apply these two also ?
[PATCH v4 1/2] drivers/crypto/fsl: assign job-rings to non-TrustZone
Stefano has already applied it: http://git.denx.de/?p=u-boot/u-boot-imx.git;a=commit;h=22191ac353445ad8fafc5...
[PATCH] crypto/fsl: instantiate all rng state handles
This one should go via York Sun's tree. Please resend this patch with him on Cc.
Thanks

On 05/02/2018 13:07, Fabio Estevam wrote:
Hi Bryan,
On Mon, Feb 5, 2018 at 10:01 AM, Bryan O'Donoghue bryan.odonoghue@linaro.org wrote:
Thanks,
Could you apply these two also ?
[PATCH v4 1/2] drivers/crypto/fsl: assign job-rings to non-TrustZone
Stefano has already applied it: http://git.denx.de/?p=u-boot/u-boot-imx.git;a=commit;h=22191ac353445ad8fafc5...
Yes, thanks, I applied this yesterday. It is still in u-boot-imx, but it will go soon into Tom's tree.
[PATCH] crypto/fsl: instantiate all rng state handles
This one should go via York Sun's tree. Please resend this patch with him on Cc.
Right - added York in CC. Patch is already assigned to him, you should not need to repost it.
Regards, Stefano

On Mon, Feb 5, 2018 at 10:56 AM, Stefano Babic sbabic@denx.de wrote:
Yes, thanks, I applied this yesterday. It is still in u-boot-imx, but it will go soon into Tom's tree.
Actually Tom has already applied it :-) http://git.denx.de/?p=u-boot.git;a=commit;h=22191ac353445ad8fafc5a78aefcd94e...