
[U-Boot,1/4] crypto/fsl: Introduce API to save/restore job-ring context

Message ID 20190423101948.24898-2-bryan.odonoghue@linaro.org
State Changes Requested
Delegated to: Stefano Babic
Series imx: Implement job-ring context switching | expand

Commit Message

Bryan O'Donoghue April 23, 2019, 10:19 a.m. UTC
We need to handle the case where DEK blobs are passed to the BootROM. In
this case, unlike in HAB authentication, the BootROM checks that job-ring
ownership is set to secure world.

One possible solution is to set the job-ring ownership to the expected
state for DEK blobs and then restore to whatever the run-time wants.

For the case where Linux runs in normal-world we would want to set the
job-ring ownership to normal-world.

The first step in the ownership context switch dance is making an API to do
it.

This patch introduces:

void __weak sec_set_jr_context_secure(void);
void __weak sec_set_jr_context_normal(void);

This can be over-ridden for a given architecture, as will be necessary for
the MPC85xxx

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 drivers/crypto/fsl/jr.c | 38 ++++++++++++++++++++++++++++++++++++++
 include/fsl_sec.h       |  3 +++
 2 files changed, 41 insertions(+)

Comments

Breno Matheus Lima April 25, 2019, 10:13 p.m. UTC | #1
Hi Bryan,

Em ter, 23 de abr de 2019 às 07:20, Bryan O'Donoghue
<bryan.odonoghue@linaro.org> escreveu:
>
> We need to handle the case where DEK blobs are passed to the BootROM. In
> this case, unlike in HAB authentication the BootROM checks job-ring
> ownership set to secure world.
>
> One possible solution is to set the job-ring ownership to the expected
> state for DEK blobs and then restore to whatever the run-time wants.
>
> For the case where Linux runs in normal-world we would want to set the
> job-ring ownership to normal-world.
>
> The first step in the ownership context switch dance is making an API to do
> it.
>
> This patch introduces:
>
> void __weak sec_set_jr_context_secure(void);
> void __weak sec_set_jr_context_normal(void);
>
> This can be over-ridden for a given architecture, as will be necessary for
> the MPC85xxx
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> ---
>  drivers/crypto/fsl/jr.c | 38 ++++++++++++++++++++++++++++++++++++++
>  include/fsl_sec.h       |  3 +++
>  2 files changed, 41 insertions(+)
>
> diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
> index cc8d3b02a5..7b13aa4a61 100644
> --- a/drivers/crypto/fsl/jr.c
> +++ b/drivers/crypto/fsl/jr.c
> @@ -574,6 +574,44 @@ static int rng_init(uint8_t sec_idx)
>         return ret;
>  }
>  #endif
> +
> +static void __sec_set_jr_context_secure(uint8_t sec_idx)
> +{
> +       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> +       uint32_t jrown_ns;
> +       int i;
> +
> +       for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
> +               jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
> +               jrown_ns &= ~(JROWN_NS | JRMID_NS);

We have the following definition at drivers/crypto/fsl/jr.h:

#define JRMID_NS 0x00000001

Seems that we are setting JROWN_MID field which is not TrustZone
related, from i.MX7D Security Reference Manual:

Job Ring Owner's MID. This field defines the MID of the bus master
that is permitted to read or write the registers that are specific to
a particular Job Ring. These registers include the job ring
configuration registers, the interrupt registers, the CAAM Secure
Memory Access Permissions and Secure Memory Access Group registers and
the ring buffer registers.

Could you please double check?

Thanks,
Breno Lima
Bryan O'Donoghue April 30, 2019, 1:29 p.m. UTC | #2
On 25/04/2019 23:13, Breno Matheus Lima wrote:
> Hi Bryan,
> 
> Em ter, 23 de abr de 2019 às 07:20, Bryan O'Donoghue
> <bryan.odonoghue@linaro.org> escreveu:
>>
>> We need to handle the case where DEK blobs are passed to the BootROM. In
>> this case, unlike in HAB authentication the BootROM checks job-ring
>> ownership set to secure world.
>>
>> One possible solution is to set the job-ring ownership to the expected
>> state for DEK blobs and then restore to whatever the run-time wants.
>>
>> For the case where Linux runs in normal-world we would want to set the
>> job-ring ownership to normal-world.
>>
>> The first step in the ownership context switch dance is making an API to do
>> it.
>>
>> This patch introduces:
>>
>> void __weak sec_set_jr_context_secure(void);
>> void __weak sec_set_jr_context_normal(void);
>>
>> This can be over-ridden for a given architecture, as will be necessary for
>> the MPC85xxx
>>
>> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
>> ---
>>   drivers/crypto/fsl/jr.c | 38 ++++++++++++++++++++++++++++++++++++++
>>   include/fsl_sec.h       |  3 +++
>>   2 files changed, 41 insertions(+)
>>
>> diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
>> index cc8d3b02a5..7b13aa4a61 100644
>> --- a/drivers/crypto/fsl/jr.c
>> +++ b/drivers/crypto/fsl/jr.c
>> @@ -574,6 +574,44 @@ static int rng_init(uint8_t sec_idx)
>>          return ret;
>>   }
>>   #endif
>> +
>> +static void __sec_set_jr_context_secure(uint8_t sec_idx)
>> +{
>> +       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
>> +       uint32_t jrown_ns;
>> +       int i;
>> +
>> +       for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
>> +               jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
>> +               jrown_ns &= ~(JROWN_NS | JRMID_NS);
> 
> We have the following definition at drivers/crypto/fsl/jr.h:
> 
> #define JRMID_NS 0x00000001
> 
> Seems that we are setting JROWN_MID field which is not TrustZone
> related, from i.MX7D Security Reference Manual:
> 
> Job Ring Owner's MID. This field defines the MID of the bus master
> that is permitted to read or write the registers that are specific to
> a particular Job Ring. These registers include the job ring
> configuration registers, the interrupt registers, the CAAM Secure
> Memory Access Permissions and Secure Memory Access Group registers and
> the ring buffer registers.

Hrmm, just seeing your response now Breno.

What we have is:
include/fsl_sec.h:#define JR_MID    2    /* Matches ROM configuration */

There's a decent argument to read what the BootROM has set for JR_MID 
and write it back ...

Let me include that in v2.

---
bod

Patch

diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index cc8d3b02a5..7b13aa4a61 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -574,6 +574,44 @@  static int rng_init(uint8_t sec_idx)
 	return ret;
 }
 #endif
+
+static void __sec_set_jr_context_secure(uint8_t sec_idx)
+{
+	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
+	uint32_t jrown_ns;
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
+		jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
+		jrown_ns &= ~(JROWN_NS | JRMID_NS);
+		sec_out32(&sec->jrliodnr[i].ms, jrown_ns);
+	}
+
+}
+
+static void __sec_set_jr_context_normal(uint8_t sec_idx)
+{
+	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
+	uint32_t jrown_ns;
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
+		jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
+		jrown_ns |= JROWN_NS | JRMID_NS;
+		sec_out32(&sec->jrliodnr[i].ms, jrown_ns);
+	}
+}
+
+void __weak sec_set_jr_context_secure(void)
+{
+	__sec_set_jr_context_secure(0);
+}
+
+void __weak sec_set_jr_context_normal(void)
+{
+	__sec_set_jr_context_normal(0);
+}
+
 int sec_init_idx(uint8_t sec_idx)
 {
 	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
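Review bot: `__sec_set_jr_context_normal()` does not restore a saved state: it ORs `JROWN_NS | JRMID_NS` into every `jrliodnr` entry whatever the entry held before, although the subject line describes a save/restore API. If a platform deliberately keeps one job ring secure-owned (not visible in this patch, so this is an assumption), a secure/normal round trip would hand that ring to normal world. Consider recording each `.ms` word in the secure call and writing it back afterwards, as sketched below, or at least documenting that both calls force a fixed state on all rings of SEC 0. The helpers also return `void`, so a caller cannot tell whether the ownership write took effect before it passes a DEK blob to the BootROM.

```c
/* constructed sketch; jr_saved_ms and jr_ctx_saved are new names, SEC 0 only */
static uint32_t jr_saved_ms[ARRAY_SIZE(((ccsr_sec_t *)0)->jrliodnr)];
static bool jr_ctx_saved;

static void __sec_set_jr_context_secure(uint8_t sec_idx)
{
	/* … unchanged: sec pointer and locals … */
	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
		jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
		jr_saved_ms[i] = jrown_ns;	/* keep the pre-switch value */
		/* … unchanged: clear ownership bits and write back … */
	}
	jr_ctx_saved = true;
}

static void __sec_set_jr_context_normal(uint8_t sec_idx)
{
	/* … unchanged: sec pointer and locals … */
	if (!jr_ctx_saved)
		return;	/* nothing recorded, leave the rings untouched */
	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++)
		sec_out32(&sec->jrliodnr[i].ms, jr_saved_ms[i]);
	jr_ctx_saved = false;
}
```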
diff --git a/include/fsl_sec.h b/include/fsl_sec.h
index be08a2b88b..399cfd091b 100644
--- a/include/fsl_sec.h
+++ b/include/fsl_sec.h
@@ -319,4 +319,7 @@  int sec_init_idx(uint8_t);
 int sec_init(void);
 #endif
 
+void sec_set_jr_context_secure(void);
+void sec_set_jr_context_normal(void);
+
 #endif /* __FSL_SEC_H */
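Review bot: The two new prototypes carry no comment describing their contract, even though they change which world owns the CAAM job rings. A short header comment would help callers, for example `/* Force all job rings of SEC 0 to secure-world ownership; pair with sec_set_jr_context_normal() once the BootROM call returns */` and a matching line for the normal-world call. It should also say that the default weak implementations act on SEC index 0 only. The declarations sit after the `#endif` that closes the block holding `sec_init()`, so they are visible even where that block is compiled out; whether the definitions in drivers/crypto/fsl/jr.c are always built alongside is not visible here and is worth confirming.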