[U-Boot,1/4] crypto/fsl: Introduce API to save/restore job-ring context
diff mbox series

Message ID 20190423101948.24898-2-bryan.odonoghue@linaro.org
State Changes Requested
Delegated to: Stefano Babic
Headers show
Series
  • imx: Implement job-ring context switching
Related show

Commit Message

Bryan O'Donoghue April 23, 2019, 10:19 a.m. UTC
We need to handle the case where DEK blobs are passed to the BootROM. In
this case, unlike in HAB authentication the BootROM checks job-ring
ownership set to secure world.

One possible solution is to set the job-ring ownership to the expected
state for DEK blobs and then restore to whatever the run-time wants.

For the case where Linux runs in normal-world we would want to set the
job-ring ownership to normal-world.

The first step in the ownership context switch dance is making an API to do
it.

This patch introduces:

void __weak sec_set_jr_context_secure(void);
void __weak sec_set_jr_context_normal(void);

This can be over-ridden for a given architecture, as will be necessary for
the MPC85xxx

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 drivers/crypto/fsl/jr.c | 38 ++++++++++++++++++++++++++++++++++++++
 include/fsl_sec.h       |  3 +++
 2 files changed, 41 insertions(+)

Comments

Breno Matheus Lima April 25, 2019, 10:13 p.m. UTC | #1
Hi Bryan,

Em ter, 23 de abr de 2019 às 07:20, Bryan O'Donoghue
<bryan.odonoghue@linaro.org> escreveu:
>
> We need to handle the case where DEK blobs are passed to the BootROM. In
> this case, unlike in HAB authentication the BootROM checks job-ring
> ownership set to secure world.
>
> One possible solution is to set the job-ring ownership to the expected
> state for DEK blobs and then restore to whatever the run-time wants.
>
> For the case where Linux runs in normal-world we would want to set the
> job-ring ownership to normal-world.
>
> The first step in the ownership context switch dance is making an API to do
> it.
>
> This patch introduces:
>
> void __weak sec_set_jr_context_secure(void);
> void __weak sec_set_jr_context_normal(void);
>
> This can be over-ridden for a given architecture, as will be necessary for
> the MPC85xxx
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> ---
>  drivers/crypto/fsl/jr.c | 38 ++++++++++++++++++++++++++++++++++++++
>  include/fsl_sec.h       |  3 +++
>  2 files changed, 41 insertions(+)
>
> diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
> index cc8d3b02a5..7b13aa4a61 100644
> --- a/drivers/crypto/fsl/jr.c
> +++ b/drivers/crypto/fsl/jr.c
> @@ -574,6 +574,44 @@ static int rng_init(uint8_t sec_idx)
>         return ret;
>  }
>  #endif
> +
> +static void __sec_set_jr_context_secure(uint8_t sec_idx)
> +{
> +       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> +       uint32_t jrown_ns;
> +       int i;
> +
> +       for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
> +               jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
> +               jrown_ns &= ~(JROWN_NS | JRMID_NS);

We have the following definition at drivers/crypto/fsl/jr.h:

#define JRMID_NS 0x00000001

Seems that we are setting JROWN_MID field which is not TrustZone
related, from i.MX7D Security Reference Manual:

Job Ring Owner's MID. This field defines the MID of the bus master
that is permitted to read or write the registers that are specific to
a particular Job Ring. These registers include the job ring
configuration registers, the interrupt registers, the CAAM Secure
Memory Access Permissions and Secure Memory Access Group registers and
the ring buffer registers.

Could you please double check?

Thanks,
Breno Lima
Bryan O'Donoghue April 30, 2019, 1:29 p.m. UTC | #2
On 25/04/2019 23:13, Breno Matheus Lima wrote:
> Hi Bryan,
> 
> Em ter, 23 de abr de 2019 às 07:20, Bryan O'Donoghue
> <bryan.odonoghue@linaro.org> escreveu:
>>
>> We need to handle the case where DEK blobs are passed to the BootROM. In
>> this case, unlike in HAB authentication the BootROM checks job-ring
>> ownership set to secure world.
>>
>> One possible solution is to set the job-ring ownership to the expected
>> state for DEK blobs and then restore to whatever the run-time wants.
>>
>> For the case where Linux runs in normal-world we would want to set the
>> job-ring ownership to normal-world.
>>
>> The first step in the ownership context switch dance is making an API to do
>> it.
>>
>> This patch introduces:
>>
>> void __weak sec_set_jr_context_secure(void);
>> void __weak sec_set_jr_context_normal(void);
>>
>> This can be over-ridden for a given architecture, as will be necessary for
>> the MPC85xxx
>>
>> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
>> ---
>>   drivers/crypto/fsl/jr.c | 38 ++++++++++++++++++++++++++++++++++++++
>>   include/fsl_sec.h       |  3 +++
>>   2 files changed, 41 insertions(+)
>>
>> diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
>> index cc8d3b02a5..7b13aa4a61 100644
>> --- a/drivers/crypto/fsl/jr.c
>> +++ b/drivers/crypto/fsl/jr.c
>> @@ -574,6 +574,44 @@ static int rng_init(uint8_t sec_idx)
>>          return ret;
>>   }
>>   #endif
>> +
>> +static void __sec_set_jr_context_secure(uint8_t sec_idx)
>> +{
>> +       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
>> +       uint32_t jrown_ns;
>> +       int i;
>> +
>> +       for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
>> +               jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
>> +               jrown_ns &= ~(JROWN_NS | JRMID_NS);
> 
> We have the following definition at drivers/crypto/fsl/jr.h:
> 
> #define JRMID_NS 0x00000001
> 
> Seems that we are setting JROWN_MID field which is not TrustZone
> related, from i.MX7D Security Reference Manual:
> 
> Job Ring Owner's MID. This field defines the MID of the bus master
> that is permitted to read or write the registers that are specific to
> a particular Job Ring. These registers include the job ring
> configuration registers, the interrupt registers, the CAAM Secure
> Memory Access Permissions and Secure Memory Access Group registers and
> the ring buffer registers.

Hrmm, just seeing your response now Breno.

What we have is:
include/fsl_sec.h:#define JR_MID    2    /* Matches ROM configuration */

There's a decent argument to read what the BootROM has set for JR_MID 
and write it back ...

Let me include that in v2.

---
bod

Patch
diff mbox series

diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index cc8d3b02a5..7b13aa4a61 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -574,6 +574,44 @@  static int rng_init(uint8_t sec_idx)
 	return ret;
 }
 #endif
+
+static void __sec_set_jr_context_secure(uint8_t sec_idx)
+{
+	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
+	uint32_t jrown_ns;
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
+		jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
+		jrown_ns &= ~(JROWN_NS | JRMID_NS);
+		sec_out32(&sec->jrliodnr[i].ms, jrown_ns);
+	}
+
+}
+
+static void __sec_set_jr_context_normal(uint8_t sec_idx)
+{
+	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
+	uint32_t jrown_ns;
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
+		jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
+		jrown_ns |= JROWN_NS | JRMID_NS;
+		sec_out32(&sec->jrliodnr[i].ms, jrown_ns);
+	}
+}
+
+void __weak sec_set_jr_context_secure(void)
+{
+	__sec_set_jr_context_secure(0);
+}
+
+void __weak sec_set_jr_context_normal(void)
+{
+	__sec_set_jr_context_normal(0);
+}
+
 int sec_init_idx(uint8_t sec_idx)
 {
 	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
diff --git a/include/fsl_sec.h b/include/fsl_sec.h
index be08a2b88b..399cfd091b 100644
--- a/include/fsl_sec.h
+++ b/include/fsl_sec.h
@@ -319,4 +319,7 @@  int sec_init_idx(uint8_t);
 int sec_init(void);
 #endif
 
+void sec_set_jr_context_secure(void);
+void sec_set_jr_context_normal(void);
+
 #endif /* __FSL_SEC_H */