[U-Boot,v4,2/2] imx: mx7: run sec_init for CAAM RNG

Message ID 1516984078-21030-1-git-send-email-bryan.odonoghue@linaro.org
State Accepted
Commit d1ceb0c4881332cb0586920f0a40f8e4a48d99a9
Delegated to: Stefano Babic
Series Fix CAAM for TrustZone enable for warp7

Commit Message

Bryan O'Donoghue Jan. 26, 2018, 4:27 p.m. UTC
This patch adds a sec_init call into arch_misc_init(). Doing so in
conjunction with the patch "drivers/crypto/fsl: assign job-rings to
non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is
active.

u-boot will initialise the RNG and assign ownership of the job-ring
registers to a non-TrustZone context. With recent changes by Lukas Auer to
fully initialize the RNG in sec_init() this means that u-boot will hand-off
the CAAM in a state that Linux then can use the CAAM without touching the
reserved DECO registers.

This change is safe both for the OPTEE/TrustZone boot path and the regular
non-OPTEE/TrustZone boot path.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Marco Franchi <marco.franchi@nxp.com>
Cc: Vanessa Maegima <vanessa.maegima@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
---
 arch/arm/mach-imx/mx7/soc.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Lukas Auer Jan. 26, 2018, 4:40 p.m. UTC | #1
On Fri, 2018-01-26 at 16:27 +0000, Bryan O'Donoghue wrote:
> This patch adds a sec_init call into arch_misc_init(). Doing so in
> conjunction with the patch "drivers/crypto/fsl: assign job-rings to
> non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone
> is
> active.
>
> u-boot will initialise the RNG and assign ownership of the job-ring
> registers to a non-TrustZone context. With recent changes by Lukas
> Auer to
> fully initialize the RNG in sec_init() this means that u-boot will
> hand-off
> the CAAM in a state that Linux then can use the CAAM without touching
> the
> reserved DECO registers.
>
> This change is safe both for the OPTEE/TrustZone boot path and the
> regular
> non-OPTEE/TrustZone boot path.
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Fabio Estevam <fabio.estevam@nxp.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Cc: Marco Franchi <marco.franchi@nxp.com>
> Cc: Vanessa Maegima <vanessa.maegima@nxp.com>
> Cc: Stefano Babic <sbabic@denx.de>
> Cc: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
> ---
>  arch/arm/mach-imx/mx7/soc.c | 5 +++++
>  1 file changed, 5 insertions(+)
>

> diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-

> imx/mx7/soc.c

> index d160e80..d444046 100644

> --- a/arch/arm/mach-imx/mx7/soc.c

> +++ b/arch/arm/mach-imx/mx7/soc.c

> @@ -17,6 +17,7 @@

>  #include <asm/arch/crm_regs.h>

>  #include <dm.h>

>  #include <imx_thermal.h>

> +#include <fsl_sec.h>

>  

>  #if defined(CONFIG_IMX_THERMAL)

>  static const struct imx_thermal_plat imx7_thermal_plat = {

> @@ -262,6 +263,10 @@ int arch_misc_init(void)

>  		env_set("soc", "imx7s");

>  #endif

>  

> +#ifdef CONFIG_FSL_CAAM

> +	sec_init();

> +#endif

> +

>  	return 0;

>  }

>  #endif


Sorry, didn't see your patch in time before I sent my last email.

I tested your patch set again and everything works on my imx7d board
(successful probe call and using the CAAM with openssl).

Tested-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>

Fabio Estevam Jan. 26, 2018, 4:47 p.m. UTC | #2
On Fri, Jan 26, 2018 at 2:27 PM, Bryan O'Donoghue
<bryan.odonoghue@linaro.org> wrote:
> This patch adds a sec_init call into arch_misc_init(). Doing so in
> conjunction with the patch "drivers/crypto/fsl: assign job-rings to
> non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is
> active.
>
> u-boot will initialise the RNG and assign ownership of the job-ring
> registers to a non-TrustZone context. With recent changes by Lukas Auer to
> fully initialize the RNG in sec_init() this means that u-boot will hand-off
> the CAAM in a state that Linux then can use the CAAM without touching the
> reserved DECO registers.
>
> This change is safe both for the OPTEE/TrustZone boot path and the regular
> non-OPTEE/TrustZone boot path.
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Fabio Estevam <fabio.estevam@nxp.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Cc: Marco Franchi <marco.franchi@nxp.com>
> Cc: Vanessa Maegima <vanessa.maegima@nxp.com>
> Cc: Stefano Babic <sbabic@denx.de>
> Cc: Lukas Auer <lukas.auer@aisec.fraunhofer.de>

Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>

Stefano Babic Feb. 4, 2018, 10:31 a.m. UTC | #3
On 26/01/2018 17:27, Bryan O'Donoghue wrote:
> This patch adds a sec_init call into arch_misc_init(). Doing so in
> conjunction with the patch "drivers/crypto/fsl: assign job-rings to
> non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is
> active.
> 
> u-boot will initialise the RNG and assign ownership of the job-ring
> registers to a non-TrustZone context. With recent changes by Lukas Auer to
> fully initialize the RNG in sec_init() this means that u-boot will hand-off
> the CAAM in a state that Linux then can use the CAAM without touching the
> reserved DECO registers.
> 
> This change is safe both for the OPTEE/TrustZone boot path and the regular
> non-OPTEE/TrustZone boot path.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Fabio Estevam <fabio.estevam@nxp.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Cc: Marco Franchi <marco.franchi@nxp.com>
> Cc: Vanessa Maegima <vanessa.maegima@nxp.com>
> Cc: Stefano Babic <sbabic@denx.de>
> Cc: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
> ---
>  arch/arm/mach-imx/mx7/soc.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c
> index d160e80..d444046 100644
> --- a/arch/arm/mach-imx/mx7/soc.c
> +++ b/arch/arm/mach-imx/mx7/soc.c
> @@ -17,6 +17,7 @@
>  #include <asm/arch/crm_regs.h>
>  #include <dm.h>
>  #include <imx_thermal.h>
> +#include <fsl_sec.h>
>  
>  #if defined(CONFIG_IMX_THERMAL)
>  static const struct imx_thermal_plat imx7_thermal_plat = {
> @@ -262,6 +263,10 @@ int arch_misc_init(void)
>  		env_set("soc", "imx7s");
>  #endif
>  
> +#ifdef CONFIG_FSL_CAAM
> +	sec_init();
> +#endif
> +
>  	return 0;
>  }
>  #endif
> 
Applied to u-boot-imx, thanks !

Best regards,
Stefano Babic

Stefano Babic Feb. 4, 2018, 10:31 a.m. UTC | #4
On 26/01/2018 17:40, Auer, Lukas wrote:
> On Fri, 2018-01-26 at 16:27 +0000, Bryan O'Donoghue wrote:
>> This patch adds a sec_init call into arch_misc_init(). Doing so in
>> conjunction with the patch "drivers/crypto/fsl: assign job-rings to
>> non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone
>> is
>> active.
>>
>> u-boot will initialise the RNG and assign ownership of the job-ring
>> registers to a non-TrustZone context. With recent changes by Lukas
>> Auer to
>> fully initialize the RNG in sec_init() this means that u-boot will
>> hand-off
>> the CAAM in a state that Linux then can use the CAAM without touching
>> the
>> reserved DECO registers.
>>
>> This change is safe both for the OPTEE/TrustZone boot path and the
>> regular
>> non-OPTEE/TrustZone boot path.
>>
>> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
>> Cc: Fabio Estevam <fabio.estevam@nxp.com>
>> Cc: Peng Fan <peng.fan@nxp.com>
>> Cc: Marco Franchi <marco.franchi@nxp.com>
>> Cc: Vanessa Maegima <vanessa.maegima@nxp.com>
>> Cc: Stefano Babic <sbabic@denx.de>
>> Cc: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
>> ---
>>  arch/arm/mach-imx/mx7/soc.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-
>> imx/mx7/soc.c
>> index d160e80..d444046 100644
>> --- a/arch/arm/mach-imx/mx7/soc.c
>> +++ b/arch/arm/mach-imx/mx7/soc.c
>> @@ -17,6 +17,7 @@
>>  #include <asm/arch/crm_regs.h>
>>  #include <dm.h>
>>  #include <imx_thermal.h>
>> +#include <fsl_sec.h>
>>  
>>  #if defined(CONFIG_IMX_THERMAL)
>>  static const struct imx_thermal_plat imx7_thermal_plat = {
>> @@ -262,6 +263,10 @@ int arch_misc_init(void)
>>  		env_set("soc", "imx7s");
>>  #endif
>>  
>> +#ifdef CONFIG_FSL_CAAM
>> +	sec_init();
>> +#endif
>> +
>>  	return 0;
>>  }
>>  #endif
> 
> Sorry, didn't see your patch in time before I sent my last email.
> 
> I tested your patch set again and everything works on my imx7d board
> (successful probe call and using the CAAM with openssl).
> 
> Tested-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
> 

Applied to u-boot-imx, thanks !

Best regards,
Stefano Babic

Bryan O'Donoghue Feb. 5, 2018, 12:01 p.m. UTC | #5
On 04/02/18 10:31, Stefano Babic wrote:
> On 26/01/2018 17:27, Bryan O'Donoghue wrote:
>> This patch adds a sec_init call into arch_misc_init(). Doing so in
>> conjunction with the patch "drivers/crypto/fsl: assign job-rings to
>> non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is
>> active.
>>
>> u-boot will initialise the RNG and assign ownership of the job-ring
>> registers to a non-TrustZone context. With recent changes by Lukas Auer to
>> fully initialize the RNG in sec_init() this means that u-boot will hand-off
>> the CAAM in a state that Linux then can use the CAAM without touching the
>> reserved DECO registers.
>>
>> This change is safe both for the OPTEE/TrustZone boot path and the regular
>> non-OPTEE/TrustZone boot path.
>>
>> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
>> Cc: Fabio Estevam <fabio.estevam@nxp.com>
>> Cc: Peng Fan <peng.fan@nxp.com>
>> Cc: Marco Franchi <marco.franchi@nxp.com>
>> Cc: Vanessa Maegima <vanessa.maegima@nxp.com>
>> Cc: Stefano Babic <sbabic@denx.de>
>> Cc: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
>> ---
>>   arch/arm/mach-imx/mx7/soc.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c
>> index d160e80..d444046 100644
>> --- a/arch/arm/mach-imx/mx7/soc.c
>> +++ b/arch/arm/mach-imx/mx7/soc.c
>> @@ -17,6 +17,7 @@
>>   #include <asm/arch/crm_regs.h>
>>   #include <dm.h>
>>   #include <imx_thermal.h>
>> +#include <fsl_sec.h>
>>   
>>   #if defined(CONFIG_IMX_THERMAL)
>>   static const struct imx_thermal_plat imx7_thermal_plat = {
>> @@ -262,6 +263,10 @@ int arch_misc_init(void)
>>   		env_set("soc", "imx7s");
>>   #endif
>>   
>> +#ifdef CONFIG_FSL_CAAM
>> +	sec_init();
>> +#endif
>> +
>>   	return 0;
>>   }
>>   #endif
>>
> Applied to u-boot-imx, thanks !

Thanks,

Could you apply these two also ?

[PATCH v4 1/2] drivers/crypto/fsl: assign job-rings to non-TrustZone
[PATCH] crypto/fsl: instantiate all rng state handles

I had a plan to send out these three patches together as a series - 
since they are all required to fix the CAAM/TrustZone issue and so they 
should be treated as a set.

---
bod

Fabio Estevam Feb. 5, 2018, 12:07 p.m. UTC | #6
Hi Bryan,

On Mon, Feb 5, 2018 at 10:01 AM, Bryan O'Donoghue
<bryan.odonoghue@linaro.org> wrote:

> Thanks,
>
> Could you apply these two also ?
>
> [PATCH v4 1/2] drivers/crypto/fsl: assign job-rings to non-TrustZone

Stefano has already applied it:
http://git.denx.de/?p=u-boot/u-boot-imx.git;a=commit;h=22191ac353445ad8fafc5a78aefcd94e78963041

> [PATCH] crypto/fsl: instantiate all rng state handles

This one should go via York Sun's tree. Please resend this patch with him on Cc.

Thanks

Stefano Babic Feb. 5, 2018, 12:56 p.m. UTC | #7
On 05/02/2018 13:07, Fabio Estevam wrote:
> Hi Bryan,
> 
> On Mon, Feb 5, 2018 at 10:01 AM, Bryan O'Donoghue
> <bryan.odonoghue@linaro.org> wrote:
> 
>> Thanks,
>>
>> Could you apply these two also ?
>>
>> [PATCH v4 1/2] drivers/crypto/fsl: assign job-rings to non-TrustZone
> 
> Stefano has already applied it:
> http://git.denx.de/?p=u-boot/u-boot-imx.git;a=commit;h=22191ac353445ad8fafc5a78aefcd94e78963041
> 

Yes, thanks, I applied this yesterday. It is still in u-boot-imx, but it
will go soon into Tom's tree.

>> [PATCH] crypto/fsl: instantiate all rng state handles
> 
> This one should go via York Sun's tree. Please resend this patch with him on Cc.
> 

Right - added York in CC. Patch is already assigned to him, you should
not need to repost it.

Regards,
Stefano

Fabio Estevam Feb. 5, 2018, 12:59 p.m. UTC | #8
On Mon, Feb 5, 2018 at 10:56 AM, Stefano Babic <sbabic@denx.de> wrote:

>
> Yes, thanks, I applied this yesterday. It is still in u-boot-imx, but it
> will go soon into Tom's tree.

Actually Tom has already applied it :-)
http://git.denx.de/?p=u-boot.git;a=commit;h=22191ac353445ad8fafc5a78aefcd94e78963041

Patch

diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c
index d160e80..d444046 100644
--- a/arch/arm/mach-imx/mx7/soc.c
+++ b/arch/arm/mach-imx/mx7/soc.c
@@ -17,6 +17,7 @@ 
 #include <asm/arch/crm_regs.h>
 #include <dm.h>
 #include <imx_thermal.h>
+#include <fsl_sec.h>
 
 #if defined(CONFIG_IMX_THERMAL)
 static const struct imx_thermal_plat imx7_thermal_plat = {
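Review bot: the new #include <fsl_sec.h> is unconditional, while the only use this patch makes of it, the sec_init() call in arch_misc_init(), sits under #ifdef CONFIG_FSL_CAAM. Either confirm that fsl_sec.h builds cleanly for mx7 configurations that do not enable CONFIG_FSL_CAAM, or wrap the include in the same guard so the dependency is stated in one place.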
@@ -262,6 +263,10 @@  int arch_misc_init(void)
 		env_set("soc", "imx7s");
 #endif
 
+#ifdef CONFIG_FSL_CAAM
+	sec_init();
+#endif
+
 	return 0;
 }
 #endif
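Review bot: the result of the sec_init() call added just before return 0 is discarded, so arch_misc_init() reports success whether or not the CAAM was actually initialised. The commit message depends on U-Boot handing the CAAM to Linux with the RNG already set up; any failure sec_init() reports is dropped here and that hand-off would silently not happen. Consider capturing the return value and at least printing a warning when it is non-zero, and add a one-line comment above the #ifdef CONFIG_FSL_CAAM saying why the call lives here (RNG initialisation and job-ring ownership must be done before Linux boots with OPTEE/TrustZone active).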