From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v2 0/2] Fix CAAM for TrustZone enable for warp7
Date: Fri, 26 Jan 2018 02:09:36 +0000
Message-ID: <1516932578-19992-1-git-send-email-bryan.odonoghue@linaro.org>

V2:
- Add an explicit assignment of JRMID when setting job-ring ownership
  Required on my reference part where the JRMID field is not set on the
  third job-ring

V1:
This series is the u-boot fix to a problem we encountered when enabling
OPTEE/TrustZone on the WaRP7. The symptom is once TrustZone is activated
the first page of CAAM registers becomes read-only, read-zero from the
perspective of Linux and other non-TrustZone contexts.

Offlining the problem with Peng Fan[1] we eventually came to realise the
problem could be worked around by

1. Making Linux skip RNG initialisation - a set of patches should be
   hitting LKML to do just that.

2. Initialising the RNG either from u-boot or OPTEE. In this case u-boot is
   the right place to do that because there's upstream code in u-boot that
   just works. Patch #2 does that for the WaRP7.

3. Ensuring the job-ring registers are assigned to the non-TrustZone mode.
   On the i.MX7 after the BootROM runs the job-ring registers are assigned
   to TrustZone. Patch #1 does that for all CAAM hardware.

On point #3 this ordinarily isn't a problem because unless TrustZone is
activated the restrictions on the job-ring registers don't kick in; it's
only after enabling TrustZone that Linux will lose access to the job-ring
registers.

Finally should OPTEE or another TEE want to do things with the job-ring
registers it will have sufficient privilege to assign whichever job-ring
registers it wants to OPTEE/TEE but will naturally then have to arbitrate
with Linux to inform the Kernel CAAM driver which job-ring registers it can
and cannot access.

That arbitration process is for a future putative OPTEE/TEE CAAM driver to
solve and is out of scope of this patchset.

[1] Thanks for all of your help BTW - Peng, there's no way this would be
    working without you giving direction on how.

Bryan O'Donoghue (2):
  drivers/crypto/fsl: assign job-rings to non-TrustZone
  warp7 : run sec_init for CAAM RNG

 board/warp7/warp7.c     | 6 +++++-
 drivers/crypto/fsl/jr.c | 9 +++++++++
 drivers/crypto/fsl/jr.h | 2 ++
 3 files changed, 16 insertions(+), 1 deletion(-)

-- 
2.7.4
