[PATCH v5 00/16] Add CAAM driver model support

[PATCH v5 00/16] Add CAAM driver model support

[Gaurav Jain]

This patchset adds the support for following:
1) CAAM Driver model for all i.MX, layerscape, PPC platforms.
2) Added crypto node in device tree files.
3) CAAM support for blob key encryption key(bkek), random number generation.
4) fix build issue for mx6sabre: Remove SPL DTB related configs and SPL_OF_CONTROL.
5) fixed hwrng performance issue in kernel.

i.MX platforms:
i.MX6, i.MX7, i.MX7ULP, i.MX8MM/MN/MP/MQ, i.MX8QM/QXP

Layerscape platforms:
LS1021, LS1012, LS1028, LS1043, LS1046, LS1088, LS2088, LX2160, LX2162

Powerpc platforms:
P3041, P4080, P5040, P2041, T1024, T1042, T2080, T4240

changes since v4:
 - rebase to latest master
 - updated caam_jr_probe() with livetree APIs.
 - imx8m: moved jr0 disable code to *-uboot.dtsi files.

changes since v3:
 - rebase to latest master
 - fixed build error when new file arch/powerpc/include/asm/u-boot-ppc.h is
   included from assembly files.
 - removed arch/arm/dts/fsl-ls1028a.dtsi as it is conflicting with the series
   https://lore.kernel.org/u-boot/20211013161427.612033-1-michael@walle.cc/

Gaurav Jain (14):
  crypto/fsl: Add support for CAAM Job ring driver model
  crypto/fsl: Add CAAM support for bkek, random number generation
  i.MX8M: crypto: updated device tree for supporting DM in SPL
  crypto/fsl: i.MX8M: Enable Job ring driver model in SPL and U-Boot.
  i.MX6: Enable Job ring driver model in U-Boot.
  i.MX7: Enable Job ring driver model in U-Boot.
  i.MX7ULP: Enable Job ring driver model in U-Boot.
  i.MX8: Add crypto node in device tree
  crypto/fsl: i.MX8: Enable Job ring driver model in SPL and U-Boot.
  Layerscape: Add crypto node in device tree
  Layerscape: Enable Job ring driver model in U-Boot.
  PPC: Add crypto node in device tree
  PPC: Enable Job ring driver model in U-Boot
  update CAAM MAINTAINER

Ye Li (2):
  mx6sabre: Remove unnecessary SPL configs
  crypto/fsl: Fix kick_trng

 MAINTAINERS                                   |   7 +
 arch/arm/Kconfig                              |   9 +-
 arch/arm/cpu/armv7/ls102xa/Kconfig            |   4 +
 arch/arm/cpu/armv7/ls102xa/cpu.c              |  16 +
 arch/arm/cpu/armv8/fsl-layerscape/Kconfig     |  27 ++
 arch/arm/cpu/armv8/fsl-layerscape/cpu.c       |  10 +-
 arch/arm/dts/fsl-imx8dx.dtsi                  |  61 ++-
 arch/arm/dts/fsl-imx8qm-mek-u-boot.dtsi       |  34 +-
 arch/arm/dts/fsl-imx8qm.dtsi                  |  61 ++-
 arch/arm/dts/fsl-imx8qxp-mek-u-boot.dtsi      |  34 +-
 arch/arm/dts/fsl-ls1012a.dtsi                 |  46 +-
 arch/arm/dts/fsl-ls1043a.dtsi                 |  45 +-
 arch/arm/dts/fsl-ls1046a.dtsi                 |  44 ++
 arch/arm/dts/fsl-ls1088a.dtsi                 |  39 ++
 arch/arm/dts/fsl-ls2080a.dtsi                 |  39 ++
 arch/arm/dts/fsl-lx2160a.dtsi                 |  41 +-
 arch/arm/dts/imx7ulp.dtsi                     |  24 +
 arch/arm/dts/imx8mm-evk-u-boot.dtsi           |  19 +-
 arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi      |  19 +-
 arch/arm/dts/imx8mp-evk-u-boot.dtsi           |  19 +-
 arch/arm/dts/imx8mq-evk-u-boot.dtsi           |   4 +
 arch/arm/dts/ls1021a.dtsi                     |  40 ++
 arch/arm/include/asm/arch-imx8/imx-regs.h     |   5 +-
 arch/arm/include/asm/arch-imx8m/imx-regs.h    |   1 +
 arch/arm/mach-imx/cmd_dek.c                   |   1 +
 arch/arm/mach-imx/imx8/Kconfig                |   9 +
 arch/arm/mach-imx/imx8/cpu.c                  |  16 +-
 arch/arm/mach-imx/imx8m/Kconfig               |  23 +
 arch/arm/mach-imx/imx8m/soc.c                 |  10 +-
 arch/arm/mach-imx/mx6/Kconfig                 |  20 +
 arch/arm/mach-imx/mx6/soc.c                   |  12 +-
 arch/arm/mach-imx/mx7/Kconfig                 |   3 +
 arch/arm/mach-imx/mx7/soc.c                   |  11 +-
 arch/arm/mach-imx/mx7ulp/Kconfig              |   4 +
 arch/arm/mach-imx/mx7ulp/soc.c                |  16 +
 arch/powerpc/cpu/mpc85xx/Kconfig              |  44 ++
 arch/powerpc/cpu/mpc85xx/cpu_init.c           |  17 +-
 arch/powerpc/dts/p2041si-post.dtsi            |   1 +
 arch/powerpc/dts/p3041si-post.dtsi            |   1 +
 arch/powerpc/dts/p4080si-post.dtsi            |   1 +
 arch/powerpc/dts/p5040si-post.dtsi            |   1 +
 arch/powerpc/dts/qoriq-sec4.0-0.dtsi          |  74 +++
 arch/powerpc/dts/qoriq-sec4.2-0.dtsi          |  83 ++++
 arch/powerpc/dts/qoriq-sec5.2-0.dtsi          |  92 ++++
 arch/powerpc/dts/t1023si-post.dtsi            |   1 +
 arch/powerpc/dts/t1042si-post.dtsi            |   1 +
 arch/powerpc/dts/t2080si-post.dtsi            |   1 +
 arch/powerpc/dts/t4240si-post.dtsi            |   1 +
 arch/powerpc/include/asm/u-boot-ppc.h         |  17 +
 arch/powerpc/include/asm/u-boot.h             |   1 +
 board/freescale/imx8mm_evk/spl.c              |   9 +-
 board/freescale/imx8mn_evk/spl.c              |   8 +-
 board/freescale/imx8mp_evk/spl.c              |  13 +-
 board/freescale/imx8mq_evk/spl.c              |   9 +-
 board/freescale/imx8qm_mek/spl.c              |   6 +-
 board/freescale/imx8qxp_mek/spl.c             |   6 +-
 board/freescale/ls1012afrdm/ls1012afrdm.c     |   7 +-
 board/freescale/ls1012aqds/ls1012aqds.c       |   6 +-
 board/freescale/ls1012ardb/ls1012ardb.c       |   6 +-
 board/freescale/ls1021aiot/ls1021aiot.c       |   6 +-
 board/freescale/ls1021aqds/ls1021aqds.c       |   6 +-
 board/freescale/ls1021atsn/ls1021atsn.c       |   7 +-
 board/freescale/ls1021atwr/ls1021atwr.c       |   8 +-
 board/freescale/ls1028a/ls1028a.c             |   6 +-
 board/freescale/ls1043ardb/ls1043ardb.c       |   6 +-
 board/freescale/ls1046afrwy/ls1046afrwy.c     |   7 +-
 board/freescale/ls1046aqds/ls1046aqds.c       |   7 +-
 board/freescale/ls1046ardb/ls1046ardb.c       |   6 +-
 board/freescale/ls1088a/ls1088a.c             |   6 +-
 board/freescale/ls2080aqds/ls2080aqds.c       |   6 +-
 board/freescale/ls2080ardb/ls2080ardb.c       |   9 +-
 board/freescale/lx2160a/lx2160a.c             |   5 -
 cmd/Kconfig                                   |   1 +
 configs/P2041RDB_defconfig                    |   1 -
 configs/P3041DS_defconfig                     |   1 -
 configs/P4080DS_defconfig                     |   1 -
 configs/P5040DS_defconfig                     |   1 -
 configs/T1024RDB_defconfig                    |   1 -
 configs/T1042D4RDB_defconfig                  |   1 -
 configs/T2080QDS_defconfig                    |   1 -
 configs/T2080RDB_defconfig                    |   1 -
 configs/T4240RDB_defconfig                    |   1 -
 configs/ls1021aiot_qspi_defconfig             |   1 -
 configs/ls1021aqds_nor_defconfig              |   1 -
 configs/ls1021aqds_qspi_defconfig             |   1 -
 configs/ls1021atsn_qspi_defconfig             |   1 -
 configs/ls1021atwr_nor_defconfig              |   1 -
 ...s1021atwr_sdcard_ifc_SECURE_BOOT_defconfig |   1 +
 configs/ls1028ardb_tfa_defconfig              |   1 -
 configs/ls1043ardb_tfa_defconfig              |   1 -
 configs/ls1046afrwy_tfa_defconfig             |   1 -
 configs/ls1046aqds_tfa_defconfig              |   1 -
 configs/ls1046ardb_tfa_defconfig              |   1 -
 configs/ls2088aqds_tfa_defconfig              |   1 -
 configs/ls2088ardb_tfa_defconfig              |   1 -
 configs/lx2160aqds_tfa_defconfig              |   1 -
 configs/lx2160ardb_tfa_defconfig              |   1 -
 configs/lx2162aqds_tfa_defconfig              |   1 -
 configs/mx6sabreauto_defconfig                |   2 -
 configs/mx6sabresd_defconfig                  |   4 -
 drivers/crypto/fsl/Kconfig                    |   9 +-
 drivers/crypto/fsl/Makefile                   |   4 +-
 drivers/crypto/fsl/desc.h                     |   5 +
 drivers/crypto/fsl/fsl_blob.c                 |  82 ++++
 drivers/crypto/fsl/jobdesc.c                  |  20 +-
 drivers/crypto/fsl/jobdesc.h                  |   4 +
 drivers/crypto/fsl/jr.c                       | 459 +++++++++++++-----
 drivers/crypto/fsl/jr.h                       |  14 +
 include/fsl_sec.h                             |  13 +-
 scripts/config_whitelist.txt                  |   1 +
 110 files changed, 1615 insertions(+), 292 deletions(-)
 create mode 100644 arch/powerpc/dts/qoriq-sec4.0-0.dtsi
 create mode 100644 arch/powerpc/dts/qoriq-sec4.2-0.dtsi
 create mode 100644 arch/powerpc/dts/qoriq-sec5.2-0.dtsi
 create mode 100644 arch/powerpc/include/asm/u-boot-ppc.h

-- 
2.17.1

[PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[Gaurav Jain]

added device tree support for job ring driver.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 cmd/Kconfig                 |   1 +
 drivers/crypto/fsl/Kconfig  |   7 +
 drivers/crypto/fsl/Makefile |   4 +-
 drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
 drivers/crypto/fsl/jr.h     |  14 ++
 5 files changed, 232 insertions(+), 110 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 5b30b13e43..2b24672505 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2009,6 +2009,7 @@ config CMD_AES
 
 config CMD_BLOB
 	bool "Enable the 'blob' command"
+	select FSL_BLOB
 	depends on !MX6ULL && !MX6SLL && !MX6SL
 	select IMX_HAB if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP || ARCH_IMX8M
 	help
diff --git a/drivers/crypto/fsl/Kconfig b/drivers/crypto/fsl/Kconfig
index 94ff540111..ab59d516f8 100644
--- a/drivers/crypto/fsl/Kconfig
+++ b/drivers/crypto/fsl/Kconfig
@@ -66,4 +66,11 @@ config FSL_CAAM_RNG
 	  using the prediction resistance flag which means the DRGB is
 	  reseeded from the TRNG every time random data is generated.
 
+config FSL_BLOB
+        bool "Enable Blob Encap/Decap, Blob KEK support"
+	help
+	  Enable support for the hardware based crytographic blob encap/decap
+	  module of the CAAM. blobs can be safely placed into non-volatile
+	  storage. blobs can only be decapsulated by the SoC that created it.
+	  Enable support for blob key encryption key generation.
 endif
diff --git a/drivers/crypto/fsl/Makefile b/drivers/crypto/fsl/Makefile
index f9c3ccecfc..738535b8e4 100644
--- a/drivers/crypto/fsl/Makefile
+++ b/drivers/crypto/fsl/Makefile
@@ -1,10 +1,12 @@
 # SPDX-License-Identifier: GPL-2.0+
 #
 # Copyright 2014 Freescale Semiconductor, Inc.
+# Copyright 2021 NXP
 
 obj-y += sec.o
 obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o
-obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o
+obj-$(CONFIG_FSL_BLOB) += fsl_blob.o
+obj-$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o
 obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o
 obj-$(CONFIG_FSL_CAAM_RNG) += rng.o
 obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o
diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index 22b649219e..eea2225a1e 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2008-2014 Freescale Semiconductor, Inc.
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  *
  * Based on CAAM driver in drivers/crypto/caam in Linux
  */
@@ -11,7 +11,6 @@
 #include <linux/kernel.h>
 #include <log.h>
 #include <malloc.h>
-#include "fsl_sec.h"
 #include "jr.h"
 #include "jobdesc.h"
 #include "desc_constr.h"
@@ -21,8 +20,11 @@
 #include <asm/cache.h>
 #include <asm/fsl_pamu.h>
 #endif
+#include <dm.h>
 #include <dm/lists.h>
 #include <linux/delay.h>
+#include <dm/root.h>
+#include <dm/device-internal.h>
 
 #define CIRC_CNT(head, tail, size)	(((head) - (tail)) & (size - 1))
 #define CIRC_SPACE(head, tail, size)	CIRC_CNT((tail), (head) + 1, (size))
@@ -35,20 +37,30 @@ uint32_t sec_offset[CONFIG_SYS_FSL_MAX_NUM_OF_SEC] = {
 #endif
 };
 
+#if CONFIG_IS_ENABLED(DM)
+struct udevice *caam_dev;
+#else
 #define SEC_ADDR(idx)	\
 	(ulong)((CONFIG_SYS_FSL_SEC_ADDR + sec_offset[idx]))
 
 #define SEC_JR0_ADDR(idx)	\
 	(ulong)(SEC_ADDR(idx) +	\
 	 (CONFIG_SYS_FSL_JR0_OFFSET - CONFIG_SYS_FSL_SEC_OFFSET))
+struct caam_regs caam_st;
+#endif
 
-struct jobring jr0[CONFIG_SYS_FSL_MAX_NUM_OF_SEC];
+static inline u32 jr_start_reg(u8 jrid)
+{
+	return (1 << jrid);
+}
 
-static inline void start_jr0(uint8_t sec_idx)
+#ifndef CONFIG_ARCH_IMX8
+static inline void start_jr(struct caam_regs *caam)
 {
-	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
+	ccsr_sec_t *sec = caam->sec;
 	u32 ctpr_ms = sec_in32(&sec->ctpr_ms);
 	u32 scfgr = sec_in32(&sec->scfgr);
+	u32 jrstart = jr_start_reg(caam->jrid);
 
 	if (ctpr_ms & SEC_CTPR_MS_VIRT_EN_INCL) {
 		/* VIRT_EN_INCL = 1 & VIRT_EN_POR = 1 or
@@ -56,23 +68,17 @@ static inline void start_jr0(uint8_t sec_idx)
 		 */
 		if ((ctpr_ms & SEC_CTPR_MS_VIRT_EN_POR) ||
 		    (scfgr & SEC_SCFGR_VIRT_EN))
-			sec_out32(&sec->jrstartr, CONFIG_JRSTARTR_JR0);
+			sec_out32(&sec->jrstartr, jrstart);
 	} else {
 		/* VIRT_EN_INCL = 0 && VIRT_EN_POR_VALUE = 1 */
 		if (ctpr_ms & SEC_CTPR_MS_VIRT_EN_POR)
-			sec_out32(&sec->jrstartr, CONFIG_JRSTARTR_JR0);
+			sec_out32(&sec->jrstartr, jrstart);
 	}
 }
+#endif
 
-static inline void jr_reset_liodn(uint8_t sec_idx)
-{
-	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
-	sec_out32(&sec->jrliodnr[0].ls, 0);
-}
-
-static inline void jr_disable_irq(uint8_t sec_idx)
+static inline void jr_disable_irq(struct jr_regs *regs)
 {
-	struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
 	uint32_t jrcfg = sec_in32(&regs->jrcfg1);
 
 	jrcfg = jrcfg | JR_INTMASK;
@@ -80,10 +86,10 @@ static inline void jr_disable_irq(uint8_t sec_idx)
 	sec_out32(&regs->jrcfg1, jrcfg);
 }
 
-static void jr_initregs(uint8_t sec_idx)
+static void jr_initregs(uint8_t sec_idx, struct caam_regs *caam)
 {
-	struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
-	struct jobring *jr = &jr0[sec_idx];
+	struct jr_regs *regs = caam->regs;
+	struct jobring *jr = &caam->jr[sec_idx];
 	caam_dma_addr_t ip_base = virt_to_phys((void *)jr->input_ring);
 	caam_dma_addr_t op_base = virt_to_phys((void *)jr->output_ring);
 
@@ -103,16 +109,16 @@ static void jr_initregs(uint8_t sec_idx)
 	sec_out32(&regs->irs, JR_SIZE);
 
 	if (!jr->irq)
-		jr_disable_irq(sec_idx);
+		jr_disable_irq(regs);
 }
 
-static int jr_init(uint8_t sec_idx)
+static int jr_init(uint8_t sec_idx, struct caam_regs *caam)
 {
-	struct jobring *jr = &jr0[sec_idx];
+	struct jobring *jr = &caam->jr[sec_idx];
 
 	memset(jr, 0, sizeof(struct jobring));
 
-	jr->jq_id = DEFAULT_JR_ID;
+	jr->jq_id = caam->jrid;
 	jr->irq = DEFAULT_IRQ;
 
 #ifdef CONFIG_FSL_CORENET
@@ -134,53 +140,10 @@ static int jr_init(uint8_t sec_idx)
 	memset(jr->input_ring, 0, JR_SIZE * sizeof(caam_dma_addr_t));
 	memset(jr->output_ring, 0, jr->op_size);
 
-	start_jr0(sec_idx);
-
-	jr_initregs(sec_idx);
-
-	return 0;
-}
-
-static int jr_sw_cleanup(uint8_t sec_idx)
-{
-	struct jobring *jr = &jr0[sec_idx];
-
-	jr->head = 0;
-	jr->tail = 0;
-	jr->read_idx = 0;
-	jr->write_idx = 0;
-	memset(jr->info, 0, sizeof(jr->info));
-	memset(jr->input_ring, 0, jr->size * sizeof(caam_dma_addr_t));
-	memset(jr->output_ring, 0, jr->size * sizeof(struct op_ring));
-
-	return 0;
-}
-
-static int jr_hw_reset(uint8_t sec_idx)
-{
-	struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
-	uint32_t timeout = 100000;
-	uint32_t jrint, jrcr;
-
-	sec_out32(&regs->jrcr, JRCR_RESET);
-	do {
-		jrint = sec_in32(&regs->jrint);
-	} while (((jrint & JRINT_ERR_HALT_MASK) ==
-		  JRINT_ERR_HALT_INPROGRESS) && --timeout);
-
-	jrint = sec_in32(&regs->jrint);
-	if (((jrint & JRINT_ERR_HALT_MASK) !=
-	     JRINT_ERR_HALT_INPROGRESS) && timeout == 0)
-		return -1;
-
-	timeout = 100000;
-	sec_out32(&regs->jrcr, JRCR_RESET);
-	do {
-		jrcr = sec_in32(&regs->jrcr);
-	} while ((jrcr & JRCR_RESET) && --timeout);
-
-	if (timeout == 0)
-		return -1;
+#ifndef CONFIG_ARCH_IMX8
+	start_jr(caam);
+#endif
+	jr_initregs(sec_idx, caam);
 
 	return 0;
 }
@@ -188,10 +151,10 @@ static int jr_hw_reset(uint8_t sec_idx)
 /* -1 --- error, can't enqueue -- no space available */
 static int jr_enqueue(uint32_t *desc_addr,
 	       void (*callback)(uint32_t status, void *arg),
-	       void *arg, uint8_t sec_idx)
+	       void *arg, uint8_t sec_idx, struct caam_regs *caam)
 {
-	struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
-	struct jobring *jr = &jr0[sec_idx];
+	struct jr_regs *regs = caam->regs;
+	struct jobring *jr = &caam->jr[sec_idx];
 	int head = jr->head;
 	uint32_t desc_word;
 	int length = desc_len(desc_addr);
@@ -263,10 +226,10 @@ static int jr_enqueue(uint32_t *desc_addr,
 	return 0;
 }
 
-static int jr_dequeue(int sec_idx)
+static int jr_dequeue(int sec_idx, struct caam_regs *caam)
 {
-	struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
-	struct jobring *jr = &jr0[sec_idx];
+	struct jr_regs *regs = caam->regs;
+	struct jobring *jr = &caam->jr[sec_idx];
 	int head = jr->head;
 	int tail = jr->tail;
 	int idx, i, found;
@@ -349,14 +312,18 @@ static void desc_done(uint32_t status, void *arg)
 {
 	struct result *x = arg;
 	x->status = status;
-#ifndef CONFIG_SPL_BUILD
 	caam_jr_strstatus(status);
-#endif
 	x->done = 1;
 }
 
 static inline int run_descriptor_jr_idx(uint32_t *desc, uint8_t sec_idx)
 {
+	struct caam_regs *caam;
+#if CONFIG_IS_ENABLED(DM)
+	caam = dev_get_priv(caam_dev);
+#else
+	caam = &caam_st;
+#endif
 	unsigned long long timeval = 0;
 	unsigned long long timeout = CONFIG_USEC_DEQ_TIMEOUT;
 	struct result op;
@@ -364,7 +331,7 @@ static inline int run_descriptor_jr_idx(uint32_t *desc, uint8_t sec_idx)
 
 	memset(&op, 0, sizeof(op));
 
-	ret = jr_enqueue(desc, desc_done, &op, sec_idx);
+	ret = jr_enqueue(desc, desc_done, &op, sec_idx, caam);
 	if (ret) {
 		debug("Error in SEC enq\n");
 		ret = JQ_ENQ_ERR;
@@ -375,7 +342,7 @@ static inline int run_descriptor_jr_idx(uint32_t *desc, uint8_t sec_idx)
 		udelay(1);
 		timeval += 1;
 
-		ret = jr_dequeue(sec_idx);
+		ret = jr_dequeue(sec_idx, caam);
 		if (ret) {
 			debug("Error in SEC deq\n");
 			ret = JQ_DEQ_ERR;
@@ -402,13 +369,63 @@ int run_descriptor_jr(uint32_t *desc)
 	return run_descriptor_jr_idx(desc, 0);
 }
 
+#ifndef CONFIG_ARCH_IMX8
+static int jr_sw_cleanup(uint8_t sec_idx, struct caam_regs *caam)
+{
+	struct jobring *jr = &caam->jr[sec_idx];
+
+	jr->head = 0;
+	jr->tail = 0;
+	jr->read_idx = 0;
+	jr->write_idx = 0;
+	memset(jr->info, 0, sizeof(jr->info));
+	memset(jr->input_ring, 0, jr->size * sizeof(caam_dma_addr_t));
+	memset(jr->output_ring, 0, jr->size * sizeof(struct op_ring));
+
+	return 0;
+}
+
+static int jr_hw_reset(struct jr_regs *regs)
+{
+	uint32_t timeout = 100000;
+	uint32_t jrint, jrcr;
+
+	sec_out32(&regs->jrcr, JRCR_RESET);
+	do {
+		jrint = sec_in32(&regs->jrint);
+	} while (((jrint & JRINT_ERR_HALT_MASK) ==
+		  JRINT_ERR_HALT_INPROGRESS) && --timeout);
+
+	jrint = sec_in32(&regs->jrint);
+	if (((jrint & JRINT_ERR_HALT_MASK) !=
+	     JRINT_ERR_HALT_INPROGRESS) && timeout == 0)
+		return -1;
+
+	timeout = 100000;
+	sec_out32(&regs->jrcr, JRCR_RESET);
+	do {
+		jrcr = sec_in32(&regs->jrcr);
+	} while ((jrcr & JRCR_RESET) && --timeout);
+
+	if (timeout == 0)
+		return -1;
+
+	return 0;
+}
+
 static inline int jr_reset_sec(uint8_t sec_idx)
 {
-	if (jr_hw_reset(sec_idx) < 0)
+	struct caam_regs *caam;
+#if CONFIG_IS_ENABLED(DM)
+	caam = dev_get_priv(caam_dev);
+#else
+	caam = &caam_st;
+#endif
+	if (jr_hw_reset(caam->regs) < 0)
 		return -1;
 
 	/* Clean up the jobring structure maintained by software */
-	jr_sw_cleanup(sec_idx);
+	jr_sw_cleanup(sec_idx, caam);
 
 	return 0;
 }
@@ -418,9 +435,15 @@ int jr_reset(void)
 	return jr_reset_sec(0);
 }
 
-static inline int sec_reset_idx(uint8_t sec_idx)
+int sec_reset(void)
 {
-	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
+	struct caam_regs *caam;
+#if CONFIG_IS_ENABLED(DM)
+	caam = dev_get_priv(caam_dev);
+#else
+	caam = &caam_st;
+#endif
+	ccsr_sec_t *sec = caam->sec;
 	uint32_t mcfgr = sec_in32(&sec->mcfgr);
 	uint32_t timeout = 100000;
 
@@ -446,11 +469,7 @@ static inline int sec_reset_idx(uint8_t sec_idx)
 
 	return 0;
 }
-int sec_reset(void)
-{
-	return sec_reset_idx(0);
-}
-#ifndef CONFIG_SPL_BUILD
+
 static int deinstantiate_rng(u8 sec_idx, int state_handle_mask)
 {
 	u32 *desc;
@@ -496,12 +515,11 @@ static int deinstantiate_rng(u8 sec_idx, int state_handle_mask)
 	return ret;
 }
 
-static int instantiate_rng(u8 sec_idx, int gen_sk)
+static int instantiate_rng(uint8_t sec_idx, ccsr_sec_t *sec, int gen_sk)
 {
 	u32 *desc;
 	u32 rdsta_val;
 	int ret = 0, sh_idx, size;
-	ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
 	struct rng4tst __iomem *rng =
 			(struct rng4tst __iomem *)&sec->rng;
 
@@ -554,9 +572,8 @@ static int instantiate_rng(u8 sec_idx, int gen_sk)
 	return ret;
 }
 
-static u8 get_rng_vid(uint8_t sec_idx)
+static u8 get_rng_vid(ccsr_sec_t *sec)
 {
-	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
 	u8 vid;
 
 	if (caam_get_era() < 10) {
@@ -574,9 +591,8 @@ static u8 get_rng_vid(uint8_t sec_idx)
  * By default, the TRNG runs for 200 clocks per sample;
  * 1200 clocks per sample generates better entropy.
  */
-static void kick_trng(int ent_delay, uint8_t sec_idx)
+static void kick_trng(int ent_delay, ccsr_sec_t *sec)
 {
-	ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
 	struct rng4tst __iomem *rng =
 			(struct rng4tst __iomem *)&sec->rng;
 	u32 val;
@@ -603,10 +619,9 @@ static void kick_trng(int ent_delay, uint8_t sec_idx)
 	sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM);
 }
 
-static int rng_init(uint8_t sec_idx)
+static int rng_init(uint8_t sec_idx, ccsr_sec_t *sec)
 {
 	int ret, gen_sk, ent_delay = RTSDCTL_ENT_DLY_MIN;
-	ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
 	struct rng4tst __iomem *rng =
 			(struct rng4tst __iomem *)&sec->rng;
 	u32 inst_handles;
@@ -624,7 +639,7 @@ static int rng_init(uint8_t sec_idx)
 		 * the TRNG parameters.
 		 */
 		if (!inst_handles) {
-			kick_trng(ent_delay, sec_idx);
+			kick_trng(ent_delay, sec);
 			ent_delay += 400;
 		}
 		/*
@@ -634,7 +649,7 @@ static int rng_init(uint8_t sec_idx)
 		 * interval, leading to a sucessful initialization of
 		 * the RNG.
 		 */
-		ret = instantiate_rng(sec_idx, gen_sk);
+		ret = instantiate_rng(sec_idx, sec, gen_sk);
 	} while ((ret == -1) && (ent_delay < RTSDCTL_ENT_DLY_MAX));
 	if (ret) {
 		printf("SEC%u:  Failed to instantiate RNG\n", sec_idx);
@@ -647,12 +662,29 @@ static int rng_init(uint8_t sec_idx)
 	return ret;
 }
 #endif
+
 int sec_init_idx(uint8_t sec_idx)
 {
-	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
-	uint32_t mcr = sec_in32(&sec->mcfgr);
 	int ret = 0;
-
+	struct caam_regs *caam;
+#if CONFIG_IS_ENABLED(DM)
+	if (caam_dev == NULL) {
+		printf("caam_jr: caam not found\n");
+		return -1;
+	}
+	caam = dev_get_priv(caam_dev);
+#else
+	caam_st.sec = (void *)SEC_ADDR(sec_idx);
+	caam_st.regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
+	caam_st.jrid = 0;
+	caam = &caam_st;
+#endif
+#ifndef CONFIG_ARCH_IMX8
+	ccsr_sec_t *sec = caam->sec;
+	uint32_t mcr = sec_in32(&sec->mcfgr);
+#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
+	uint32_t jrdid_ms = 0;
+#endif
 #ifdef CONFIG_FSL_CORENET
 	uint32_t liodnr;
 	uint32_t liodn_ns;
@@ -682,6 +714,11 @@ int sec_init_idx(uint8_t sec_idx)
 	mcr |= (1 << MCFGR_PS_SHIFT);
 #endif
 	sec_out32(&sec->mcfgr, mcr);
+#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
+	jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ | JRDID_MS_PRIM_DID;
+	sec_out32(&sec->jrliodnr[caam->jrid].ms, jrdid_ms);
+#endif
+	jr_reset();
 
 #ifdef CONFIG_FSL_CORENET
 #ifdef CONFIG_SPL_BUILD
@@ -693,25 +730,26 @@ int sec_init_idx(uint8_t sec_idx)
 	liodn_ns = CONFIG_SPL_JR0_LIODN_NS & JRNSLIODN_MASK;
 	liodn_s = CONFIG_SPL_JR0_LIODN_S & JRSLIODN_MASK;
 
-	liodnr = sec_in32(&sec->jrliodnr[0].ls) &
+	liodnr = sec_in32(&sec->jrliodnr[caam->jrid].ls) &
 		 ~(JRNSLIODN_MASK | JRSLIODN_MASK);
 	liodnr = liodnr |
 		 (liodn_ns << JRNSLIODN_SHIFT) |
 		 (liodn_s << JRSLIODN_SHIFT);
-	sec_out32(&sec->jrliodnr[0].ls, liodnr);
+	sec_out32(&sec->jrliodnr[caam->jrid].ls, liodnr);
 #else
-	liodnr = sec_in32(&sec->jrliodnr[0].ls);
+	liodnr = sec_in32(&sec->jrliodnr[caam->jrid].ls);
 	liodn_ns = (liodnr & JRNSLIODN_MASK) >> JRNSLIODN_SHIFT;
 	liodn_s = (liodnr & JRSLIODN_MASK) >> JRSLIODN_SHIFT;
 #endif
 #endif
-
-	ret = jr_init(sec_idx);
+#endif
+	ret = jr_init(sec_idx, caam);
 	if (ret < 0) {
 		printf("SEC%u:  initialization failed\n", sec_idx);
 		return -1;
 	}
 
+#ifndef CONFIG_ARCH_IMX8
 #ifdef CONFIG_FSL_CORENET
 	ret = sec_config_pamu_table(liodn_ns, liodn_s);
 	if (ret < 0)
@@ -719,9 +757,9 @@ int sec_init_idx(uint8_t sec_idx)
 
 	pamu_enable();
 #endif
-#ifndef CONFIG_SPL_BUILD
-	if (get_rng_vid(sec_idx) >= 4) {
-		if (rng_init(sec_idx) < 0) {
+
+	if (get_rng_vid(caam->sec) >= 4) {
+		if (rng_init(sec_idx, caam->sec) < 0) {
 			printf("SEC%u:  RNG instantiation failed\n", sec_idx);
 			return -1;
 		}
@@ -743,3 +781,63 @@ int sec_init(void)
 {
 	return sec_init_idx(0);
 }
+
+#if CONFIG_IS_ENABLED(DM)
+static int caam_jr_probe(struct udevice *dev)
+{
+	struct caam_regs *caam = dev_get_priv(dev);
+	fdt_addr_t addr;
+	ofnode node;
+	unsigned int jr_node = 0;
+
+	caam_dev = dev;
+
+	addr = dev_read_addr(dev);
+	if (addr == FDT_ADDR_T_NONE) {
+		printf("caam_jr: crypto not found\n");
+		return -EINVAL;
+	}
+	caam->sec = (ccsr_sec_t *)(uintptr_t)addr;
+	caam->regs = (struct jr_regs *)caam->sec;
+
+	/* Check for enabled job ring node */
+	ofnode_for_each_subnode(node, dev_ofnode(dev)) {
+		if (!ofnode_is_available(node)) {
+			continue;
+		}
+		jr_node = ofnode_read_u32_default(node, "reg", -1);
+		if (jr_node > 0) {
+			caam->regs = (struct jr_regs *)((ulong)caam->sec + jr_node);
+			while (!(jr_node & 0x0F)) {
+				jr_node = jr_node >> 4;
+			}
+			caam->jrid = jr_node - 1;
+			break;
+		}
+	}
+
+	if (sec_init())
+		printf("\nsec_init failed!\n");
+
+	return 0;
+}
+
+static int caam_jr_bind(struct udevice *dev)
+{
+	return 0;
+}
+
+static const struct udevice_id caam_jr_match[] = {
+	{ .compatible = "fsl,sec-v4.0" },
+	{ }
+};
+
+U_BOOT_DRIVER(caam_jr) = {
+	.name		= "caam_jr",
+	.id		= UCLASS_MISC,
+	.of_match	= caam_jr_match,
+	.bind		= caam_jr_bind,
+	.probe		= caam_jr_probe,
+	.priv_auto	= sizeof(struct caam_regs),
+};
+#endif
diff --git a/drivers/crypto/fsl/jr.h b/drivers/crypto/fsl/jr.h
index 1047aa772c..43cb5e0753 100644
--- a/drivers/crypto/fsl/jr.h
+++ b/drivers/crypto/fsl/jr.h
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0+ */
 /*
  * Copyright 2008-2014 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  *
  */
 
@@ -8,7 +9,9 @@
 #define __JR_H
 
 #include <linux/compiler.h>
+#include "fsl_sec.h"
 #include "type.h"
+#include <misc.h>
 
 #define JR_SIZE 4
 /* Timeout currently defined as 10 sec */
@@ -35,6 +38,10 @@
 #define JRSLIODN_SHIFT		0
 #define JRSLIODN_MASK		0x00000fff
 
+#define JRDID_MS_PRIM_DID	1
+#define JRDID_MS_PRIM_TZ	(1 << 4)
+#define JRDID_MS_TZ_OWN		(1 << 15)
+
 #define JQ_DEQ_ERR		-1
 #define JQ_DEQ_TO_ERR		-2
 #define JQ_ENQ_ERR		-3
@@ -102,6 +109,13 @@ struct result {
 	uint32_t status;
 };
 
+struct caam_regs {
+	ccsr_sec_t *sec;
+	struct jr_regs *regs;
+	u8 jrid;
+	struct jobring jr[CONFIG_SYS_FSL_MAX_NUM_OF_SEC];
+};
+
 void caam_jr_strstatus(u32 status);
 int run_descriptor_jr(uint32_t *desc);
 
-- 
2.17.1

[PATCH v5 02/16] crypto/fsl: Add CAAM support for bkek, random number generation

[Gaurav Jain]

added api and descriptor for blob key encryption key(bkek) generation.
added api for random number generation.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 drivers/crypto/fsl/desc.h     |  5 +++
 drivers/crypto/fsl/fsl_blob.c | 82 +++++++++++++++++++++++++++++++++++
 drivers/crypto/fsl/jobdesc.c  | 20 +++++++--
 drivers/crypto/fsl/jobdesc.h  |  4 ++
 4 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/fsl/desc.h b/drivers/crypto/fsl/desc.h
index 5705c4f944..5958ebd3ac 100644
--- a/drivers/crypto/fsl/desc.h
+++ b/drivers/crypto/fsl/desc.h
@@ -4,6 +4,7 @@
  * Definitions to support CAAM descriptor instruction generation
  *
  * Copyright 2008-2014 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  *
  * Based on desc.h file in linux drivers/crypto/caam
  */
@@ -15,6 +16,7 @@
 
 #define KEY_BLOB_SIZE		32
 #define MAC_SIZE			16
+#define BKEK_SIZE		32
 
 /* Max size of any CAAM descriptor in 32-bit words, inclusive of header */
 #define MAX_CAAM_DESCSIZE	64
@@ -463,6 +465,9 @@
 #define OP_PROTINFO_HASH_SHA384	0x00000200
 #define OP_PROTINFO_HASH_SHA512	0x00000280
 
+/* PROTINFO fields for Blob Operations */
+#define OP_PROTINFO_MKVB	0x00000002
+
 /* For non-protocol/alg-only op commands */
 #define OP_ALG_TYPE_SHIFT	24
 #define OP_ALG_TYPE_MASK	(0x7 << OP_ALG_TYPE_SHIFT)
diff --git a/drivers/crypto/fsl/fsl_blob.c b/drivers/crypto/fsl/fsl_blob.c
index e8202cc569..e8bc009daf 100644
--- a/drivers/crypto/fsl/fsl_blob.c
+++ b/drivers/crypto/fsl/fsl_blob.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2014 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  *
  */
 
@@ -152,6 +153,87 @@ int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
 	return ret;
 }
 
+int derive_blob_kek(u8 *bkek_buf, u8 *key_mod, u32 key_sz)
+{
+	int ret, size;
+	u32 *desc;
+
+	if (!IS_ALIGNED((uintptr_t)bkek_buf, ARCH_DMA_MINALIGN) ||
+	    !IS_ALIGNED((uintptr_t)key_mod, ARCH_DMA_MINALIGN)) {
+		puts("Error: derive_bkek: Address arguments are not aligned!\n");
+		return -EINVAL;
+	}
+
+	printf("\nBlob key encryption key(bkek)\n");
+	desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
+	if (!desc) {
+		printf("Not enough memory for descriptor allocation\n");
+		return -ENOMEM;
+	}
+
+	size = ALIGN(key_sz, ARCH_DMA_MINALIGN);
+	flush_dcache_range((unsigned long)key_mod, (unsigned long)key_mod + size);
+
+	/* construct blob key encryption key(bkek) derive descriptor */
+	inline_cnstr_jobdesc_derive_bkek(desc, bkek_buf, key_mod, key_sz);
+
+	size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE, ARCH_DMA_MINALIGN);
+	flush_dcache_range((unsigned long)desc, (unsigned long)desc + size);
+	size = ALIGN(BKEK_SIZE, ARCH_DMA_MINALIGN);
+	invalidate_dcache_range((unsigned long)bkek_buf,
+				(unsigned long)bkek_buf + size);
+
+	/* run descriptor */
+	ret = run_descriptor_jr(desc);
+	if (ret < 0) {
+		printf("Error: %s failed 0x%x\n", __func__, ret);
+	} else {
+		invalidate_dcache_range((unsigned long)bkek_buf,
+					(unsigned long)bkek_buf + size);
+		puts("derive bkek successful.\n");
+	}
+
+	free(desc);
+	return ret;
+}
+
+int hwrng_generate(u8 *dst, u32 len)
+{
+	int ret, size;
+	u32 *desc;
+
+	if (!IS_ALIGNED((uintptr_t)dst, ARCH_DMA_MINALIGN)) {
+		puts("Error: caam_hwrng_test: Address arguments are not aligned!\n");
+		return -EINVAL;
+	}
+
+	printf("\nRNG generate\n");
+	desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
+	if (!desc) {
+		printf("Not enough memory for descriptor allocation\n");
+		return -ENOMEM;
+	}
+
+	inline_cnstr_jobdesc_rng(desc, dst, len);
+
+	size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE, ARCH_DMA_MINALIGN);
+	flush_dcache_range((unsigned long)desc, (unsigned long)desc + size);
+	size = ALIGN(len, ARCH_DMA_MINALIGN);
+	invalidate_dcache_range((unsigned long)dst, (unsigned long)dst + size);
+
+	ret = run_descriptor_jr(desc);
+	if (ret < 0) {
+		printf("Error: RNG generate failed 0x%x\n", ret);
+	} else {
+		invalidate_dcache_range((unsigned long)dst,
+					(unsigned long)dst + size);
+		puts("RNG generation successful.\n");
+	}
+
+	free(desc);
+	return ret;
+}
+
 #ifdef CONFIG_CMD_DEKBLOB
 int blob_dek(const u8 *src, u8 *dst, u8 len)
 {
diff --git a/drivers/crypto/fsl/jobdesc.c b/drivers/crypto/fsl/jobdesc.c
index c350b32856..d58937c284 100644
--- a/drivers/crypto/fsl/jobdesc.c
+++ b/drivers/crypto/fsl/jobdesc.c
@@ -4,7 +4,7 @@
  * Basic job descriptor construction
  *
  * Copyright 2014 Freescale Semiconductor, Inc.
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  *
  */
 
@@ -207,7 +207,7 @@ void inline_cnstr_jobdesc_hash(uint32_t *desc,
 	append_store(desc, dma_addr_out, storelen,
 		     LDST_CLASS_2_CCB | LDST_SRCDST_BYTE_CONTEXT);
 }
-#ifndef CONFIG_SPL_BUILD
+
 void inline_cnstr_jobdesc_blob_encap(uint32_t *desc, uint8_t *key_idnfr,
 				     uint8_t *plain_txt, uint8_t *enc_blob,
 				     uint32_t in_sz)
@@ -255,7 +255,7 @@ void inline_cnstr_jobdesc_blob_decap(uint32_t *desc, uint8_t *key_idnfr,
 
 	append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB);
 }
-#endif
+
 /*
  * Descriptor to instantiate RNG State Handle 0 in normal mode and
  * load the JDKEK, TDKEK and TDSK registers
@@ -334,3 +334,17 @@ void inline_cnstr_jobdesc_pkha_rsaexp(uint32_t *desc,
 	append_fifo_store(desc, dma_addr_out, out_siz,
 			  LDST_CLASS_1_CCB | FIFOST_TYPE_PKHA_B);
 }
+
+void inline_cnstr_jobdesc_derive_bkek(uint32_t *desc, void *bkek_out,
+				      void *key_mod, uint32_t key_sz)
+{
+	dma_addr_t dma_key_mod = virt_to_phys(key_mod);
+	dma_addr_t dma_bkek_out = virt_to_phys(bkek_out);
+
+	init_job_desc(desc, 0);
+	append_load(desc, dma_key_mod, key_sz,	LDST_CLASS_2_CCB |
+						LDST_SRCDST_BYTE_KEY);
+	append_seq_out_ptr_intlen(desc, dma_bkek_out, BKEK_SIZE, 0);
+	append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB |
+							OP_PROTINFO_MKVB);
+}
diff --git a/drivers/crypto/fsl/jobdesc.h b/drivers/crypto/fsl/jobdesc.h
index c4501abd26..a720d68e82 100644
--- a/drivers/crypto/fsl/jobdesc.h
+++ b/drivers/crypto/fsl/jobdesc.h
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0+ */
 /*
  * Copyright 2014 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  *
  */
 
@@ -49,4 +50,7 @@ void inline_cnstr_jobdesc_pkha_rsaexp(uint32_t *desc,
 				      struct pk_in_params *pkin, uint8_t *out,
 				      uint32_t out_siz);
 
+void inline_cnstr_jobdesc_derive_bkek(uint32_t *desc, void *bkek_out,
+				      void *key_mod, uint32_t key_sz);
+
 #endif
-- 
2.17.1

[PATCH v5 03/16] i.MX8M: crypto: updated device tree for supporting DM in SPL

[Gaurav Jain]

disabled use of JR0 in SPL and uboot, as JR0 is reserved
for secure boot.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/dts/imx8mm-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
 arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi | 19 ++++++++++++++++++-
 arch/arm/dts/imx8mp-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
 arch/arm/dts/imx8mq-evk-u-boot.dtsi      |  4 ++++
 4 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
index 3c75415e8f..83517de52b 100644
--- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include "imx8mm-u-boot.dtsi"
@@ -72,6 +72,23 @@
 	u-boot,dm-spl;
 };
 
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr0 {
+	u-boot,dm-spl;
+	status = "disabled";
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
 &usdhc1 {
 	u-boot,dm-spl;
 };
diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
index 1d3844437d..d8df863083 100644
--- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 / {
@@ -104,6 +104,23 @@
 	u-boot,dm-spl;
 };
 
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr0 {
+	u-boot,dm-spl;
+	status = "disabled";
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
 &usdhc1 {
 	u-boot,dm-spl;
 };
diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
index ab849ebaac..f3f83ba303 100644
--- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include "imx8mp-u-boot.dtsi"
@@ -67,6 +67,23 @@
 	u-boot,dm-spl;
 };
 
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr0 {
+	u-boot,dm-spl;
+	status = "disabled";
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
 &i2c1 {
 	u-boot,dm-spl;
 };
diff --git a/arch/arm/dts/imx8mq-evk-u-boot.dtsi b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
index 2cfc12b7e0..23a3ffa18f 100644
--- a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
@@ -8,3 +8,7 @@
 	sd-uhs-sdr104;
 	sd-uhs-ddr50;
 };
+
+&sec_jr0 {
+	status = "disabled";
+};
-- 
2.17.1

[PATCH v5 04/16] crypto/fsl: i.MX8M: Enable Job ring driver model in SPL and U-Boot.

[Gaurav Jain]

i.MX8MM/MN/MP/MQ - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/Kconfig                           |  2 +-
 arch/arm/include/asm/arch-imx8m/imx-regs.h |  1 +
 arch/arm/mach-imx/imx8m/Kconfig            | 23 ++++++++++++++++++++++
 arch/arm/mach-imx/imx8m/soc.c              | 10 +++++++++-
 board/freescale/imx8mm_evk/spl.c           |  9 ++++++++-
 board/freescale/imx8mn_evk/spl.c           |  8 ++++++--
 board/freescale/imx8mp_evk/spl.c           | 13 ++++++++++--
 board/freescale/imx8mq_evk/spl.c           |  9 +++++++--
 drivers/crypto/fsl/jr.c                    | 14 ++++++++++---
 scripts/config_whitelist.txt               |  1 +
 10 files changed, 78 insertions(+), 12 deletions(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index f7f03837fe..550f884077 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -815,7 +815,7 @@ config ARCH_IMX8M
 	select ARM64
 	select GPIO_EXTRA_HEADER
 	select MACH_IMX
-	select SYS_FSL_HAS_SEC if IMX_HAB
+	select SYS_FSL_HAS_SEC
 	select SYS_FSL_SEC_COMPAT_4
 	select SYS_FSL_SEC_LE
 	select SYS_I2C_MXC
diff --git a/arch/arm/include/asm/arch-imx8m/imx-regs.h b/arch/arm/include/asm/arch-imx8m/imx-regs.h
index b800da13a1..ff8de53f67 100644
--- a/arch/arm/include/asm/arch-imx8m/imx-regs.h
+++ b/arch/arm/include/asm/arch-imx8m/imx-regs.h
@@ -72,6 +72,7 @@
 #define CONFIG_SYS_FSL_SEC_ADDR         (CAAM_IPS_BASE_ADDR + \
 					 CONFIG_SYS_FSL_SEC_OFFSET)
 #define CONFIG_SYS_FSL_JR0_OFFSET       (0x1000)
+#define CONFIG_SYS_FSL_JR1_OFFSET       (0x2000)
 #define CONFIG_SYS_FSL_JR0_ADDR         (CONFIG_SYS_FSL_SEC_ADDR + \
 					 CONFIG_SYS_FSL_JR0_OFFSET)
 #define CONFIG_SYS_FSL_MAX_NUM_OF_SEC   1
diff --git a/arch/arm/mach-imx/imx8m/Kconfig b/arch/arm/mach-imx/imx8m/Kconfig
index 276b8bd974..4988171d2b 100644
--- a/arch/arm/mach-imx/imx8m/Kconfig
+++ b/arch/arm/mach-imx/imx8m/Kconfig
@@ -38,6 +38,11 @@ config TARGET_IMX8MQ_EVK
 	bool "imx8mq_evk"
 	select IMX8MQ
 	select IMX8M_LPDDR4
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
+	select SPL_CRYPTO if SPL
 
 config TARGET_IMX8MQ_PHANBELL
         bool "imx8mq_phanbell"
@@ -50,6 +55,11 @@ config TARGET_IMX8MM_EVK
 	select IMX8MM
 	select SUPPORT_SPL
 	select IMX8M_LPDDR4
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
+	select SPL_CRYPTO if SPL
 
 config TARGET_IMX8MM_ICORE_MX8MM
 	bool "Engicam i.Core MX8M Mini SOM"
@@ -88,6 +98,10 @@ config TARGET_IMX8MN_EVK
 	select IMX8MN
 	select SUPPORT_SPL
 	select IMX8M_LPDDR4
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select SPL_CRYPTO if SPL
 
 config TARGET_IMX8MN_DDR4_EVK
 	bool "imx8mn DDR4 EVK board"
@@ -95,6 +109,10 @@ config TARGET_IMX8MN_DDR4_EVK
 	select IMX8MN
 	select SUPPORT_SPL
 	select IMX8M_DDR4
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select SPL_CRYPTO if SPL
 
 config TARGET_IMX8MP_EVK
 	bool "imx8mp LPDDR4 EVK board"
@@ -102,6 +120,11 @@ config TARGET_IMX8MP_EVK
 	select IMX8MP
 	select SUPPORT_SPL
 	select IMX8M_LPDDR4
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
+	select SPL_CRYPTO if SPL
 
 config TARGET_PICO_IMX8MQ
 	bool "Support Technexion Pico iMX8MQ"
diff --git a/arch/arm/mach-imx/imx8m/soc.c b/arch/arm/mach-imx/imx8m/soc.c
index 863508776d..0f9bd77354 100644
--- a/arch/arm/mach-imx/imx8m/soc.c
+++ b/arch/arm/mach-imx/imx8m/soc.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2017-2019 NXP
+ * Copyright 2017-2019, 2021 NXP
  *
  * Peng Fan <peng.fan@nxp.com>
  */
@@ -20,6 +20,7 @@
 #include <asm/ptrace.h>
 #include <asm/armv8/mmu.h>
 #include <dm/uclass.h>
+#include <dm/device.h>
 #include <efi_loader.h>
 #include <env.h>
 #include <env_internal.h>
@@ -1197,6 +1198,13 @@ static void acquire_buildinfo(void)
 
 int arch_misc_init(void)
 {
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
 	acquire_buildinfo();
 
 	return 0;
diff --git a/board/freescale/imx8mm_evk/spl.c b/board/freescale/imx8mm_evk/spl.c
index 4ef7f6f180..c81128f442 100644
--- a/board/freescale/imx8mm_evk/spl.c
+++ b/board/freescale/imx8mm_evk/spl.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include <common.h>
@@ -51,6 +51,13 @@ static void spl_dram_init(void)
 
 void spl_board_init(void)
 {
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
 	puts("Normal Boot\n");
 }
 
diff --git a/board/freescale/imx8mn_evk/spl.c b/board/freescale/imx8mn_evk/spl.c
index 03f2a56e80..ab19dabf7b 100644
--- a/board/freescale/imx8mn_evk/spl.c
+++ b/board/freescale/imx8mn_evk/spl.c
@@ -1,7 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
- * Copyright 2018-2019 NXP
+ * Copyright 2018-2019, 2021 NXP
  *
- * SPDX-License-Identifier:	GPL-2.0+
  */
 
 #include <common.h>
@@ -49,6 +49,10 @@ void spl_board_init(void)
 	struct udevice *dev;
 	int ret;
 
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
 	puts("Normal Boot\n");
 
 	ret = uclass_get_device_by_name(UCLASS_CLK,
diff --git a/board/freescale/imx8mp_evk/spl.c b/board/freescale/imx8mp_evk/spl.c
index eca42c756e..bcef96caa3 100644
--- a/board/freescale/imx8mp_evk/spl.c
+++ b/board/freescale/imx8mp_evk/spl.c
@@ -1,7 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
- * Copyright 2018-2019 NXP
+ * Copyright 2018-2019, 2021 NXP
  *
- * SPDX-License-Identifier:	GPL-2.0+
  */
 
 #include <common.h>
@@ -20,6 +20,8 @@
 #include <asm/arch/ddr.h>
 #include <power/pmic.h>
 #include <power/pca9450.h>
+#include <dm/uclass.h>
+#include <dm/device.h>
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -35,6 +37,13 @@ void spl_dram_init(void)
 
 void spl_board_init(void)
 {
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
 	/*
 	 * Set GIC clock to 500Mhz for OD VDD_SOC. Kernel driver does
 	 * not allow to change it. Should set the clock after PMIC
diff --git a/board/freescale/imx8mq_evk/spl.c b/board/freescale/imx8mq_evk/spl.c
index 67d069b2b0..8a47dd01a5 100644
--- a/board/freescale/imx8mq_evk/spl.c
+++ b/board/freescale/imx8mq_evk/spl.c
@@ -1,8 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  *
- * SPDX-License-Identifier:	GPL-2.0+
  */
 
 #include <common.h>
@@ -22,6 +21,7 @@
 #include <asm/mach-imx/gpio.h>
 #include <asm/mach-imx/mxc_i2c.h>
 #include <fsl_esdhc_imx.h>
+#include <fsl_sec.h>
 #include <mmc.h>
 #include <linux/delay.h>
 #include <power/pmic.h>
@@ -199,6 +199,11 @@ int power_init_board(void)
 
 void spl_board_init(void)
 {
+#ifdef CONFIG_FSL_CAAM
+	if (sec_init())
+		printf("\nsec_init failed!\n");
+
+#endif
 	puts("Normal Boot\n");
 }
 
diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index eea2225a1e..a99792afbb 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -43,9 +43,17 @@ struct udevice *caam_dev;
 #define SEC_ADDR(idx)	\
 	(ulong)((CONFIG_SYS_FSL_SEC_ADDR + sec_offset[idx]))
 
-#define SEC_JR0_ADDR(idx)	\
+#ifndef CONFIG_IMX8M
+#define SEC_JR_ADDR(idx)	\
 	(ulong)(SEC_ADDR(idx) +	\
 	 (CONFIG_SYS_FSL_JR0_OFFSET - CONFIG_SYS_FSL_SEC_OFFSET))
+#define JR_ID 0
+#else
+#define SEC_JR_ADDR(idx)	\
+	(ulong)(SEC_ADDR(idx) + \
+	 (CONFIG_SYS_FSL_JR1_OFFSET - CONFIG_SYS_FSL_SEC_OFFSET))
+#define JR_ID 1
+#endif
 struct caam_regs caam_st;
 #endif
 
@@ -675,8 +683,8 @@ int sec_init_idx(uint8_t sec_idx)
 	caam = dev_get_priv(caam_dev);
 #else
 	caam_st.sec = (void *)SEC_ADDR(sec_idx);
-	caam_st.regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
-	caam_st.jrid = 0;
+	caam_st.regs = (struct jr_regs *)SEC_JR_ADDR(sec_idx);
+	caam_st.jrid = JR_ID;
 	caam = &caam_st;
 #endif
 #ifndef CONFIG_ARCH_IMX8
diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt
index b9c1c61e13..81de1a3793 100644
--- a/scripts/config_whitelist.txt
+++ b/scripts/config_whitelist.txt
@@ -1848,6 +1848,7 @@ CONFIG_SYS_FSL_IFC_SIZE2
 CONFIG_SYS_FSL_ISBC_VER
 CONFIG_SYS_FSL_JR0_ADDR
 CONFIG_SYS_FSL_JR0_OFFSET
+CONFIG_SYS_FSL_JR1_OFFSET
 CONFIG_SYS_FSL_LS1_CLK_ADDR
 CONFIG_SYS_FSL_LSCH3_SERDES_ADDR
 CONFIG_SYS_FSL_MAX_NUM_OF_SEC
-- 
2.17.1

[PATCH v5 05/16] mx6sabre: Remove unnecessary SPL configs

[Gaurav Jain]

From: Ye Li <ye.li@nxp.com>

Because we don't use SPL_DM on mx6sabresd and mx6sabreauto, so it is
unnecessary to have SPL DTB related configs and SPL_OF_CONTROL enabled.

Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Gaurav Jain <gaurav.jain@nxp.com>
---
 configs/mx6sabreauto_defconfig | 2 --
 configs/mx6sabresd_defconfig   | 4 ----
 2 files changed, 6 deletions(-)

diff --git a/configs/mx6sabreauto_defconfig b/configs/mx6sabreauto_defconfig
index c5cdc3ac17..2b8b4f6b9f 100644
--- a/configs/mx6sabreauto_defconfig
+++ b/configs/mx6sabreauto_defconfig
@@ -60,10 +60,8 @@ CONFIG_CMD_EXT4_WRITE=y
 CONFIG_CMD_FAT=y
 CONFIG_CMD_FS_GENERIC=y
 CONFIG_OF_CONTROL=y
-CONFIG_SPL_OF_CONTROL=y
 CONFIG_OF_LIST="imx6dl-sabreauto imx6q-sabreauto imx6qp-sabreauto"
 CONFIG_MULTI_DTB_FIT=y
-CONFIG_SPL_MULTI_DTB_FIT=y
 CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_MMC=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
diff --git a/configs/mx6sabresd_defconfig b/configs/mx6sabresd_defconfig
index 6733038060..f40401d279 100644
--- a/configs/mx6sabresd_defconfig
+++ b/configs/mx6sabresd_defconfig
@@ -63,12 +63,8 @@ CONFIG_CMD_FS_GENERIC=y
 CONFIG_EFI_PARTITION=y
 # CONFIG_SPL_EFI_PARTITION is not set
 CONFIG_OF_CONTROL=y
-CONFIG_SPL_OF_CONTROL=y
 CONFIG_OF_LIST="imx6q-sabresd imx6qp-sabresd imx6dl-sabresd"
 CONFIG_MULTI_DTB_FIT=y
-CONFIG_SPL_MULTI_DTB_FIT=y
-CONFIG_SPL_OF_LIST="imx6dl-sabresd imx6q-sabresd imx6qp-sabresd"
-CONFIG_SPL_MULTI_DTB_FIT_NO_COMPRESSION=y
 CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_MMC=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
-- 
2.17.1

[PATCH v5 06/16] i.MX6: Enable Job ring driver model in U-Boot.

[Gaurav Jain]

i.MX6,i.MX6SX,i.MX6UL - added support for JR driver model.

removed sec_init() call, sec is initialized based on
job ring information processed from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/mach-imx/mx6/Kconfig | 20 ++++++++++++++++++++
 arch/arm/mach-imx/mx6/soc.c   | 12 ++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/arch/arm/mach-imx/mx6/Kconfig b/arch/arm/mach-imx/mx6/Kconfig
index b4c8511cb8..0f40e84915 100644
--- a/arch/arm/mach-imx/mx6/Kconfig
+++ b/arch/arm/mach-imx/mx6/Kconfig
@@ -354,6 +354,10 @@ config TARGET_MX6SABREAUTO
 	select DM_THERMAL
 	select SUPPORT_SPL
 	imply CMD_DM
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 
 config TARGET_MX6SABRESD
 	bool "mx6sabresd"
@@ -364,6 +368,10 @@ config TARGET_MX6SABRESD
 	select DM_THERMAL
 	select SUPPORT_SPL
 	imply CMD_DM
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 
 config TARGET_MX6SLEVK
 	bool "mx6slevk"
@@ -386,6 +394,10 @@ config TARGET_MX6SXSABRESD
 	select DM
 	select DM_THERMAL
 	select SUPPORT_SPL
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 
 config TARGET_MX6SXSABREAUTO
 	bool "mx6sxsabreauto"
@@ -404,6 +416,10 @@ config TARGET_MX6UL_9X9_EVK
 	select DM_THERMAL
 	select SUPPORT_SPL
 	imply CMD_DM
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 
 config TARGET_MX6UL_14X14_EVK
 	bool "mx6ul_14x14_evk"
@@ -413,6 +429,10 @@ config TARGET_MX6UL_14X14_EVK
 	select DM_THERMAL
 	select SUPPORT_SPL
 	imply CMD_DM
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 
 config TARGET_MX6UL_ENGICAM
 	bool "Support Engicam GEAM6UL/Is.IoT"
diff --git a/arch/arm/mach-imx/mx6/soc.c b/arch/arm/mach-imx/mx6/soc.c
index aacfc854a2..fa6c3778bb 100644
--- a/arch/arm/mach-imx/mx6/soc.c
+++ b/arch/arm/mach-imx/mx6/soc.c
@@ -4,6 +4,7 @@
  * Sascha Hauer, Pengutronix
  *
  * (C) Copyright 2009 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -23,7 +24,6 @@
 #include <asm/arch/mxc_hdmi.h>
 #include <asm/arch/crm_regs.h>
 #include <dm.h>
-#include <fsl_sec.h>
 #include <imx_thermal.h>
 #include <mmc.h>
 
@@ -734,9 +734,13 @@ static void setup_serial_number(void)
 
 int arch_misc_init(void)
 {
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
 	setup_serial_number();
 	return 0;
 }
-- 
2.17.1

[PATCH v5 07/16] i.MX7: Enable Job ring driver model in U-Boot.

[Gaurav Jain]

i.MX7D - added support for JR driver model.

removed sec_init() call, sec is initialized based on
job ring information processed from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/Kconfig              |  2 +-
 arch/arm/mach-imx/mx7/Kconfig |  3 +++
 arch/arm/mach-imx/mx7/soc.c   | 11 +++++++----
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 550f884077..516e1b5a8f 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -883,7 +883,7 @@ config ARCH_MX7
 	select CPU_V7A
 	select GPIO_EXTRA_HEADER
 	select MACH_IMX
-	select SYS_FSL_HAS_SEC if IMX_HAB
+	select SYS_FSL_HAS_SEC
 	select SYS_FSL_SEC_COMPAT_4
 	select SYS_FSL_SEC_LE
 	imply BOARD_EARLY_INIT_F
diff --git a/arch/arm/mach-imx/mx7/Kconfig b/arch/arm/mach-imx/mx7/Kconfig
index 0cad825287..d8f748a544 100644
--- a/arch/arm/mach-imx/mx7/Kconfig
+++ b/arch/arm/mach-imx/mx7/Kconfig
@@ -68,6 +68,9 @@ config TARGET_MX7DSABRESD
 	select DM_THERMAL
 	select MX7D
 	imply CMD_DM
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
 
 config TARGET_PICO_IMX7D
 	bool "pico-imx7d"
diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c
index 21690072e1..6c991a6cb1 100644
--- a/arch/arm/mach-imx/mx7/soc.c
+++ b/arch/arm/mach-imx/mx7/soc.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright (C) 2015 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -19,7 +20,6 @@
 #include <dm.h>
 #include <env.h>
 #include <imx_thermal.h>
-#include <fsl_sec.h>
 #include <asm/setup.h>
 #include <linux/delay.h>
 
@@ -337,6 +337,9 @@ int arch_cpu_init(void)
 #ifdef CONFIG_ARCH_MISC_INIT
 int arch_misc_init(void)
 {
+	struct udevice *dev;
+	int ret;
+
 #ifdef CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG
 	struct tag_serialnr serialnr;
 	char serial_string[0x20];
@@ -353,9 +356,9 @@ int arch_misc_init(void)
 	env_set("serial#", serial_string);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
 
 	return 0;
 }
-- 
2.17.1

[PATCH v5 08/16] i.MX7ULP: Enable Job ring driver model in U-Boot.

[Gaurav Jain]

added crypto node in device tree.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/Kconfig                 |  2 +-
 arch/arm/dts/imx7ulp.dtsi        | 24 ++++++++++++++++++++++++
 arch/arm/mach-imx/mx7ulp/Kconfig |  4 ++++
 arch/arm/mach-imx/mx7ulp/soc.c   | 16 ++++++++++++++++
 4 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 516e1b5a8f..524a2204eb 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -870,7 +870,7 @@ config ARCH_MX7ULP
 	select CPU_V7A
 	select GPIO_EXTRA_HEADER
 	select MACH_IMX
-	select SYS_FSL_HAS_SEC if IMX_HAB
+	select SYS_FSL_HAS_SEC
 	select SYS_FSL_SEC_COMPAT_4
 	select SYS_FSL_SEC_LE
 	select ROM_UNIFIED_SECTIONS
diff --git a/arch/arm/dts/imx7ulp.dtsi b/arch/arm/dts/imx7ulp.dtsi
index 7bcd2cc346..494b9d98b2 100644
--- a/arch/arm/dts/imx7ulp.dtsi
+++ b/arch/arm/dts/imx7ulp.dtsi
@@ -1,5 +1,6 @@
 /*
  * Copyright 2015-2016 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -198,6 +199,29 @@
 			};
 		};
 
+		crypto: crypto@40240000 {
+			compatible = "fsl,sec-v4.0";
+			#address-cells = <1>;
+			#size-cells = <1>;
+			reg = <0x40240000 0x10000>;
+			ranges = <0 0x40240000 0x10000>;
+			clocks = <&clks IMX7ULP_CLK_CAAM>,
+				 <&clks IMX7ULP_CLK_NIC1_BUS_DIV>;
+			clock-names = "aclk", "ipg";
+
+			sec_jr0: jr@1000 {
+				compatible = "fsl,sec-v4.0-job-ring";
+				reg = <0x1000 0x1000>;
+				interrupts = <GIC_SPI 54 IRQ_TYPE_LEVEL_HIGH>;
+			};
+
+			sec_jr1: jr@2000 {
+				compatible = "fsl,sec-v4.0-job-ring";
+				reg = <0x2000 0x1000>;
+				interrupts = <GIC_SPI 54 IRQ_TYPE_LEVEL_HIGH>;
+			};
+		};
+
 		tpm5: tpm@40260000 {
 			compatible = "fsl,imx7ulp-tpm";
 			reg = <0x40260000 0x1000>;
diff --git a/arch/arm/mach-imx/mx7ulp/Kconfig b/arch/arm/mach-imx/mx7ulp/Kconfig
index 2ffac9cf7c..0d9f8ffed9 100644
--- a/arch/arm/mach-imx/mx7ulp/Kconfig
+++ b/arch/arm/mach-imx/mx7ulp/Kconfig
@@ -25,6 +25,10 @@ config TARGET_MX7ULP_EVK
 	bool "Support mx7ulp EVK board"
 	select MX7ULP
 	select SYS_ARCH_TIMER
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 
 endchoice
 
diff --git a/arch/arm/mach-imx/mx7ulp/soc.c b/arch/arm/mach-imx/mx7ulp/soc.c
index c90ce22404..c1e55e7260 100644
--- a/arch/arm/mach-imx/mx7ulp/soc.c
+++ b/arch/arm/mach-imx/mx7ulp/soc.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright (C) 2016 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -15,6 +16,7 @@
 #include <asm/mach-imx/hab.h>
 #include <asm/setup.h>
 #include <linux/bitops.h>
+#include <dm.h>
 
 #define PMC0_BASE_ADDR		0x410a1000
 #define PMC0_CTRL		0x28
@@ -80,6 +82,20 @@ int arch_cpu_init(void)
 	return 0;
 }
 
+#if defined(CONFIG_ARCH_MISC_INIT)
+int arch_misc_init(void)
+{
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
+	return 0;
+}
+#endif
+
 #ifdef CONFIG_BOARD_POSTCLK_INIT
 int board_postclk_init(void)
 {
-- 
2.17.1

[PATCH v5 09/16] i.MX8: Add crypto node in device tree

[Gaurav Jain]

i.MX8(QM/QXP) - updated device tree for supporting DM in SPL.

disabled use of JR1 in SPL and uboot, as JR1 is reserved
for SECO FW.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/dts/fsl-imx8dx.dtsi             | 61 +++++++++++++++++++++++-
 arch/arm/dts/fsl-imx8qm-mek-u-boot.dtsi  | 34 ++++++++++++-
 arch/arm/dts/fsl-imx8qm.dtsi             | 61 +++++++++++++++++++++++-
 arch/arm/dts/fsl-imx8qxp-mek-u-boot.dtsi | 34 ++++++++++++-
 4 files changed, 186 insertions(+), 4 deletions(-)

diff --git a/arch/arm/dts/fsl-imx8dx.dtsi b/arch/arm/dts/fsl-imx8dx.dtsi
index 7d95cf0b7d..63a56699b5 100644
--- a/arch/arm/dts/fsl-imx8dx.dtsi
+++ b/arch/arm/dts/fsl-imx8dx.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  */
 
 #include <dt-bindings/interrupt-controller/arm-gic.h>
@@ -261,6 +261,30 @@
 				power-domains = <&pd_dma>;
 			};
 		};
+
+		pd_caam: PD_CAAM {
+			compatible = "nxp,imx8-pd";
+			reg = <SC_R_NONE>;
+			#power-domain-cells = <0>;
+			#address-cells = <1>;
+			#size-cells = <0>;
+
+			pd_caam_jr1: PD_CAAM_JR1 {
+				reg = <SC_R_CAAM_JR1>;
+				#power-domain-cells = <0>;
+				power-domains = <&pd_caam>;
+			};
+			pd_caam_jr2: PD_CAAM_JR2 {
+				reg = <SC_R_CAAM_JR2>;
+				#power-domain-cells = <0>;
+				power-domains = <&pd_caam>;
+			};
+			pd_caam_jr3: PD_CAAM_JR3 {
+				reg = <SC_R_CAAM_JR3>;
+				#power-domain-cells = <0>;
+				power-domains = <&pd_caam>;
+			};
+		};
 	};
 
 	i2c0: i2c@5a800000 {
@@ -609,6 +633,41 @@
 			};
 		};
 	};
+
+	crypto: caam@0x31400000 {
+		compatible = "fsl,sec-v4.0";
+		reg = <0 0x31400000 0 0x400000>;
+		interrupts = <GIC_SPI 148 IRQ_TYPE_LEVEL_HIGH>;
+		#address-cells = <1>;
+		#size-cells = <1>;
+		ranges = <0 0 0x31400000 0x400000>;
+		fsl,first-jr-index = <2>;
+		fsl,sec-era = <9>;
+
+		sec_jr1: jr1@0x20000 {
+			compatible = "fsl,sec-v4.0-job-ring";
+			reg = <0x20000 0x1000>;
+			interrupts = <GIC_SPI 452 IRQ_TYPE_LEVEL_HIGH>;
+			power-domains = <&pd_caam_jr1>;
+			status = "disabled";
+		};
+
+		sec_jr2: jr2@30000 {
+			compatible = "fsl,sec-v4.0-job-ring";
+			reg = <0x30000 0x1000>;
+			interrupts = <GIC_SPI 453 IRQ_TYPE_LEVEL_HIGH>;
+			power-domains = <&pd_caam_jr2>;
+			status = "okay";
+		};
+
+		sec_jr3: jr3@40000 {
+			compatible = "fsl,sec-v4.0-job-ring";
+			reg = <0x40000 0x1000>;
+			interrupts = <GIC_SPI 454 IRQ_TYPE_LEVEL_HIGH>;
+			power-domains = <&pd_caam_jr3>;
+			status = "okay";
+		};
+	};
 };
 
 &A35_0 {
diff --git a/arch/arm/dts/fsl-imx8qm-mek-u-boot.dtsi b/arch/arm/dts/fsl-imx8qm-mek-u-boot.dtsi
index 9e0d264b71..a95209e141 100644
--- a/arch/arm/dts/fsl-imx8qm-mek-u-boot.dtsi
+++ b/arch/arm/dts/fsl-imx8qm-mek-u-boot.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  */
 
 &{/imx8qm-pm} {
@@ -80,6 +80,22 @@
 	u-boot,dm-spl;
 };
 
+&pd_caam {
+	u-boot,dm-spl;
+};
+
+&pd_caam_jr1 {
+	u-boot,dm-spl;
+};
+
+&pd_caam_jr2 {
+	u-boot,dm-spl;
+};
+
+&pd_caam_jr3 {
+	u-boot,dm-spl;
+};
+
 &gpio0 {
 	u-boot,dm-spl;
 };
@@ -126,3 +142,19 @@
 	sd-uhs-sdr104;
 	sd-uhs-ddr50;
 };
+
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
+&sec_jr3 {
+	u-boot,dm-spl;
+};
diff --git a/arch/arm/dts/fsl-imx8qm.dtsi b/arch/arm/dts/fsl-imx8qm.dtsi
index 88aeaf65b3..517fb13cad 100644
--- a/arch/arm/dts/fsl-imx8qm.dtsi
+++ b/arch/arm/dts/fsl-imx8qm.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  */
 
 #include <dt-bindings/interrupt-controller/arm-gic.h>
@@ -235,6 +235,30 @@
 				wakeup-irq = <349>;
 			};
 		};
+
+		pd_caam: PD_CAAM {
+			compatible = "nxp,imx8-pd";
+			reg = <SC_R_NONE>;
+			#power-domain-cells = <0>;
+			#address-cells = <1>;
+			#size-cells = <0>;
+
+			pd_caam_jr1: PD_CAAM_JR1 {
+				reg = <SC_R_CAAM_JR1>;
+				#power-domain-cells = <0>;
+				power-domains = <&pd_caam>;
+			};
+			pd_caam_jr2: PD_CAAM_JR2 {
+				reg = <SC_R_CAAM_JR2>;
+				#power-domain-cells = <0>;
+				power-domains = <&pd_caam>;
+			};
+			pd_caam_jr3: PD_CAAM_JR3 {
+				reg = <SC_R_CAAM_JR3>;
+				#power-domain-cells = <0>;
+				power-domains = <&pd_caam>;
+			};
+		};
 	};
 
 	i2c0: i2c@5a800000 {
@@ -556,6 +580,41 @@
 		power-domains = <&pd_conn_enet1>;
 		status = "disabled";
 	};
+
+	crypto: caam@0x31400000 {
+		compatible = "fsl,sec-v4.0";
+		reg = <0 0x31400000 0 0x400000>;
+		interrupts = <GIC_SPI 148 IRQ_TYPE_LEVEL_HIGH>;
+		#address-cells = <1>;
+		#size-cells = <1>;
+		ranges = <0 0 0x31400000 0x400000>;
+		fsl,first-jr-index = <2>;
+		fsl,sec-era = <9>;
+
+		sec_jr1: jr1@0x20000 {
+			compatible = "fsl,sec-v4.0-job-ring";
+			reg = <0x20000 0x1000>;
+			interrupts = <GIC_SPI 452 IRQ_TYPE_LEVEL_HIGH>;
+			power-domains = <&pd_caam_jr1>;
+			status = "disabled";
+		};
+
+		sec_jr2: jr2@30000 {
+			compatible = "fsl,sec-v4.0-job-ring";
+			reg = <0x30000 0x1000>;
+			interrupts = <GIC_SPI 453 IRQ_TYPE_LEVEL_HIGH>;
+			power-domains = <&pd_caam_jr2>;
+			status = "okay";
+		};
+
+		sec_jr3: jr3@40000 {
+			compatible = "fsl,sec-v4.0-job-ring";
+			reg = <0x40000 0x1000>;
+			interrupts = <GIC_SPI 454 IRQ_TYPE_LEVEL_HIGH>;
+			power-domains = <&pd_caam_jr3>;
+			status = "okay";
+		};
+	};
 };
 
 &A53_0 {
diff --git a/arch/arm/dts/fsl-imx8qxp-mek-u-boot.dtsi b/arch/arm/dts/fsl-imx8qxp-mek-u-boot.dtsi
index 701af4434d..ae037c7550 100644
--- a/arch/arm/dts/fsl-imx8qxp-mek-u-boot.dtsi
+++ b/arch/arm/dts/fsl-imx8qxp-mek-u-boot.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  */
 
 &{/imx8qx-pm} {
@@ -80,6 +80,22 @@
 	u-boot,dm-spl;
 };
 
+&pd_caam {
+	u-boot,dm-spl;
+};
+
+&pd_caam_jr1 {
+	u-boot,dm-spl;
+};
+
+&pd_caam_jr2 {
+	u-boot,dm-spl;
+};
+
+&pd_caam_jr3 {
+	u-boot,dm-spl;
+};
+
 &gpio0 {
 	u-boot,dm-spl;
 };
@@ -126,3 +142,19 @@
 	sd-uhs-sdr104;
 	sd-uhs-ddr50;
 };
+
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
+&sec_jr3 {
+	u-boot,dm-spl;
+};
-- 
2.17.1

[PATCH v5 10/16] crypto/fsl: i.MX8: Enable Job ring driver model in SPL and U-Boot.

[Gaurav Jain]

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/Kconfig                          |  3 +++
 arch/arm/include/asm/arch-imx8/imx-regs.h |  5 ++++-
 arch/arm/mach-imx/cmd_dek.c               |  1 +
 arch/arm/mach-imx/imx8/Kconfig            |  9 +++++++++
 arch/arm/mach-imx/imx8/cpu.c              | 16 ++++++++++++++-
 board/freescale/imx8qm_mek/spl.c          |  6 ++++--
 board/freescale/imx8qxp_mek/spl.c         |  6 ++++--
 drivers/crypto/fsl/Kconfig                |  2 +-
 drivers/crypto/fsl/jr.c                   | 24 +++++++++++++++++++++++
 include/fsl_sec.h                         | 12 +++++-------
 10 files changed, 70 insertions(+), 14 deletions(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 524a2204eb..7ce2bbc954 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -804,6 +804,9 @@ config ARCH_LPC32XX
 config ARCH_IMX8
 	bool "NXP i.MX8 platform"
 	select ARM64
+	select SYS_FSL_HAS_SEC
+	select SYS_FSL_SEC_COMPAT_4
+	select SYS_FSL_SEC_LE
 	select DM
 	select GPIO_EXTRA_HEADER
 	select MACH_IMX
diff --git a/arch/arm/include/asm/arch-imx8/imx-regs.h b/arch/arm/include/asm/arch-imx8/imx-regs.h
index ed6e05e556..2d64b0604b 100644
--- a/arch/arm/include/asm/arch-imx8/imx-regs.h
+++ b/arch/arm/include/asm/arch-imx8/imx-regs.h
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0+ */
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  */
 
 #ifndef __ASM_ARCH_IMX8_REGS_H__
@@ -47,4 +47,7 @@
 #define USB_BASE_ADDR		0x5b0d0000
 #define USB_PHY0_BASE_ADDR	0x5b100000
 
+#define CONFIG_SYS_FSL_SEC_ADDR (0x31400000)
+#define CONFIG_SYS_FSL_MAX_NUM_OF_SEC	1
+
 #endif /* __ASM_ARCH_IMX8_REGS_H__ */
diff --git a/arch/arm/mach-imx/cmd_dek.c b/arch/arm/mach-imx/cmd_dek.c
index 89da89c51d..04c4b20a84 100644
--- a/arch/arm/mach-imx/cmd_dek.c
+++ b/arch/arm/mach-imx/cmd_dek.c
@@ -9,6 +9,7 @@
 #include <command.h>
 #include <log.h>
 #include <malloc.h>
+#include <memalign.h>
 #include <asm/byteorder.h>
 #include <linux/compiler.h>
 #include <fsl_sec.h>
diff --git a/arch/arm/mach-imx/imx8/Kconfig b/arch/arm/mach-imx/imx8/Kconfig
index b43739e5c6..9a20ebe84e 100644
--- a/arch/arm/mach-imx/imx8/Kconfig
+++ b/arch/arm/mach-imx/imx8/Kconfig
@@ -8,6 +8,7 @@ config AHAB_BOOT
 
 config IMX8
 	bool
+	select HAS_CAAM
 
 config MU_BASE_SPL
 	hex "MU base address used in SPL"
@@ -72,6 +73,10 @@ config TARGET_IMX8QM_MEK
 	bool "Support i.MX8QM MEK board"
 	select BOARD_LATE_INIT
 	select IMX8QM
+	select FSL_CAAM
+	select FSL_BLOB
+	select ARCH_MISC_INIT
+	select SPL_CRYPTO if SPL
 
 config TARGET_CONGA_QMX8
 	bool "Support congatec conga-QMX8 board"
@@ -89,6 +94,10 @@ config TARGET_IMX8QXP_MEK
 	bool "Support i.MX8QXP MEK board"
 	select BOARD_LATE_INIT
 	select IMX8QXP
+	select FSL_CAAM
+	select FSL_BLOB
+	select ARCH_MISC_INIT
+	select SPL_CRYPTO if SPL
 
 endchoice
 
diff --git a/arch/arm/mach-imx/imx8/cpu.c b/arch/arm/mach-imx/imx8/cpu.c
index ee5cc47903..5140c93a37 100644
--- a/arch/arm/mach-imx/imx8/cpu.c
+++ b/arch/arm/mach-imx/imx8/cpu.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  */
 
 #include <common.h>
@@ -89,6 +89,20 @@ int arch_cpu_init_dm(void)
 	return 0;
 }
 
+#if defined(CONFIG_ARCH_MISC_INIT)
+int arch_misc_init(void)
+{
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
+	return 0;
+}
+#endif
+
 int print_bootinfo(void)
 {
 	enum boot_device bt_dev = get_boot_device();
diff --git a/board/freescale/imx8qm_mek/spl.c b/board/freescale/imx8qm_mek/spl.c
index 944ba745c0..332a662dee 100644
--- a/board/freescale/imx8qm_mek/spl.c
+++ b/board/freescale/imx8qm_mek/spl.c
@@ -1,7 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  *
- * SPDX-License-Identifier:	GPL-2.0+
  */
 
 #include <common.h>
@@ -24,6 +24,8 @@ void spl_board_init(void)
 {
 	struct udevice *dev;
 
+	uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(imx8_scu), &dev);
+
 	uclass_find_first_device(UCLASS_MISC, &dev);
 
 	for (; dev; uclass_find_next_device(&dev)) {
diff --git a/board/freescale/imx8qxp_mek/spl.c b/board/freescale/imx8qxp_mek/spl.c
index ae6b64ff6e..2fa6840056 100644
--- a/board/freescale/imx8qxp_mek/spl.c
+++ b/board/freescale/imx8qxp_mek/spl.c
@@ -1,7 +1,7 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  *
- * SPDX-License-Identifier:	GPL-2.0+
  */
 
 #include <common.h>
@@ -39,6 +39,8 @@ void spl_board_init(void)
 {
 	struct udevice *dev;
 
+	uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(imx8_scu), &dev);
+
 	uclass_find_first_device(UCLASS_MISC, &dev);
 
 	for (; dev; uclass_find_next_device(&dev)) {
diff --git a/drivers/crypto/fsl/Kconfig b/drivers/crypto/fsl/Kconfig
index ab59d516f8..0bc1458eb5 100644
--- a/drivers/crypto/fsl/Kconfig
+++ b/drivers/crypto/fsl/Kconfig
@@ -11,7 +11,7 @@ config FSL_CAAM
 
 config CAAM_64BIT
 	bool
-	default y if PHYS_64BIT && !ARCH_IMX8M
+	default y if PHYS_64BIT && !ARCH_IMX8M && !ARCH_IMX8
 	help
 	  Select Crypto driver for 64 bits CAAM version
 
diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index a99792afbb..9b751aca9b 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -25,6 +25,7 @@
 #include <linux/delay.h>
 #include <dm/root.h>
 #include <dm/device-internal.h>
+#include <power-domain.h>
 
 #define CIRC_CNT(head, tail, size)	(((head) - (tail)) & (size - 1))
 #define CIRC_SPACE(head, tail, size)	CIRC_CNT((tail), (head) + 1, (size))
@@ -790,6 +791,25 @@ int sec_init(void)
 	return sec_init_idx(0);
 }
 
+#ifdef CONFIG_ARCH_IMX8
+static int jr_power_on(ofnode node)
+{
+#if CONFIG_IS_ENABLED(POWER_DOMAIN)
+	struct udevice __maybe_unused jr_dev;
+	struct power_domain pd;
+
+	dev_set_ofnode(&jr_dev, node);
+
+	/* Power on Job Ring before access it */
+	if (!power_domain_get(&jr_dev, &pd)) {
+		if (power_domain_on(&pd))
+			return -EINVAL;
+	}
+#endif
+	return 0;
+}
+#endif
+
 #if CONFIG_IS_ENABLED(DM)
 static int caam_jr_probe(struct udevice *dev)
 {
@@ -820,6 +840,10 @@ static int caam_jr_probe(struct udevice *dev)
 				jr_node = jr_node >> 4;
 			}
 			caam->jrid = jr_node - 1;
+#ifdef CONFIG_ARCH_IMX8
+			if (jr_power_on(node))
+				return -EINVAL;
+#endif
 			break;
 		}
 	}
diff --git a/include/fsl_sec.h b/include/fsl_sec.h
index c4121696f8..7b6e3e2c20 100644
--- a/include/fsl_sec.h
+++ b/include/fsl_sec.h
@@ -3,7 +3,7 @@
  * Common internal memory map for some Freescale SoCs
  *
  * Copyright 2014 Freescale Semiconductor, Inc.
- * Copyright 2018 NXP
+ * Copyright 2018, 2021 NXP
  */
 
 #ifndef __FSL_SEC_H
@@ -194,12 +194,10 @@ typedef struct ccsr_sec {
 #define SEC_CHAVID_LS_RNG_SHIFT		16
 #define SEC_CHAVID_RNG_LS_MASK		0x000f0000
 
-#define CONFIG_JRSTARTR_JR0		0x00000001
-
 struct jr_regs {
 #if defined(CONFIG_SYS_FSL_SEC_LE) && \
 	!(defined(CONFIG_MX6) || defined(CONFIG_MX7) || \
-	  defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M))
+	  defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M) || defined(CONFIG_IMX8))
 	u32 irba_l;
 	u32 irba_h;
 #else
@@ -214,7 +212,7 @@ struct jr_regs {
 	u32 irja;
 #if defined(CONFIG_SYS_FSL_SEC_LE) && \
 	!(defined(CONFIG_MX6) || defined(CONFIG_MX7) || \
-	  defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M))
+	  defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M) || defined(CONFIG_IMX8))
 	u32 orba_l;
 	u32 orba_h;
 #else
@@ -248,7 +246,7 @@ struct jr_regs {
 struct sg_entry {
 #if defined(CONFIG_SYS_FSL_SEC_LE) && \
 	!(defined(CONFIG_MX6) || defined(CONFIG_MX7) || \
-	  defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M))
+	  defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M) || defined(CONFIG_IMX8))
 	uint32_t addr_lo;	/* Memory Address - lo */
 	uint32_t addr_hi;	/* Memory Address of start of buffer - hi */
 #else
@@ -268,7 +266,7 @@ struct sg_entry {
 };
 
 #if defined(CONFIG_MX6) || defined(CONFIG_MX7) || \
-	defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M)
+	defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M) || defined(CONFIG_IMX8)
 /* Job Ring Base Address */
 #define JR_BASE_ADDR(x) (CONFIG_SYS_FSL_SEC_ADDR + 0x1000 * (x + 1))
 /* Secure Memory Offset varies accross versions */
-- 
2.17.1

[PATCH v5 11/16] crypto/fsl: Fix kick_trng

[Gaurav Jain]

From: Ye Li <ye.li@nxp.com>

fix hwrng performance issue in kernel.

Signed-off-by: Ye Li <ye.li@nxp.com>
Acked-by: Gaurav Jain <gaurav.jain@nxp.com>>
---
 drivers/crypto/fsl/jr.c | 109 ++++++++++++++++++++++++++++++++++------
 include/fsl_sec.h       |   1 +
 2 files changed, 94 insertions(+), 16 deletions(-)

diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index 9b751aca9b..ef136988b6 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -602,30 +602,107 @@ static u8 get_rng_vid(ccsr_sec_t *sec)
  */
 static void kick_trng(int ent_delay, ccsr_sec_t *sec)
 {
+	u32 samples  = 512; /* number of bits to generate and test */
+	u32 mono_min = 195;
+	u32 mono_max = 317;
+	u32 mono_range  = mono_max - mono_min;
+	u32 poker_min = 1031;
+	u32 poker_max = 1600;
+	u32 poker_range = poker_max - poker_min + 1;
+	u32 retries    = 2;
+	u32 lrun_max   = 32;
+	s32 run_1_min   = 27;
+	s32 run_1_max   = 107;
+	s32 run_1_range = run_1_max - run_1_min;
+	s32 run_2_min   = 7;
+	s32 run_2_max   = 62;
+	s32 run_2_range = run_2_max - run_2_min;
+	s32 run_3_min   = 0;
+	s32 run_3_max   = 39;
+	s32 run_3_range = run_3_max - run_3_min;
+	s32 run_4_min   = -1;
+	s32 run_4_max   = 26;
+	s32 run_4_range = run_4_max - run_4_min;
+	s32 run_5_min   = -1;
+	s32 run_5_max   = 18;
+	s32 run_5_range = run_5_max - run_5_min;
+	s32 run_6_min   = -1;
+	s32 run_6_max   = 17;
+	s32 run_6_range = run_6_max - run_6_min;
+	u32 val;
+
 	struct rng4tst __iomem *rng =
 			(struct rng4tst __iomem *)&sec->rng;
-	u32 val;
 
-	/* put RNG4 into program mode */
-	sec_setbits32(&rng->rtmctl, RTMCTL_PRGM);
-	/* rtsdctl bits 0-15 contain "Entropy Delay, which defines the
-	 * length (in system clocks) of each Entropy sample taken
-	 * */
+	/* Put RNG in program mode */
+	/* Setting both RTMCTL:PRGM and RTMCTL:TRNG_ACC causes TRNG to
+	 * properly invalidate the entropy in the entropy register and
+	 * force re-generation.
+	 */
+	sec_setbits32(&rng->rtmctl, RTMCTL_PRGM | RTMCTL_ACC);
+
+	/* Configure the RNG Entropy Delay
+	 * Performance-wise, it does not make sense to
+	 * set the delay to a value that is lower
+	 * than the last one that worked (i.e. the state handles
+	 * were instantiated properly. Thus, instead of wasting
+	 * time trying to set the values controlling the sample
+	 * frequency, the function simply returns.
+	 */
 	val = sec_in32(&rng->rtsdctl);
-	val = (val & ~RTSDCTL_ENT_DLY_MASK) |
-	      (ent_delay << RTSDCTL_ENT_DLY_SHIFT);
+	val &= RTSDCTL_ENT_DLY_MASK;
+	val >>= RTSDCTL_ENT_DLY_SHIFT;
+	if (ent_delay < val) {
+		/* Put RNG4 into run mode */
+		sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM | RTMCTL_ACC);
+		return;
+	}
+
+	val = (ent_delay << RTSDCTL_ENT_DLY_SHIFT) | samples;
 	sec_out32(&rng->rtsdctl, val);
-	/* min. freq. count, equal to 1/4 of the entropy sample length */
-	sec_out32(&rng->rtfreqmin, ent_delay >> 2);
-	/* disable maximum frequency count */
-	sec_out32(&rng->rtfreqmax, RTFRQMAX_DISABLE);
+
 	/*
-	 * select raw sampling in both entropy shifter
+	 * Recommended margins (min,max) for freq. count:
+	 *   freq_mul = RO_freq / TRNG_clk_freq
+	 *   rtfrqmin = (ent_delay x freq_mul) >> 1;
+	 *   rtfrqmax = (ent_delay x freq_mul) << 3;
+	 * Given current deployments of CAAM in i.MX SoCs, and to simplify
+	 * the configuration, we consider [1,16] to be a safe interval
+	 * for the freq_mul and the limits of the interval are used to compute
+	 * rtfrqmin, rtfrqmax
+	 */
+	sec_out32(&rng->rtfreqmin, ent_delay >> 1);
+	sec_out32(&rng->rtfreqmax, ent_delay << 7);
+
+	sec_out32(&rng->rtscmisc, (retries << 16) | lrun_max);
+	sec_out32(&rng->rtpkrmax, poker_max);
+	sec_out32(&rng->rtpkrrng, poker_range);
+	sec_out32(&rng->rsvd1[0], (mono_range << 16) | mono_max);
+	sec_out32(&rng->rsvd1[1], (run_1_range << 16) | run_1_max);
+	sec_out32(&rng->rsvd1[2], (run_2_range << 16) | run_2_max);
+	sec_out32(&rng->rsvd1[3], (run_3_range << 16) | run_3_max);
+	sec_out32(&rng->rsvd1[4], (run_4_range << 16) | run_4_max);
+	sec_out32(&rng->rsvd1[5], (run_5_range << 16) | run_5_max);
+	sec_out32(&rng->rsvd1[6], (run_6_range << 16) | run_6_max);
+
+	val = sec_in32(&rng->rtmctl);
+	/*
+	 * Select raw sampling in both entropy shifter
 	 * and statistical checker
 	 */
-	sec_setbits32(&rng->rtmctl, RTMCTL_SAMP_MODE_RAW_ES_SC);
-	/* put RNG4 into run mode */
-	sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM);
+	val &= ~RTMCTL_SAMP_MODE_INVALID;
+	val |= RTMCTL_SAMP_MODE_RAW_ES_SC;
+	/* Put RNG4 into run mode */
+	val &= ~(RTMCTL_PRGM | RTMCTL_ACC);
+	/*test with sample mode only */
+	sec_out32(&rng->rtmctl, val);
+
+	/* Clear the ERR bit in RTMCTL if set. The TRNG error can occur when the
+	 * RNG clock is not within 1/2x to 8x the system clock.
+	 * This error is possible if ROM code does not initialize the system PLLs
+	 * immediately after PoR.
+	 */
+	/* setbits_le32(CAAM_RTMCTL, RTMCTL_ERR); */
 }
 
 static int rng_init(uint8_t sec_idx, ccsr_sec_t *sec)
diff --git a/include/fsl_sec.h b/include/fsl_sec.h
index 7b6e3e2c20..2b3239414a 100644
--- a/include/fsl_sec.h
+++ b/include/fsl_sec.h
@@ -34,6 +34,7 @@
 #if CONFIG_SYS_FSL_SEC_COMPAT >= 4
 /* RNG4 TRNG test registers */
 struct rng4tst {
+#define RTMCTL_ACC  0x20
 #define RTMCTL_PRGM 0x00010000	/* 1 -> program mode, 0 -> run mode */
 #define RTMCTL_SAMP_MODE_VON_NEUMANN_ES_SC     0 /* use von Neumann data in
 						    both entropy shifter and
-- 
2.17.1

[PATCH v5 12/16] Layerscape: Add crypto node in device tree

[Gaurav Jain]

LS(1021/1012/1028/1043/1046/1088/2088), LX2160 - updated device tree

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
---
 arch/arm/dts/fsl-ls1012a.dtsi | 46 ++++++++++++++++++++++++++++++++++-
 arch/arm/dts/fsl-ls1043a.dtsi | 45 +++++++++++++++++++++++++++++++++-
 arch/arm/dts/fsl-ls1046a.dtsi | 44 +++++++++++++++++++++++++++++++++
 arch/arm/dts/fsl-ls1088a.dtsi | 39 +++++++++++++++++++++++++++++
 arch/arm/dts/fsl-ls2080a.dtsi | 39 +++++++++++++++++++++++++++++
 arch/arm/dts/fsl-lx2160a.dtsi | 41 ++++++++++++++++++++++++++++++-
 arch/arm/dts/ls1021a.dtsi     | 40 ++++++++++++++++++++++++++++++
 7 files changed, 291 insertions(+), 3 deletions(-)

diff --git a/arch/arm/dts/fsl-ls1012a.dtsi b/arch/arm/dts/fsl-ls1012a.dtsi
index 0ea899c7d7..1cdcc99c1e 100644
--- a/arch/arm/dts/fsl-ls1012a.dtsi
+++ b/arch/arm/dts/fsl-ls1012a.dtsi
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+ OR X11
 /*
- * Copyright 2020 NXP
+ * Copyright 2020-2021 NXP
  * Copyright 2016 Freescale Semiconductor
  */
 
@@ -71,6 +71,50 @@
 			bus-width = <4>;
 		};
 
+		crypto: crypto@1700000 {
+			compatible = "fsl,sec-v5.4", "fsl,sec-v5.0",
+				     "fsl,sec-v4.0";
+			fsl,sec-era = <8>;
+			#address-cells = <1>;
+			#size-cells = <1>;
+			ranges = <0x0 0x00 0x1700000 0x100000>;
+			reg = <0x00 0x1700000 0x0 0x100000>;
+			interrupts = <0 75 0x4>;
+			dma-coherent;
+
+			sec_jr0: jr@10000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x10000 0x10000>;
+				interrupts = <0 71 0x4>;
+			};
+
+			sec_jr1: jr@20000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x20000 0x10000>;
+				interrupts = <0 72 0x4>;
+			};
+
+			sec_jr2: jr@30000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x30000 0x10000>;
+				interrupts = <0 73 0x4>;
+			};
+
+			sec_jr3: jr@40000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x40000 0x10000>;
+				interrupts = <0 74 0x4>;
+			};
+		};
+
 		gpio0: gpio@2300000 {
 			compatible = "fsl,qoriq-gpio";
 			reg = <0x0 0x2300000 0x0 0x10000>;
diff --git a/arch/arm/dts/fsl-ls1043a.dtsi b/arch/arm/dts/fsl-ls1043a.dtsi
index 52dc5a9638..72877d2ff5 100644
--- a/arch/arm/dts/fsl-ls1043a.dtsi
+++ b/arch/arm/dts/fsl-ls1043a.dtsi
@@ -2,7 +2,7 @@
 /*
  * Device Tree Include file for NXP Layerscape-1043A family SoC.
  *
- * Copyright 2020 NXP
+ * Copyright 2020-2021 NXP
  * Copyright (C) 2014-2015, Freescale Semiconductor
  *
  * Mingkai Hu <Mingkai.hu@freescale.com>
@@ -125,6 +125,49 @@
 			interrupts = <0 43 0x4>;
 		};
 
+		crypto: crypto@1700000 {
+			compatible = "fsl,sec-v5.4", "fsl,sec-v5.0",
+				     "fsl,sec-v4.0";
+			fsl,sec-era = <3>;
+			#address-cells = <1>;
+			#size-cells = <1>;
+			ranges = <0x0 0x00 0x1700000 0x100000>;
+			reg = <0x00 0x1700000 0x0 0x100000>;
+			interrupts = <0 75 0x4>;
+
+			sec_jr0: jr@10000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x10000 0x10000>;
+				interrupts = <0 71 0x4>;
+			};
+
+			sec_jr1: jr@20000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x20000 0x10000>;
+				interrupts = <0 72 0x4>;
+			};
+
+			sec_jr2: jr@30000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x30000 0x10000>;
+				interrupts = <0 73 0x4>;
+			};
+
+			sec_jr3: jr@40000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x40000 0x10000>;
+				interrupts = <0 74 0x4>;
+			};
+		};
+
 		i2c0: i2c@2180000 {
 			compatible = "fsl,vf610-i2c";
 			#address-cells = <1>;
diff --git a/arch/arm/dts/fsl-ls1046a.dtsi b/arch/arm/dts/fsl-ls1046a.dtsi
index a60cbf11fc..c655e002aa 100644
--- a/arch/arm/dts/fsl-ls1046a.dtsi
+++ b/arch/arm/dts/fsl-ls1046a.dtsi
@@ -3,6 +3,7 @@
  * Device Tree Include file for Freescale Layerscape-1046A family SoC.
  *
  * Copyright (C) 2016, Freescale Semiconductor
+ * Copyright 2021 NXP
  *
  * Mingkai Hu <mingkai.hu@nxp.com>
  */
@@ -124,6 +125,49 @@
 			interrupts = <0 43 0x4>;
 		};
 
+		crypto: crypto@1700000 {
+			compatible = "fsl,sec-v5.4", "fsl,sec-v5.0",
+				     "fsl,sec-v4.0";
+			fsl,sec-era = <8>;
+			#address-cells = <1>;
+			#size-cells = <1>;
+			ranges = <0x0 0x00 0x1700000 0x100000>;
+			reg = <0x00 0x1700000 0x0 0x100000>;
+			interrupts = <0 75 0x4>;
+
+			sec_jr0: jr@10000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x10000 0x10000>;
+				interrupts = <0 71 0x4>;
+			};
+
+			sec_jr1: jr@20000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x20000 0x10000>;
+				interrupts = <0 72 0x4>;
+			};
+
+			sec_jr2: jr@30000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x30000 0x10000>;
+				interrupts = <0 73 0x4>;
+			};
+
+			sec_jr3: jr@40000 {
+				compatible = "fsl,sec-v5.4-job-ring",
+					     "fsl,sec-v5.0-job-ring",
+					     "fsl,sec-v4.0-job-ring";
+				reg	   = <0x40000 0x10000>;
+				interrupts = <0 74 0x4>;
+			};
+		};
+
 		i2c0: i2c@2180000 {
 			compatible = "fsl,vf610-i2c";
 			#address-cells = <1>;
diff --git a/arch/arm/dts/fsl-ls1088a.dtsi b/arch/arm/dts/fsl-ls1088a.dtsi
index f73fdfda8b..9b7c54b260 100644
--- a/arch/arm/dts/fsl-ls1088a.dtsi
+++ b/arch/arm/dts/fsl-ls1088a.dtsi
@@ -174,6 +174,45 @@
 		dr_mode = "host";
 	};
 
+	crypto: crypto@8000000 {
+		compatible = "fsl,sec-v5.0", "fsl,sec-v4.0";
+		fsl,sec-era = <8>;
+		#address-cells = <1>;
+		#size-cells = <1>;
+		ranges = <0x0 0x00 0x8000000 0x100000>;
+		reg = <0x00 0x8000000 0x0 0x100000>;
+		interrupts = <GIC_SPI 139 IRQ_TYPE_LEVEL_HIGH>;
+		dma-coherent;
+
+		sec_jr0: jr@10000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x10000 0x10000>;
+			interrupts = <GIC_SPI 140 IRQ_TYPE_LEVEL_HIGH>;
+		};
+
+		sec_jr1: jr@20000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x20000 0x10000>;
+			interrupts = <GIC_SPI 141 IRQ_TYPE_LEVEL_HIGH>;
+		};
+
+		sec_jr2: jr@30000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x30000 0x10000>;
+			interrupts = <GIC_SPI 142 IRQ_TYPE_LEVEL_HIGH>;
+		};
+
+		sec_jr3: jr@40000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x40000 0x10000>;
+			interrupts = <GIC_SPI 143 IRQ_TYPE_LEVEL_HIGH>;
+		};
+	};
+
 	pcie1: pcie@3400000 {
 		compatible = "fsl,ls-pcie", "snps,dw-pcie";
 		reg = <0x00 0x03400000 0x0 0x80000   /* dbi registers */
diff --git a/arch/arm/dts/fsl-ls2080a.dtsi b/arch/arm/dts/fsl-ls2080a.dtsi
index 72ba52594a..a1837454f4 100644
--- a/arch/arm/dts/fsl-ls2080a.dtsi
+++ b/arch/arm/dts/fsl-ls2080a.dtsi
@@ -239,6 +239,45 @@
 			status = "disabled";
 	};
 
+	crypto: crypto@8000000 {
+		compatible = "fsl,sec-v5.0", "fsl,sec-v4.0";
+		fsl,sec-era = <8>;
+		#address-cells = <1>;
+		#size-cells = <1>;
+		ranges = <0x0 0x00 0x8000000 0x100000>;
+		reg = <0x00 0x8000000 0x0 0x100000>;
+		interrupts = <0 139 0x4>;  /* Level high type */
+		dma-coherent;
+
+		sec_jr0: jr@10000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x10000 0x10000>;
+			interrupts = <0 140 0x4>;  /* Level high type */
+		};
+
+		sec_jr1: jr@20000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x20000 0x10000>;
+			interrupts = <0 141 0x4>;  /* Level high type */
+		};
+
+		sec_jr2: jr@30000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x30000 0x10000>;
+			interrupts = <0 142 0x4>;  /* Level high type */
+		};
+
+		sec_jr3: jr@40000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg	   = <0x40000 0x10000>;
+			interrupts = <0 143 0x4>;  /* Level high type */
+		};
+	};
+
 	fsl_mc: fsl-mc@80c000000 {
 		compatible = "fsl,qoriq-mc", "simple-mfd";
 		reg = <0x00000008 0x0c000000 0 0x40>,    /* MC portal base */
diff --git a/arch/arm/dts/fsl-lx2160a.dtsi b/arch/arm/dts/fsl-lx2160a.dtsi
index 52e4d7205a..57c7d3ef71 100644
--- a/arch/arm/dts/fsl-lx2160a.dtsi
+++ b/arch/arm/dts/fsl-lx2160a.dtsi
@@ -2,7 +2,7 @@
 /*
  * NXP lx2160a SOC common device tree source
  *
- * Copyright 2018-2020 NXP
+ * Copyright 2018-2021 NXP
  *
  */
 
@@ -27,6 +27,45 @@
 		clock-output-names = "sysclk";
 	};
 
+	crypto: crypto@8000000 {
+		compatible = "fsl,sec-v5.0", "fsl,sec-v4.0";
+		fsl,sec-era = <10>;
+		#address-cells = <1>;
+		#size-cells = <1>;
+		ranges = <0x0 0x00 0x8000000 0x100000>;
+		reg = <0x00 0x8000000 0x0 0x100000>;
+		interrupts = <GIC_SPI 139 IRQ_TYPE_LEVEL_HIGH>;
+		dma-coherent;
+
+		sec_jr0: jr@10000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg        = <0x10000 0x10000>;
+			interrupts = <GIC_SPI 140 IRQ_TYPE_LEVEL_HIGH>;
+		};
+
+		sec_jr1: jr@20000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg        = <0x20000 0x10000>;
+			interrupts = <GIC_SPI 141 IRQ_TYPE_LEVEL_HIGH>;
+		};
+
+		sec_jr2: jr@30000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg        = <0x30000 0x10000>;
+			interrupts = <GIC_SPI 142 IRQ_TYPE_LEVEL_HIGH>;
+		};
+
+		sec_jr3: jr@40000 {
+			compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+			reg        = <0x40000 0x10000>;
+			interrupts = <GIC_SPI 143 IRQ_TYPE_LEVEL_HIGH>;
+		};
+	};
+
 	clockgen: clocking@1300000 {
 		compatible = "fsl,ls2080a-clockgen";
 		reg = <0 0x1300000 0 0xa0000>;
diff --git a/arch/arm/dts/ls1021a.dtsi b/arch/arm/dts/ls1021a.dtsi
index 86192cbb7f..be330c130f 100644
--- a/arch/arm/dts/ls1021a.dtsi
+++ b/arch/arm/dts/ls1021a.dtsi
@@ -3,6 +3,7 @@
  * Freescale ls1021a SOC common device tree source
  *
  * Copyright 2013-2015 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include "skeleton.dtsi"
@@ -144,6 +145,45 @@
 			big-endian;
 		};
 
+		crypto: crypto@1700000 {
+			compatible = "fsl,sec-v5.0", "fsl,sec-v4.0";
+			fsl,sec-era = <7>;
+			#address-cells = <1>;
+			#size-cells = <1>;
+			reg		 = <0x1700000 0x100000>;
+			ranges		 = <0x0 0x1700000 0x100000>;
+			interrupts	 = <GIC_SPI 107 IRQ_TYPE_LEVEL_HIGH>;
+
+			sec_jr0: jr@10000 {
+				compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+				reg = <0x10000 0x10000>;
+				interrupts = <GIC_SPI 103 IRQ_TYPE_LEVEL_HIGH>;
+			};
+
+			sec_jr1: jr@20000 {
+				compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+				reg = <0x20000 0x10000>;
+				interrupts = <GIC_SPI 104 IRQ_TYPE_LEVEL_HIGH>;
+			};
+
+			sec_jr2: jr@30000 {
+				compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+				reg = <0x30000 0x10000>;
+				interrupts = <GIC_SPI 105 IRQ_TYPE_LEVEL_HIGH>;
+			};
+
+			sec_jr3: jr@40000 {
+				compatible = "fsl,sec-v5.0-job-ring",
+				     "fsl,sec-v4.0-job-ring";
+				reg = <0x40000 0x10000>;
+				interrupts = <GIC_SPI 106 IRQ_TYPE_LEVEL_HIGH>;
+			};
+
+		};
+
 		clockgen: clocking@1ee1000 {
 			#address-cells = <1>;
 			#size-cells = <1>;
-- 
2.17.1

[PATCH v5 13/16] Layerscape: Enable Job ring driver model in U-Boot.

[Gaurav Jain]

LS(1021/1012/1028/1043/1046/1088/2088), LX2160, LX2162
platforms are enabled with JR driver model.

removed sec_init() call from board files.
removed CONFIG_FSL_CAAM from defconfig files.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
---
 arch/arm/cpu/armv7/ls102xa/Kconfig            |  4 +++
 arch/arm/cpu/armv7/ls102xa/cpu.c              | 16 +++++++++++
 arch/arm/cpu/armv8/fsl-layerscape/Kconfig     | 27 +++++++++++++++++++
 arch/arm/cpu/armv8/fsl-layerscape/cpu.c       | 10 ++++++-
 board/freescale/ls1012afrdm/ls1012afrdm.c     |  7 +----
 board/freescale/ls1012aqds/ls1012aqds.c       |  6 +----
 board/freescale/ls1012ardb/ls1012ardb.c       |  6 +----
 board/freescale/ls1021aiot/ls1021aiot.c       |  6 ++---
 board/freescale/ls1021aqds/ls1021aqds.c       |  6 +----
 board/freescale/ls1021atsn/ls1021atsn.c       |  7 ++---
 board/freescale/ls1021atwr/ls1021atwr.c       |  8 ++----
 board/freescale/ls1028a/ls1028a.c             |  6 +----
 board/freescale/ls1043ardb/ls1043ardb.c       |  6 +----
 board/freescale/ls1046afrwy/ls1046afrwy.c     |  7 +----
 board/freescale/ls1046aqds/ls1046aqds.c       |  7 +----
 board/freescale/ls1046ardb/ls1046ardb.c       |  6 +----
 board/freescale/ls1088a/ls1088a.c             |  6 +----
 board/freescale/ls2080aqds/ls2080aqds.c       |  6 +----
 board/freescale/ls2080ardb/ls2080ardb.c       |  9 +------
 board/freescale/lx2160a/lx2160a.c             |  5 ----
 configs/ls1021aiot_qspi_defconfig             |  1 -
 configs/ls1021aqds_nor_defconfig              |  1 -
 configs/ls1021aqds_qspi_defconfig             |  1 -
 configs/ls1021atsn_qspi_defconfig             |  1 -
 configs/ls1021atwr_nor_defconfig              |  1 -
 ...s1021atwr_sdcard_ifc_SECURE_BOOT_defconfig |  1 +
 configs/ls1028ardb_tfa_defconfig              |  1 -
 configs/ls1043ardb_tfa_defconfig              |  1 -
 configs/ls1046afrwy_tfa_defconfig             |  1 -
 configs/ls1046aqds_tfa_defconfig              |  1 -
 configs/ls1046ardb_tfa_defconfig              |  1 -
 configs/ls2088aqds_tfa_defconfig              |  1 -
 configs/ls2088ardb_tfa_defconfig              |  1 -
 configs/lx2160aqds_tfa_defconfig              |  1 -
 configs/lx2160ardb_tfa_defconfig              |  1 -
 configs/lx2162aqds_tfa_defconfig              |  1 -
 36 files changed, 75 insertions(+), 102 deletions(-)

diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig b/arch/arm/cpu/armv7/ls102xa/Kconfig
index f919d02db4..8e8fb4e9db 100644
--- a/arch/arm/cpu/armv7/ls102xa/Kconfig
+++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
@@ -21,6 +21,10 @@ config ARCH_LS1021A
 	select SYS_FSL_SRDS_1
 	select SYS_HAS_SERDES
 	select SYS_I2C_MXC
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_PCI
 	imply SCSI
 	imply SCSI_AHCI
diff --git a/arch/arm/cpu/armv7/ls102xa/cpu.c b/arch/arm/cpu/armv7/ls102xa/cpu.c
index d863c9625a..4904592703 100644
--- a/arch/arm/cpu/armv7/ls102xa/cpu.c
+++ b/arch/arm/cpu/armv7/ls102xa/cpu.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2014 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -20,6 +21,7 @@
 #include <config.h>
 #include <fsl_wdog.h>
 #include <linux/delay.h>
+#include <dm.h>
 
 #include "fsl_epu.h"
 
@@ -397,3 +399,17 @@ void arch_preboot_os(void)
 	ctrl &= ~ARCH_TIMER_CTRL_ENABLE;
 	asm("mcr p15, 0, %0, c14, c2, 1" : : "r" (ctrl));
 }
+
+#ifdef CONFIG_ARCH_MISC_INIT
+int arch_misc_init(void)
+{
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
+	return 0;
+}
+#endif
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
index 1a057f7059..f51c390ede 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
+++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
@@ -20,6 +20,10 @@ config ARCH_LS1012A
 	select SYS_I2C_MXC
 	select SYS_I2C_MXC_I2C1 if !DM_I2C
 	select SYS_I2C_MXC_I2C2 if !DM_I2C
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply PANIC_HANG
 
 config ARCH_LS1028A
@@ -53,6 +57,9 @@ config ARCH_LS1028A
 	select SYS_FSL_ERRATUM_A011334
 	select SYS_FSL_ESDHC_UNRELIABLE_PULSE_DETECTION_WORKAROUND
 	select RESV_RAM if GIC_V3_ITS
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
 	imply PANIC_HANG
 
 config ARCH_LS1043A
@@ -88,6 +95,10 @@ config ARCH_LS1043A
 	select SYS_I2C_MXC_I2C2 if !DM_I2C
 	select SYS_I2C_MXC_I2C3 if !DM_I2C
 	select SYS_I2C_MXC_I2C4 if !DM_I2C
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_PCI
 	imply ID_EEPROM
 
@@ -125,6 +136,10 @@ config ARCH_LS1046A
 	select SYS_I2C_MXC_I2C2 if !DM_I2C
 	select SYS_I2C_MXC_I2C3 if !DM_I2C
 	select SYS_I2C_MXC_I2C4 if !DM_I2C
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply ID_EEPROM
 	imply SCSI
 	imply SCSI_AHCI
@@ -170,6 +185,9 @@ config ARCH_LS1088A
 	select SYS_I2C_MXC_I2C3 if !TFABOOT
 	select SYS_I2C_MXC_I2C4 if !TFABOOT
 	select RESV_RAM if GIC_V3_ITS
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
 	imply ID_EEPROM
 	imply SCSI
 	imply SPL_SYS_I2C_LEGACY
@@ -225,6 +243,9 @@ config ARCH_LS2080A
 	select SYS_I2C_MXC_I2C3 if !TFABOOT
 	select SYS_I2C_MXC_I2C4 if !TFABOOT
 	select RESV_RAM if GIC_V3_ITS
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
 	imply DISTRO_DEFAULTS
 	imply ID_EEPROM
 	imply PANIC_HANG
@@ -258,6 +279,9 @@ config ARCH_LX2162A
 	select BOARD_EARLY_INIT_F
 	select SYS_I2C_MXC
 	select RESV_RAM if GIC_V3_ITS
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
 	imply DISTRO_DEFAULTS
 	imply PANIC_HANG
 	imply SCSI
@@ -294,6 +318,9 @@ config ARCH_LX2160A
 	select BOARD_EARLY_INIT_F
 	select SYS_I2C_MXC
 	select RESV_RAM if GIC_V3_ITS
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
 	imply DISTRO_DEFAULTS
 	imply ID_EEPROM
 	imply PANIC_HANG
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/cpu.c b/arch/arm/cpu/armv8/fsl-layerscape/cpu.c
index 1a359d060e..ccd9116ff8 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/cpu.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/cpu.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2017-2020 NXP
+ * Copyright 2017-2021 NXP
  * Copyright 2014-2015 Freescale Semiconductor, Inc.
  */
 
@@ -48,6 +48,7 @@
 #endif
 #endif
 #include <linux/mii.h>
+#include <dm.h>
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -1649,6 +1650,13 @@ __weak int serdes_misc_init(void)
 
 int arch_misc_init(void)
 {
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
 	serdes_misc_init();
 
 	return 0;
diff --git a/board/freescale/ls1012afrdm/ls1012afrdm.c b/board/freescale/ls1012afrdm/ls1012afrdm.c
index 5dd19cfcd9..bc37c553a5 100644
--- a/board/freescale/ls1012afrdm/ls1012afrdm.c
+++ b/board/freescale/ls1012afrdm/ls1012afrdm.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2017-2018 NXP
+ * Copyright 2017-2018, 2021 NXP
  */
 
 #include <common.h>
@@ -22,7 +22,6 @@
 #include <env_internal.h>
 #include <fsl_mmdc.h>
 #include <netdev.h>
-#include <fsl_sec.h>
 #include <net/pfe_eth/pfe/pfe_hw.h>
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -172,10 +171,6 @@ int board_init(void)
 	if (current_el() == 3)
 		out_le32(&cci->ctrl_ord, CCI400_CTRLORD_EN_BARRIER);
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls1012aqds/ls1012aqds.c b/board/freescale/ls1012aqds/ls1012aqds.c
index 68578e81a5..361bd5c582 100644
--- a/board/freescale/ls1012aqds/ls1012aqds.c
+++ b/board/freescale/ls1012aqds/ls1012aqds.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2016 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -28,7 +29,6 @@
 #include <fsl_mmdc.h>
 #include <spl.h>
 #include <netdev.h>
-#include <fsl_sec.h>
 #include "../common/qixis.h"
 #include "ls1012aqds_qixis.h"
 #include "ls1012aqds_pfe.h"
@@ -150,10 +150,6 @@ int board_init(void)
 	erratum_a010315();
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls1012ardb/ls1012ardb.c b/board/freescale/ls1012ardb/ls1012ardb.c
index 064fb4d39f..456609d993 100644
--- a/board/freescale/ls1012ardb/ls1012ardb.c
+++ b/board/freescale/ls1012ardb/ls1012ardb.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2016 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -27,7 +28,6 @@
 #include <env_internal.h>
 #include <fsl_mmdc.h>
 #include <netdev.h>
-#include <fsl_sec.h>
 #include <net/pfe_eth/pfe/pfe_hw.h>
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -173,10 +173,6 @@ int board_init(void)
 	erratum_a010315();
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls1021aiot/ls1021aiot.c b/board/freescale/ls1021aiot/ls1021aiot.c
index bfe6137604..5ab03b3340 100644
--- a/board/freescale/ls1021aiot/ls1021aiot.c
+++ b/board/freescale/ls1021aiot/ls1021aiot.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2016 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -209,10 +210,7 @@ int misc_init_r(void)
 	device_disable(devdis_tbl, ARRAY_SIZE(devdis_tbl));
 
 #endif
-
-#ifdef CONFIG_FSL_CAAM
-	return sec_init();
-#endif
+	return 0;
 }
 #endif
 
diff --git a/board/freescale/ls1021aqds/ls1021aqds.c b/board/freescale/ls1021aqds/ls1021aqds.c
index fbbd27d9d7..f84b94d946 100644
--- a/board/freescale/ls1021aqds/ls1021aqds.c
+++ b/board/freescale/ls1021aqds/ls1021aqds.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2014 Freescale Semiconductor, Inc.
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include <common.h>
@@ -20,7 +20,6 @@
 #include <mmc.h>
 #include <fsl_csu.h>
 #include <fsl_ifc.h>
-#include <fsl_sec.h>
 #include <spl.h>
 #include <fsl_devdis.h>
 #include <fsl_validate.h>
@@ -386,9 +385,6 @@ int misc_init_r(void)
 
 #ifdef CONFIG_FSL_DEVICE_DISABLE
 	device_disable(devdis_tbl, ARRAY_SIZE(devdis_tbl));
-#endif
-#ifdef CONFIG_FSL_CAAM
-	return sec_init();
 #endif
 	return 0;
 }
diff --git a/board/freescale/ls1021atsn/ls1021atsn.c b/board/freescale/ls1021atsn/ls1021atsn.c
index f31e16c419..f016088670 100644
--- a/board/freescale/ls1021atsn/ls1021atsn.c
+++ b/board/freescale/ls1021atsn/ls1021atsn.c
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0
-/* Copyright 2016-2019 NXP
+/* Copyright 2016-2019, 2021 NXP
  */
 #include <common.h>
 #include <clock_legacy.h>
@@ -238,10 +238,7 @@ int misc_init_r(void)
 #ifdef CONFIG_FSL_DEVICE_DISABLE
 	device_disable(devdis_tbl, ARRAY_SIZE(devdis_tbl));
 #endif
-
-#ifdef CONFIG_FSL_CAAM
-	return sec_init();
-#endif
+	return 0;
 }
 #endif
 
diff --git a/board/freescale/ls1021atwr/ls1021atwr.c b/board/freescale/ls1021atwr/ls1021atwr.c
index f0b441db63..a2a87eaf35 100644
--- a/board/freescale/ls1021atwr/ls1021atwr.c
+++ b/board/freescale/ls1021atwr/ls1021atwr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2014 Freescale Semiconductor, Inc.
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include <common.h>
@@ -26,7 +26,6 @@
 #include <netdev.h>
 #include <fsl_mdio.h>
 #include <tsec.h>
-#include <fsl_sec.h>
 #include <fsl_devdis.h>
 #include <spl.h>
 #include <linux/delay.h>
@@ -555,10 +554,7 @@ int misc_init_r(void)
 #if !defined(CONFIG_QSPI_BOOT) && !defined(CONFIG_SD_BOOT_QSPI)
 	config_board_mux();
 #endif
-
-#ifdef CONFIG_FSL_CAAM
-	return sec_init();
-#endif
+	return 0;
 }
 #endif
 
diff --git a/board/freescale/ls1028a/ls1028a.c b/board/freescale/ls1028a/ls1028a.c
index 486a544d35..71a086ef67 100644
--- a/board/freescale/ls1028a/ls1028a.c
+++ b/board/freescale/ls1028a/ls1028a.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include <common.h>
@@ -73,10 +73,6 @@ u32 get_lpuart_clk(void)
 
 int board_init(void)
 {
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls1043ardb/ls1043ardb.c b/board/freescale/ls1043ardb/ls1043ardb.c
index beef26b084..c7f214c236 100644
--- a/board/freescale/ls1043ardb/ls1043ardb.c
+++ b/board/freescale/ls1043ardb/ls1043ardb.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2015 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -20,7 +21,6 @@
 #include <fm_eth.h>
 #include <fsl_esdhc.h>
 #include <fsl_ifc.h>
-#include <fsl_sec.h>
 #include "cpld.h"
 #ifdef CONFIG_U_QE
 #include <fsl_qe.h>
@@ -211,10 +211,6 @@ int board_init(void)
 	out_le32(SMMU_NSCR0, val);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls1046afrwy/ls1046afrwy.c b/board/freescale/ls1046afrwy/ls1046afrwy.c
index f1c08a13f7..5a298cd311 100644
--- a/board/freescale/ls1046afrwy/ls1046afrwy.c
+++ b/board/freescale/ls1046afrwy/ls1046afrwy.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include <common.h>
@@ -20,7 +20,6 @@
 #include <fm_eth.h>
 #include <fsl_csu.h>
 #include <fsl_esdhc.h>
-#include <fsl_sec.h>
 #include <fsl_dspi.h>
 #include "../common/i2c_mux.h"
 
@@ -135,10 +134,6 @@ val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK);
 	out_le32(SMMU_NSCR0, val);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 	select_i2c_ch_pca9547(I2C_MUX_CH_DEFAULT, 0);
 	return 0;
 }
diff --git a/board/freescale/ls1046aqds/ls1046aqds.c b/board/freescale/ls1046aqds/ls1046aqds.c
index cc95d441b6..79658693ab 100644
--- a/board/freescale/ls1046aqds/ls1046aqds.c
+++ b/board/freescale/ls1046aqds/ls1046aqds.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2016 Freescale Semiconductor, Inc.
- * Copyright 2019-2020 NXP
+ * Copyright 2019-2021 NXP
  */
 
 #include <common.h>
@@ -27,7 +27,6 @@
 #include <fsl_csu.h>
 #include <fsl_esdhc.h>
 #include <fsl_ifc.h>
-#include <fsl_sec.h>
 #include <spl.h>
 #include "../common/i2c_mux.h"
 
@@ -420,10 +419,6 @@ int board_init(void)
 	out_le32(SMMU_NSCR0, val);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 	return 0;
 }
 
diff --git a/board/freescale/ls1046ardb/ls1046ardb.c b/board/freescale/ls1046ardb/ls1046ardb.c
index 93ef903f29..2e9a6d44eb 100644
--- a/board/freescale/ls1046ardb/ls1046ardb.c
+++ b/board/freescale/ls1046ardb/ls1046ardb.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2016 Freescale Semiconductor, Inc.
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -23,7 +24,6 @@
 #include <fsl_esdhc.h>
 #include <power/mc34vr500_pmic.h>
 #include "cpld.h"
-#include <fsl_sec.h>
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -85,10 +85,6 @@ int board_init(void)
 	out_le32(SMMU_NSCR0, val);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls1088a/ls1088a.c b/board/freescale/ls1088a/ls1088a.c
index 7046fbaeb5..b8bc8f0d5a 100644
--- a/board/freescale/ls1088a/ls1088a.c
+++ b/board/freescale/ls1088a/ls1088a.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2017-2018 NXP
+ * Copyright 2017-2018, 2021 NXP
  */
 #include <common.h>
 #include <env.h>
@@ -12,7 +12,6 @@
 #include <netdev.h>
 #include <fsl_ifc.h>
 #include <fsl_ddr.h>
-#include <fsl_sec.h>
 #include <asm/global_data.h>
 #include <asm/io.h>
 #include <fdt_support.h>
@@ -815,9 +814,6 @@ int board_init(void)
 	out_le32(irq_ccsr + IRQCR_OFFSET / 4, AQR105_IRQ_MASK);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls2080aqds/ls2080aqds.c b/board/freescale/ls2080aqds/ls2080aqds.c
index 2f0139edef..5cc5d06823 100644
--- a/board/freescale/ls2080aqds/ls2080aqds.c
+++ b/board/freescale/ls2080aqds/ls2080aqds.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2015 Freescale Semiconductor
+ * Copyright 2021 NXP
  */
 #include <common.h>
 #include <env.h>
@@ -20,7 +21,6 @@
 #include <rtc.h>
 #include <asm/arch/soc.h>
 #include <hwconfig.h>
-#include <fsl_sec.h>
 #include <asm/arch/ppa.h>
 #include <asm/arch-fsl-layerscape/fsl_icid.h>
 #include "../common/i2c_mux.h"
@@ -221,10 +221,6 @@ int board_init(void)
 #endif
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
diff --git a/board/freescale/ls2080ardb/ls2080ardb.c b/board/freescale/ls2080ardb/ls2080ardb.c
index bf660a8e65..e657097ba7 100644
--- a/board/freescale/ls2080ardb/ls2080ardb.c
+++ b/board/freescale/ls2080ardb/ls2080ardb.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2015 Freescale Semiconductor
- * Copyright 2017 NXP
+ * Copyright 2017, 2021 NXP
  */
 #include <common.h>
 #include <env.h>
@@ -23,7 +23,6 @@
 #include <asm/arch/mmu.h>
 #include <asm/arch/soc.h>
 #include <asm/arch/ppa.h>
-#include <fsl_sec.h>
 #include <asm/arch-fsl-layerscape/fsl_icid.h>
 #include "../common/i2c_mux.h"
 
@@ -287,9 +286,6 @@ int board_init(void)
 	QIXIS_WRITE(rst_ctl, QIXIS_RST_CTL_RESET_EN);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
 #ifdef CONFIG_FSL_LS_PPA
 	ppa_init();
 #endif
@@ -298,9 +294,6 @@ int board_init(void)
 	/* invert AQR405 IRQ pins polarity */
 	out_le32(irq_ccsr + IRQCR_OFFSET / 4, AQR405_IRQ_MASK);
 #endif
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
 
 #if !defined(CONFIG_SYS_EARLY_PCI_INIT) && defined(CONFIG_DM_ETH)
 	pci_init();
diff --git a/board/freescale/lx2160a/lx2160a.c b/board/freescale/lx2160a/lx2160a.c
index bda665624d..c8a47c6bae 100644
--- a/board/freescale/lx2160a/lx2160a.c
+++ b/board/freescale/lx2160a/lx2160a.c
@@ -14,7 +14,6 @@
 #include <errno.h>
 #include <netdev.h>
 #include <fsl_ddr.h>
-#include <fsl_sec.h>
 #include <asm/io.h>
 #include <fdt_support.h>
 #include <linux/bitops.h>
@@ -596,10 +595,6 @@ int board_init(void)
 	out_le32(irq_ccsr + IRQCR_OFFSET / 4, AQR107_IRQ_MASK);
 #endif
 
-#ifdef CONFIG_FSL_CAAM
-	sec_init();
-#endif
-
 #if !defined(CONFIG_SYS_EARLY_PCI_INIT) && defined(CONFIG_DM_ETH)
 	pci_init();
 #endif
diff --git a/configs/ls1021aiot_qspi_defconfig b/configs/ls1021aiot_qspi_defconfig
index 2a999e8798..c59ccd37f3 100644
--- a/configs/ls1021aiot_qspi_defconfig
+++ b/configs/ls1021aiot_qspi_defconfig
@@ -36,7 +36,6 @@ CONFIG_ENV_IS_IN_SPI_FLASH=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DM_I2C=y
 CONFIG_SPL_SYS_I2C_LEGACY=y
 CONFIG_I2C_SET_DEFAULT_BUS_NUM=y
diff --git a/configs/ls1021aqds_nor_defconfig b/configs/ls1021aqds_nor_defconfig
index 3a2fe03139..f0236e35d8 100644
--- a/configs/ls1021aqds_nor_defconfig
+++ b/configs/ls1021aqds_nor_defconfig
@@ -50,7 +50,6 @@ CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0x60300000
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DYNAMIC_DDR_CLK_FREQ=y
 CONFIG_SYS_FSL_DDR3=y
 CONFIG_DDR_ECC=y
diff --git a/configs/ls1021aqds_qspi_defconfig b/configs/ls1021aqds_qspi_defconfig
index a787ce0b7c..73c78753f9 100644
--- a/configs/ls1021aqds_qspi_defconfig
+++ b/configs/ls1021aqds_qspi_defconfig
@@ -50,7 +50,6 @@ CONFIG_ENV_IS_IN_SPI_FLASH=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_SYS_FSL_DDR3=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/ls1021atsn_qspi_defconfig b/configs/ls1021atsn_qspi_defconfig
index d92fdf4a15..5abf6cdbb9 100644
--- a/configs/ls1021atsn_qspi_defconfig
+++ b/configs/ls1021atsn_qspi_defconfig
@@ -36,7 +36,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_SPI_FLASH=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DM_I2C=y
 CONFIG_SPL_SYS_I2C_LEGACY=y
 CONFIG_I2C_SET_DEFAULT_BUS_NUM=y
diff --git a/configs/ls1021atwr_nor_defconfig b/configs/ls1021atwr_nor_defconfig
index 548ec897bc..10026d0549 100644
--- a/configs/ls1021atwr_nor_defconfig
+++ b/configs/ls1021atwr_nor_defconfig
@@ -44,7 +44,6 @@ CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0x60300000
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DM_I2C=y
 CONFIG_SPL_SYS_I2C_LEGACY=y
 CONFIG_I2C_SET_DEFAULT_BUS_NUM=y
diff --git a/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
index 404b33f938..e6c12c9104 100644
--- a/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
+++ b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
@@ -61,6 +61,7 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_DM=y
 CONFIG_SPL_DM=y
+CONFIG_SPL_OF_CONTROL=y
 # CONFIG_SPL_BLK is not set
 CONFIG_DM_I2C=y
 # CONFIG_SPL_DM_I2C is not set
diff --git a/configs/ls1028ardb_tfa_defconfig b/configs/ls1028ardb_tfa_defconfig
index 035974afd8..d447358107 100644
--- a/configs/ls1028ardb_tfa_defconfig
+++ b/configs/ls1028ardb_tfa_defconfig
@@ -48,7 +48,6 @@ CONFIG_NETCONSOLE=y
 CONFIG_DM=y
 CONFIG_SCSI_AHCI=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 # CONFIG_DDR_SPD is not set
 CONFIG_DM_I2C=y
 CONFIG_I2C_SET_DEFAULT_BUS_NUM=y
diff --git a/configs/ls1043ardb_tfa_defconfig b/configs/ls1043ardb_tfa_defconfig
index 7e741c7183..a0474ac2e3 100644
--- a/configs/ls1043ardb_tfa_defconfig
+++ b/configs/ls1043ardb_tfa_defconfig
@@ -41,7 +41,6 @@ CONFIG_ENV_IS_IN_MMC=y
 CONFIG_ENV_IS_IN_NAND=y
 CONFIG_ENV_ADDR=0x60500000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 # CONFIG_DDR_SPD is not set
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
 CONFIG_DM_I2C=y
diff --git a/configs/ls1046afrwy_tfa_defconfig b/configs/ls1046afrwy_tfa_defconfig
index 85db989f96..9d60bd199a 100644
--- a/configs/ls1046afrwy_tfa_defconfig
+++ b/configs/ls1046afrwy_tfa_defconfig
@@ -39,7 +39,6 @@ CONFIG_ENV_ADDR=0x40500000
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 # CONFIG_DDR_SPD is not set
 CONFIG_DM_I2C=y
 CONFIG_I2C_SET_DEFAULT_BUS_NUM=y
diff --git a/configs/ls1046aqds_tfa_defconfig b/configs/ls1046aqds_tfa_defconfig
index 4bf413c0eb..0a2d317c8b 100644
--- a/configs/ls1046aqds_tfa_defconfig
+++ b/configs/ls1046aqds_tfa_defconfig
@@ -55,7 +55,6 @@ CONFIG_ENV_ADDR=0x60500000
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DYNAMIC_DDR_CLK_FREQ=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/ls1046ardb_tfa_defconfig b/configs/ls1046ardb_tfa_defconfig
index 3501764e6f..10093b59d4 100644
--- a/configs/ls1046ardb_tfa_defconfig
+++ b/configs/ls1046ardb_tfa_defconfig
@@ -44,7 +44,6 @@ CONFIG_ENV_ADDR=0x40500000
 CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
 CONFIG_DM_I2C=y
diff --git a/configs/ls2088aqds_tfa_defconfig b/configs/ls2088aqds_tfa_defconfig
index 6821ed1a45..fb2fc3d0f7 100644
--- a/configs/ls2088aqds_tfa_defconfig
+++ b/configs/ls2088aqds_tfa_defconfig
@@ -51,7 +51,6 @@ CONFIG_SYS_RELOC_GD_ENV_ADDR=y
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DYNAMIC_DDR_CLK_FREQ=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/ls2088ardb_tfa_defconfig b/configs/ls2088ardb_tfa_defconfig
index 8e76f59b92..6a99143e54 100644
--- a/configs/ls2088ardb_tfa_defconfig
+++ b/configs/ls2088ardb_tfa_defconfig
@@ -49,7 +49,6 @@ CONFIG_ENV_ADDR=0x580500000
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_CLK_FREQ=133333333
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/lx2160aqds_tfa_defconfig b/configs/lx2160aqds_tfa_defconfig
index ddcf681255..9b6c7323cb 100644
--- a/configs/lx2160aqds_tfa_defconfig
+++ b/configs/lx2160aqds_tfa_defconfig
@@ -51,7 +51,6 @@ CONFIG_ENV_ADDR=0x20500000
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DYNAMIC_DDR_CLK_FREQ=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/lx2160ardb_tfa_defconfig b/configs/lx2160ardb_tfa_defconfig
index d81a4b10b1..9bf92881be 100644
--- a/configs/lx2160ardb_tfa_defconfig
+++ b/configs/lx2160ardb_tfa_defconfig
@@ -50,7 +50,6 @@ CONFIG_ENV_ADDR=0x20500000
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DYNAMIC_DDR_CLK_FREQ=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/lx2162aqds_tfa_defconfig b/configs/lx2162aqds_tfa_defconfig
index 2028bfc524..441932417a 100644
--- a/configs/lx2162aqds_tfa_defconfig
+++ b/configs/lx2162aqds_tfa_defconfig
@@ -53,7 +53,6 @@ CONFIG_ENV_ADDR=0x20500000
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_DM=y
 CONFIG_SATA_CEVA=y
-CONFIG_FSL_CAAM=y
 CONFIG_DYNAMIC_DDR_CLK_FREQ=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
-- 
2.17.1

[PATCH v5 14/16] PPC: Add crypto node in device tree

[Gaurav Jain]

device tree imported from linux kernel.
c500bee1c5b2 (tag: v5.14-rc4) Linux 5.14-rc4

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
---
 arch/powerpc/dts/p2041si-post.dtsi   |  1 +
 arch/powerpc/dts/p3041si-post.dtsi   |  1 +
 arch/powerpc/dts/p4080si-post.dtsi   |  1 +
 arch/powerpc/dts/p5040si-post.dtsi   |  1 +
 arch/powerpc/dts/qoriq-sec4.0-0.dtsi | 74 ++++++++++++++++++++++
 arch/powerpc/dts/qoriq-sec4.2-0.dtsi | 83 +++++++++++++++++++++++++
 arch/powerpc/dts/qoriq-sec5.2-0.dtsi | 92 ++++++++++++++++++++++++++++
 arch/powerpc/dts/t1023si-post.dtsi   |  1 +
 arch/powerpc/dts/t1042si-post.dtsi   |  1 +
 arch/powerpc/dts/t2080si-post.dtsi   |  1 +
 arch/powerpc/dts/t4240si-post.dtsi   |  1 +
 11 files changed, 257 insertions(+)
 create mode 100644 arch/powerpc/dts/qoriq-sec4.0-0.dtsi
 create mode 100644 arch/powerpc/dts/qoriq-sec4.2-0.dtsi
 create mode 100644 arch/powerpc/dts/qoriq-sec5.2-0.dtsi

diff --git a/arch/powerpc/dts/p2041si-post.dtsi b/arch/powerpc/dts/p2041si-post.dtsi
index 01ab395950..8819199646 100644
--- a/arch/powerpc/dts/p2041si-post.dtsi
+++ b/arch/powerpc/dts/p2041si-post.dtsi
@@ -11,6 +11,7 @@
 
 /include/ "qoriq-clockgen1.dtsi"
 /include/ "qoriq-gpio-0.dtsi"
+/include/ "qoriq-sec4.2-0.dtsi"
 
 /* include used FMan blocks */
 /include/ "qoriq-fman-0.dtsi"
diff --git a/arch/powerpc/dts/p3041si-post.dtsi b/arch/powerpc/dts/p3041si-post.dtsi
index 21f322f06f..a3e8088d25 100644
--- a/arch/powerpc/dts/p3041si-post.dtsi
+++ b/arch/powerpc/dts/p3041si-post.dtsi
@@ -11,6 +11,7 @@
 
 /include/ "qoriq-clockgen1.dtsi"
 /include/ "qoriq-gpio-0.dtsi"
+/include/ "qoriq-sec4.2-0.dtsi"
 
 /* include used FMan blocks */
 /include/ "qoriq-fman-0.dtsi"
diff --git a/arch/powerpc/dts/p4080si-post.dtsi b/arch/powerpc/dts/p4080si-post.dtsi
index 7c3f2fb92e..56b79b14f4 100644
--- a/arch/powerpc/dts/p4080si-post.dtsi
+++ b/arch/powerpc/dts/p4080si-post.dtsi
@@ -11,6 +11,7 @@
 
 /include/ "qoriq-clockgen1.dtsi"
 /include/ "qoriq-gpio-0.dtsi"
+/include/ "qoriq-sec4.0-0.dtsi"
 
 /* include used FMan blocks */
 /include/ "qoriq-fman-0.dtsi"
diff --git a/arch/powerpc/dts/p5040si-post.dtsi b/arch/powerpc/dts/p5040si-post.dtsi
index 1efad2d017..fae3ed31a5 100644
--- a/arch/powerpc/dts/p5040si-post.dtsi
+++ b/arch/powerpc/dts/p5040si-post.dtsi
@@ -11,6 +11,7 @@
 
 /include/ "qoriq-clockgen1.dtsi"
 /include/ "qoriq-gpio-0.dtsi"
+/include/ "qoriq-sec5.2-0.dtsi"
 
 /* include used FMan blocks */
 /include/ "qoriq-fman-0.dtsi"
diff --git a/arch/powerpc/dts/qoriq-sec4.0-0.dtsi b/arch/powerpc/dts/qoriq-sec4.0-0.dtsi
new file mode 100644
index 0000000000..ff348d70f1
--- /dev/null
+++ b/arch/powerpc/dts/qoriq-sec4.0-0.dtsi
@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: (GPL-2.0-or-later OR BSD-3-Clause)
+/*
+ * QorIQ Sec/Crypto 4.0 device tree stub [ controller @ offset 0x300000 ]
+ *
+ * Copyright 2011 Freescale Semiconductor Inc.
+ */
+
+crypto: crypto@300000 {
+	compatible = "fsl,sec-v4.0";
+	fsl,sec-era = <1>;
+	#address-cells = <1>;
+	#size-cells = <1>;
+	reg = <0x300000 0x10000>;
+	ranges = <0 0x300000 0x10000>;
+	interrupts = <92 2 0 0>;
+
+	sec_jr0: jr@1000 {
+		compatible = "fsl,sec-v4.0-job-ring";
+		reg = <0x1000 0x1000>;
+		interrupts = <88 2 0 0>;
+	};
+
+	sec_jr1: jr@2000 {
+		compatible = "fsl,sec-v4.0-job-ring";
+		reg = <0x2000 0x1000>;
+		interrupts = <89 2 0 0>;
+	};
+
+	sec_jr2: jr@3000 {
+		compatible = "fsl,sec-v4.0-job-ring";
+		reg = <0x3000 0x1000>;
+		interrupts = <90 2 0 0>;
+	};
+
+	sec_jr3: jr@4000 {
+		compatible = "fsl,sec-v4.0-job-ring";
+		reg = <0x4000 0x1000>;
+		interrupts = <91 2 0 0>;
+	};
+
+	rtic@6000 {
+		compatible = "fsl,sec-v4.0-rtic";
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0x6000 0x100>;
+		ranges = <0x0 0x6100 0xe00>;
+
+		rtic_a: rtic-a@0 {
+			compatible = "fsl,sec-v4.0-rtic-memory";
+			reg = <0x00 0x20 0x100 0x80>;
+		};
+
+		rtic_b: rtic-b@20 {
+			compatible = "fsl,sec-v4.0-rtic-memory";
+			reg = <0x20 0x20 0x200 0x80>;
+		};
+
+		rtic_c: rtic-c@40 {
+			compatible = "fsl,sec-v4.0-rtic-memory";
+			reg = <0x40 0x20 0x300 0x80>;
+		};
+
+		rtic_d: rtic-d@60 {
+			compatible = "fsl,sec-v4.0-rtic-memory";
+			reg = <0x60 0x20 0x500 0x80>;
+		};
+	};
+};
+
+sec_mon: sec_mon@314000 {
+	compatible = "fsl,sec-v4.0-mon";
+	reg = <0x314000 0x1000>;
+	interrupts = <93 2 0 0>;
+};
diff --git a/arch/powerpc/dts/qoriq-sec4.2-0.dtsi b/arch/powerpc/dts/qoriq-sec4.2-0.dtsi
new file mode 100644
index 0000000000..57a0bc5c56
--- /dev/null
+++ b/arch/powerpc/dts/qoriq-sec4.2-0.dtsi
@@ -0,0 +1,83 @@
+// SPDX-License-Identifier: (GPL-2.0-or-later OR BSD-3-Clause)
+/*
+ * QorIQ Sec/Crypto 4.2 device tree stub [ controller @ offset 0x300000 ]
+ *
+ * Copyright 2011 Freescale Semiconductor Inc.
+ */
+
+crypto: crypto@300000 {
+	compatible = "fsl,sec-v4.2", "fsl,sec-v4.0";
+	fsl,sec-era = <3>;
+	#address-cells = <1>;
+	#size-cells = <1>;
+	reg		 = <0x300000 0x10000>;
+	ranges		 = <0 0x300000 0x10000>;
+	interrupts	 = <92 2 0 0>;
+
+	sec_jr0: jr@1000 {
+		compatible = "fsl,sec-v4.2-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x1000 0x1000>;
+		interrupts = <88 2 0 0>;
+	};
+
+	sec_jr1: jr@2000 {
+		compatible = "fsl,sec-v4.2-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x2000 0x1000>;
+		interrupts = <89 2 0 0>;
+	};
+
+	sec_jr2: jr@3000 {
+		compatible = "fsl,sec-v4.2-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x3000 0x1000>;
+		interrupts = <90 2 0 0>;
+	};
+
+	sec_jr3: jr@4000 {
+		compatible = "fsl,sec-v4.2-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x4000 0x1000>;
+		interrupts = <91 2 0 0>;
+	};
+
+	rtic@6000 {
+		compatible = "fsl,sec-v4.2-rtic",
+			     "fsl,sec-v4.0-rtic";
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0x6000 0x100>;
+		ranges = <0x0 0x6100 0xe00>;
+
+		rtic_a: rtic-a@0 {
+			compatible = "fsl,sec-v4.2-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x00 0x20 0x100 0x80>;
+		};
+
+		rtic_b: rtic-b@20 {
+			compatible = "fsl,sec-v4.2-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x20 0x20 0x200 0x80>;
+		};
+
+		rtic_c: rtic-c@40 {
+			compatible = "fsl,sec-v4.2-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x40 0x20 0x300 0x80>;
+		};
+
+		rtic_d: rtic-d@60 {
+			compatible = "fsl,sec-v4.2-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x60 0x20 0x500 0x80>;
+		};
+	};
+};
+
+sec_mon: sec_mon@314000 {
+	compatible = "fsl,sec-v4.2-mon", "fsl,sec-v4.0-mon";
+	reg = <0x314000 0x1000>;
+	interrupts = <93 2 0 0>;
+};
diff --git a/arch/powerpc/dts/qoriq-sec5.2-0.dtsi b/arch/powerpc/dts/qoriq-sec5.2-0.dtsi
new file mode 100644
index 0000000000..e5f87effd3
--- /dev/null
+++ b/arch/powerpc/dts/qoriq-sec5.2-0.dtsi
@@ -0,0 +1,92 @@
+// SPDX-License-Identifier: (GPL-2.0-or-later OR BSD-3-Clause)
+/*
+ * QorIQ Sec/Crypto 5.2 device tree stub [ controller @ offset 0x300000 ]
+ *
+ * Copyright 2011-2012 Freescale Semiconductor Inc.
+ */
+
+crypto: crypto@300000 {
+	compatible = "fsl,sec-v5.2", "fsl,sec-v5.0", "fsl,sec-v4.0";
+	fsl,sec-era = <5>;
+	#address-cells = <1>;
+	#size-cells = <1>;
+	reg		 = <0x300000 0x10000>;
+	ranges		 = <0 0x300000 0x10000>;
+	interrupts	 = <92 2 0 0>;
+
+	sec_jr0: jr@1000 {
+		compatible = "fsl,sec-v5.2-job-ring",
+			     "fsl,sec-v5.0-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x1000 0x1000>;
+		interrupts = <88 2 0 0>;
+	};
+
+	sec_jr1: jr@2000 {
+		compatible = "fsl,sec-v5.2-job-ring",
+			     "fsl,sec-v5.0-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x2000 0x1000>;
+		interrupts = <89 2 0 0>;
+	};
+
+	sec_jr2: jr@3000 {
+		compatible = "fsl,sec-v5.2-job-ring",
+			     "fsl,sec-v5.0-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x3000 0x1000>;
+		interrupts = <90 2 0 0>;
+	};
+
+	sec_jr3: jr@4000 {
+		compatible = "fsl,sec-v5.2-job-ring",
+			     "fsl,sec-v5.0-job-ring",
+			     "fsl,sec-v4.0-job-ring";
+		reg = <0x4000 0x1000>;
+		interrupts = <91 2 0 0>;
+	};
+
+	rtic@6000 {
+		compatible = "fsl,sec-v5.2-rtic",
+			     "fsl,sec-v5.0-rtic",
+			     "fsl,sec-v4.0-rtic";
+		#address-cells = <1>;
+		#size-cells = <1>;
+		reg = <0x6000 0x100>;
+		ranges = <0x0 0x6100 0xe00>;
+
+		rtic_a: rtic-a@0 {
+			compatible = "fsl,sec-v5.2-rtic-memory",
+				     "fsl,sec-v5.0-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x00 0x20 0x100 0x80>;
+		};
+
+		rtic_b: rtic-b@20 {
+			compatible = "fsl,sec-v5.2-rtic-memory",
+				     "fsl,sec-v5.0-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x20 0x20 0x200 0x80>;
+		};
+
+		rtic_c: rtic-c@40 {
+			compatible = "fsl,sec-v5.2-rtic-memory",
+				     "fsl,sec-v5.0-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x40 0x20 0x300 0x80>;
+		};
+
+		rtic_d: rtic-d@60 {
+			compatible = "fsl,sec-v5.2-rtic-memory",
+				     "fsl,sec-v5.0-rtic-memory",
+				     "fsl,sec-v4.0-rtic-memory";
+			reg = <0x60 0x20 0x500 0x80>;
+		};
+	};
+};
+
+sec_mon: sec_mon@314000 {
+	compatible = "fsl,sec-v5.2-mon", "fsl,sec-v5.0-mon", "fsl,sec-v4.0-mon";
+	reg = <0x314000 0x1000>;
+	interrupts = <93 2 0 0>;
+};
diff --git a/arch/powerpc/dts/t1023si-post.dtsi b/arch/powerpc/dts/t1023si-post.dtsi
index 7284eb9791..6f666a1554 100644
--- a/arch/powerpc/dts/t1023si-post.dtsi
+++ b/arch/powerpc/dts/t1023si-post.dtsi
@@ -14,6 +14,7 @@
 /include/ "qoriq-gpio-1.dtsi"
 /include/ "qoriq-gpio-2.dtsi"
 /include/ "qoriq-gpio-3.dtsi"
+/include/ "qoriq-sec5.0-0.dtsi"
 
 /* include used FMan blocks */
 /include/ "qoriq-fman3l-0.dtsi"
diff --git a/arch/powerpc/dts/t1042si-post.dtsi b/arch/powerpc/dts/t1042si-post.dtsi
index 5c60944e60..eebbbaf0e1 100644
--- a/arch/powerpc/dts/t1042si-post.dtsi
+++ b/arch/powerpc/dts/t1042si-post.dtsi
@@ -12,6 +12,7 @@
 /include/ "qoriq-gpio-1.dtsi"
 /include/ "qoriq-gpio-2.dtsi"
 /include/ "qoriq-gpio-3.dtsi"
+/include/ "qoriq-sec5.0-0.dtsi"
 
 /include/ "qoriq-fman3l-0.dtsi"
 /include/ "qoriq-fman3-0-1g-0.dtsi"
diff --git a/arch/powerpc/dts/t2080si-post.dtsi b/arch/powerpc/dts/t2080si-post.dtsi
index d8ef579cb7..c06526b3db 100644
--- a/arch/powerpc/dts/t2080si-post.dtsi
+++ b/arch/powerpc/dts/t2080si-post.dtsi
@@ -13,6 +13,7 @@
 /include/ "qoriq-gpio-1.dtsi"
 /include/ "qoriq-gpio-2.dtsi"
 /include/ "qoriq-gpio-3.dtsi"
+/include/ "qoriq-sec5.2-0.dtsi"
 
 /include/ "qoriq-fman3-0.dtsi"
 /include/ "qoriq-fman3-0-10g-0-best-effort.dtsi"
diff --git a/arch/powerpc/dts/t4240si-post.dtsi b/arch/powerpc/dts/t4240si-post.dtsi
index a596f48b54..9fa99ae771 100644
--- a/arch/powerpc/dts/t4240si-post.dtsi
+++ b/arch/powerpc/dts/t4240si-post.dtsi
@@ -12,6 +12,7 @@
 /include/ "qoriq-gpio-1.dtsi"
 /include/ "qoriq-gpio-2.dtsi"
 /include/ "qoriq-gpio-3.dtsi"
+/include/ "qoriq-sec5.0-0.dtsi"
 
 /include/ "qoriq-fman3-0.dtsi"
 /include/ "qoriq-fman3-0-1g-0.dtsi"
-- 
2.17.1

[PATCH v5 15/16] PPC: Enable Job ring driver model in U-Boot

[Gaurav Jain]

removed sec_init() call and CONFIG_FSL_CAAM from defconfig.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
---
 arch/powerpc/cpu/mpc85xx/Kconfig      | 44 +++++++++++++++++++++++++++
 arch/powerpc/cpu/mpc85xx/cpu_init.c   | 17 +++++++++--
 arch/powerpc/include/asm/u-boot-ppc.h | 17 +++++++++++
 arch/powerpc/include/asm/u-boot.h     |  1 +
 configs/P2041RDB_defconfig            |  1 -
 configs/P3041DS_defconfig             |  1 -
 configs/P4080DS_defconfig             |  1 -
 configs/P5040DS_defconfig             |  1 -
 configs/T1024RDB_defconfig            |  1 -
 configs/T1042D4RDB_defconfig          |  1 -
 configs/T2080QDS_defconfig            |  1 -
 configs/T2080RDB_defconfig            |  1 -
 configs/T4240RDB_defconfig            |  1 -
 13 files changed, 77 insertions(+), 11 deletions(-)
 create mode 100644 arch/powerpc/include/asm/u-boot-ppc.h

diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig b/arch/powerpc/cpu/mpc85xx/Kconfig
index 836aeddbe2..aaf599f616 100644
--- a/arch/powerpc/cpu/mpc85xx/Kconfig
+++ b/arch/powerpc/cpu/mpc85xx/Kconfig
@@ -25,6 +25,10 @@ config TARGET_P3041DS
 	select PHYS_64BIT
 	select ARCH_P3041
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_SATA
 	imply PANIC_HANG
 
@@ -33,6 +37,10 @@ config TARGET_P4080DS
 	select PHYS_64BIT
 	select ARCH_P4080
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_SATA
 	imply PANIC_HANG
 
@@ -41,6 +49,10 @@ config TARGET_P5040DS
 	select PHYS_64BIT
 	select ARCH_P5040
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_SATA
 	imply PANIC_HANG
 
@@ -102,6 +114,10 @@ config TARGET_P2041RDB
 	select ARCH_P2041
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
 	select PHYS_64BIT
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_SATA
 	imply FSL_SATA
 
@@ -117,6 +133,10 @@ config TARGET_T1024RDB
 	select SUPPORT_SPL
 	select PHYS_64BIT
 	select FSL_DDR_INTERACTIVE
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_EEPROM
 	imply PANIC_HANG
 
@@ -126,6 +146,10 @@ config TARGET_T1042RDB
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
 	select SUPPORT_SPL
 	select PHYS_64BIT
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 
 config TARGET_T1042D4RDB
 	bool "Support T1042D4RDB"
@@ -133,6 +157,10 @@ config TARGET_T1042D4RDB
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
 	select SUPPORT_SPL
 	select PHYS_64BIT
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply PANIC_HANG
 
 config TARGET_T1042RDB_PI
@@ -141,6 +169,10 @@ config TARGET_T1042RDB_PI
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
 	select SUPPORT_SPL
 	select PHYS_64BIT
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply PANIC_HANG
 
 config TARGET_T2080QDS
@@ -151,6 +183,10 @@ config TARGET_T2080QDS
 	select PHYS_64BIT
 	select FSL_DDR_FIRST_SLOT_QUAD_CAPABLE
 	select FSL_DDR_INTERACTIVE
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_SATA
 
 config TARGET_T2080RDB
@@ -159,6 +195,10 @@ config TARGET_T2080RDB
 	select BOARD_LATE_INIT if CHAIN_OF_TRUST
 	select SUPPORT_SPL
 	select PHYS_64BIT
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_SATA
 	imply PANIC_HANG
 
@@ -168,6 +208,10 @@ config TARGET_T4240RDB
 	select SUPPORT_SPL
 	select PHYS_64BIT
 	select FSL_DDR_FIRST_SLOT_QUAD_CAPABLE
+	select FSL_CAAM
+	select FSL_BLOB
+	select MISC
+	select ARCH_MISC_INIT
 	imply CMD_SATA
 	imply PANIC_HANG
 
diff --git a/arch/powerpc/cpu/mpc85xx/cpu_init.c b/arch/powerpc/cpu/mpc85xx/cpu_init.c
index e920e01b25..728c6447a8 100644
--- a/arch/powerpc/cpu/mpc85xx/cpu_init.c
+++ b/arch/powerpc/cpu/mpc85xx/cpu_init.c
@@ -56,6 +56,7 @@
 #ifdef CONFIG_U_QE
 #include <fsl_qe.h>
 #endif
+#include <dm.h>
 
 #ifdef CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
 /*
@@ -974,8 +975,6 @@ int cpu_init_r(void)
 #endif
 
 #ifdef CONFIG_FSL_CAAM
-	sec_init();
-
 #if defined(CONFIG_ARCH_C29X)
 	if ((SVR_SOC_VER(svr) == SVR_C292) ||
 	    (SVR_SOC_VER(svr) == SVR_C293))
@@ -1014,6 +1013,20 @@ int cpu_init_r(void)
 	return 0;
 }
 
+#ifdef CONFIG_ARCH_MISC_INIT
+int arch_misc_init(void)
+{
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device_by_driver(UCLASS_MISC, DM_DRIVER_GET(caam_jr), &dev);
+	if (ret)
+		printf("Failed to initialize %s: %d\n", dev->name, ret);
+
+	return 0;
+}
+#endif
+
 void arch_preboot_os(void)
 {
 	u32 msr;
diff --git a/arch/powerpc/include/asm/u-boot-ppc.h b/arch/powerpc/include/asm/u-boot-ppc.h
new file mode 100644
index 0000000000..372ca3e037
--- /dev/null
+++ b/arch/powerpc/include/asm/u-boot-ppc.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright 2021 NXP
+ *
+ * Gaurav Jain <gaurav.jain@nxp.com>
+ */
+
+#ifndef _U_BOOT_PPC_H_
+#define _U_BOOT_PPC_H_
+
+#ifndef __ASSEMBLY__
+
+int arch_misc_init(void);
+
+#endif /* __ASSEMBLY__ */
+
+#endif /* _U_BOOT_PPC_H_ */
diff --git a/arch/powerpc/include/asm/u-boot.h b/arch/powerpc/include/asm/u-boot.h
index 19b3c0db5f..36af8e5403 100644
--- a/arch/powerpc/include/asm/u-boot.h
+++ b/arch/powerpc/include/asm/u-boot.h
@@ -21,5 +21,6 @@
 /* Use the generic board which requires a unified bd_info */
 #include <asm-generic/u-boot.h>
 #include <asm/ppc.h>
+#include <asm/u-boot-ppc.h>
 
 #endif	/* __U_BOOT_H__ */
diff --git a/configs/P2041RDB_defconfig b/configs/P2041RDB_defconfig
index 7b430f69e2..7c82812b28 100644
--- a/configs/P2041RDB_defconfig
+++ b/configs/P2041RDB_defconfig
@@ -34,7 +34,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DM_I2C=y
 CONFIG_I2C_SET_DEFAULT_BUS_NUM=y
 CONFIG_SYS_I2C_FSL=y
diff --git a/configs/P3041DS_defconfig b/configs/P3041DS_defconfig
index 821a7c3bc1..fcd0214c71 100644
--- a/configs/P3041DS_defconfig
+++ b/configs/P3041DS_defconfig
@@ -32,7 +32,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
 CONFIG_DM_I2C=y
diff --git a/configs/P4080DS_defconfig b/configs/P4080DS_defconfig
index 564f28caba..723ef1c457 100644
--- a/configs/P4080DS_defconfig
+++ b/configs/P4080DS_defconfig
@@ -32,7 +32,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
 CONFIG_DM_I2C=y
diff --git a/configs/P5040DS_defconfig b/configs/P5040DS_defconfig
index 79c6e466c7..0a13763d71 100644
--- a/configs/P5040DS_defconfig
+++ b/configs/P5040DS_defconfig
@@ -32,7 +32,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
 CONFIG_DM_I2C=y
diff --git a/configs/T1024RDB_defconfig b/configs/T1024RDB_defconfig
index 3ed1c6db4b..f8fbee2e4c 100644
--- a/configs/T1024RDB_defconfig
+++ b/configs/T1024RDB_defconfig
@@ -44,7 +44,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_SYS_FSL_DDR3=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/T1042D4RDB_defconfig b/configs/T1042D4RDB_defconfig
index f1ec400636..62cb8c4a37 100644
--- a/configs/T1042D4RDB_defconfig
+++ b/configs/T1042D4RDB_defconfig
@@ -35,7 +35,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_CLK_FREQ=66666666
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/T2080QDS_defconfig b/configs/T2080QDS_defconfig
index d76547ab63..c5b0c28391 100644
--- a/configs/T2080QDS_defconfig
+++ b/configs/T2080QDS_defconfig
@@ -33,7 +33,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DYNAMIC_DDR_CLK_FREQ=y
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/T2080RDB_defconfig b/configs/T2080RDB_defconfig
index 610f706473..cb8d5eb69b 100644
--- a/configs/T2080RDB_defconfig
+++ b/configs/T2080RDB_defconfig
@@ -38,7 +38,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_CLK_FREQ=133330000
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
diff --git a/configs/T4240RDB_defconfig b/configs/T4240RDB_defconfig
index c66b152d20..b57410bf58 100644
--- a/configs/T4240RDB_defconfig
+++ b/configs/T4240RDB_defconfig
@@ -30,7 +30,6 @@ CONFIG_ENV_OVERWRITE=y
 CONFIG_ENV_IS_IN_FLASH=y
 CONFIG_ENV_ADDR=0xEFF20000
 CONFIG_DM=y
-CONFIG_FSL_CAAM=y
 CONFIG_DDR_CLK_FREQ=133333333
 CONFIG_DDR_ECC=y
 CONFIG_ECC_INIT_VIA_DDRCONTROLLER=y
-- 
2.17.1

[PATCH v5 16/16] update CAAM MAINTAINER

[Gaurav Jain]

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
---
 MAINTAINERS | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 6db5354322..7d6f0051a2 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1296,3 +1296,10 @@ T:	git https://source.denx.de/u-boot/u-boot.git
 F:	configs/tools-only_defconfig
 F:	*
 F:	*/
+
+CAAM
+M:	Gaurav Jain <gaurav.jain@nxp.com>
+S:	Maintained
+F:	drivers/crypto/fsl/
+F:	include/fsl_sec.h
+F:	cmd/blob.c
-- 
2.17.1

Re: [PATCH v5 02/16] crypto/fsl: Add CAAM support for bkek, random number generation

[Michael Walle]

Hi,

> --- a/drivers/crypto/fsl/fsl_blob.c
> +++ b/drivers/crypto/fsl/fsl_blob.c
> @@ -1,6 +1,7 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
>   * Copyright 2014 Freescale Semiconductor, Inc.
> + * Copyright 2021 NXP
>   *
>   */
>  
> @@ -152,6 +153,87 @@ int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
>  	return ret;
>  }
>  
> +int derive_blob_kek(u8 *bkek_buf, u8 *key_mod, u32 key_sz)

where is this function actually used? looks like dead code to me.

> +{
> +	int ret, size;
> +	u32 *desc;
> +
> +	if (!IS_ALIGNED((uintptr_t)bkek_buf, ARCH_DMA_MINALIGN) ||
> +	    !IS_ALIGNED((uintptr_t)key_mod, ARCH_DMA_MINALIGN)) {
> +		puts("Error: derive_bkek: Address arguments are not aligned!\n");
> +		return -EINVAL;
> +	}
> +
> +	printf("\nBlob key encryption key(bkek)\n");
> +	desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
> +	if (!desc) {
> +		printf("Not enough memory for descriptor allocation\n");
> +		return -ENOMEM;
> +	}
> +
> +	size = ALIGN(key_sz, ARCH_DMA_MINALIGN);
> +	flush_dcache_range((unsigned long)key_mod, (unsigned long)key_mod + size);
> +
> +	/* construct blob key encryption key(bkek) derive descriptor */
> +	inline_cnstr_jobdesc_derive_bkek(desc, bkek_buf, key_mod, key_sz);
> +
> +	size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE, ARCH_DMA_MINALIGN);
> +	flush_dcache_range((unsigned long)desc, (unsigned long)desc + size);
> +	size = ALIGN(BKEK_SIZE, ARCH_DMA_MINALIGN);
> +	invalidate_dcache_range((unsigned long)bkek_buf,
> +				(unsigned long)bkek_buf + size);
> +
> +	/* run descriptor */
> +	ret = run_descriptor_jr(desc);
> +	if (ret < 0) {
> +		printf("Error: %s failed 0x%x\n", __func__, ret);
> +	} else {
> +		invalidate_dcache_range((unsigned long)bkek_buf,
> +					(unsigned long)bkek_buf + size);
> +		puts("derive bkek successful.\n");
> +	}
> +
> +	free(desc);
> +	return ret;
> +}
> +
> +int hwrng_generate(u8 *dst, u32 len)

likewise.
But more important what is the difference to drivers/crypto/fsl/rng.c? Why
do you need a new function here?

> +{
> +	int ret, size;
> +	u32 *desc;
> +
> +	if (!IS_ALIGNED((uintptr_t)dst, ARCH_DMA_MINALIGN)) {
> +		puts("Error: caam_hwrng_test: Address arguments are not aligned!\n");
> +		return -EINVAL;
> +	}
> +
> +	printf("\nRNG generate\n");
> +	desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
> +	if (!desc) {
> +		printf("Not enough memory for descriptor allocation\n");
> +		return -ENOMEM;
> +	}
> +
> +	inline_cnstr_jobdesc_rng(desc, dst, len);
> +
> +	size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE, ARCH_DMA_MINALIGN);
> +	flush_dcache_range((unsigned long)desc, (unsigned long)desc + size);
> +	size = ALIGN(len, ARCH_DMA_MINALIGN);
> +	invalidate_dcache_range((unsigned long)dst, (unsigned long)dst + size);
> +
> +	ret = run_descriptor_jr(desc);
> +	if (ret < 0) {
> +		printf("Error: RNG generate failed 0x%x\n", ret);
> +	} else {
> +		invalidate_dcache_range((unsigned long)dst,
> +					(unsigned long)dst + size);
> +		puts("RNG generation successful.\n");
> +	}
> +
> +	free(desc);
> +	return ret;
> +}
> +
>  #ifdef CONFIG_CMD_DEKBLOB
>  int blob_dek(const u8 *src, u8 *dst, u8 len)
>  {

-michael

Re: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[Michael Walle]

> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index 5b30b13e43..2b24672505 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -2009,6 +2009,7 @@ config CMD_AES
>  
>  config CMD_BLOB
>  	bool "Enable the 'blob' command"
> +	select FSL_BLOB

this looks wrong, because CMD_BLOB sounds like a generic command but it
will automatically select FSL_BLOB which in turn sounds freescale specific.
Looking at the help text, this command is (at least at the moment) freescale
specific, but the code seems to be generic and the blob_encap() and
blob_decap() are weak functions, thus they could be implemented in a
different way and not just by fsl_blob.c.

I don't think this should automatically select FSL_BLOB.

Also, shouldn't this be an uclass with encap and decap ops?

>  	depends on !MX6ULL && !MX6SLL && !MX6SL
>  	select IMX_HAB if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP || ARCH_IMX8M
>  	help
> diff --git a/drivers/crypto/fsl/Kconfig b/drivers/crypto/fsl/Kconfig
> index 94ff540111..ab59d516f8 100644
> --- a/drivers/crypto/fsl/Kconfig
> +++ b/drivers/crypto/fsl/Kconfig
> @@ -66,4 +66,11 @@ config FSL_CAAM_RNG
>  	  using the prediction resistance flag which means the DRGB is
>  	  reseeded from the TRNG every time random data is generated.
>  
> +config FSL_BLOB
> +        bool "Enable Blob Encap/Decap, Blob KEK support"

wrong indendation?

> +	help
> +	  Enable support for the hardware based crytographic blob encap/decap
> +	  module of the CAAM. blobs can be safely placed into non-volatile
> +	  storage. blobs can only be decapsulated by the SoC that created it.
> +	  Enable support for blob key encryption key generation.
>  endif

RE: [EXT] Re: [PATCH v5 02/16] crypto/fsl: Add CAAM support for bkek, random number generation

[Gaurav Jain]

Hello Michael,

> -----Original Message-----
> From: Michael Walle <michael@walle.cc>
> Sent: Tuesday, November 16, 2021 4:16 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>
> Cc: Shengzhou Liu <shengzhou.liu@nxp.com>; Varun Sethi
> <V.Sethi@nxp.com>; Adrian Alonso <adrian.alonso@nxp.com>; Alison Wang
> <alison.wang@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> festevam@gmail.com; Franck Lenormand <franck.lenormand@nxp.com>;
> Horia Geanta <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>;
> Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Mingkai Hu
> <mingkai.hu@nxp.com>; olteanv@gmail.com; Pankaj Gupta
> <pankaj.gupta@nxp.com>; Peng Fan <peng.fan@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Priyanka Jain <priyanka.jain@nxp.com>;
> Rajesh Bhagat <rajesh.bhagat@nxp.com>; Sahil Malhotra
> <sahil.malhotra@nxp.com>; sbabic@denx.de; Silvano Di Ninno
> <silvano.dininno@nxp.com>; sjg@chromium.org; u-boot@lists.denx.de; dl-
> uboot-imx <uboot-imx@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Ye Li <ye.li@nxp.com>; Michael Walle <michael@walle.cc>
> Subject: [EXT] Re: [PATCH v5 02/16] crypto/fsl: Add CAAM support for bkek,
> random number generation
> 
> Caution: EXT Email
> 
> Hi,
> 
> > --- a/drivers/crypto/fsl/fsl_blob.c
> > +++ b/drivers/crypto/fsl/fsl_blob.c
> > @@ -1,6 +1,7 @@
> >  // SPDX-License-Identifier: GPL-2.0+
> >  /*
> >   * Copyright 2014 Freescale Semiconductor, Inc.
> > + * Copyright 2021 NXP
> >   *
> >   */
> >
> > @@ -152,6 +153,87 @@ int blob_encap(u8 *key_mod, u8 *src, u8 *dst,
> u32 len)
> >       return ret;
> >  }
> >
> > +int derive_blob_kek(u8 *bkek_buf, u8 *key_mod, u32 key_sz)
> 
> where is this function actually used? looks like dead code to me.

I was thinking to add the command for this function later.
But will remove this patch from this series and send this later with derive blob kek cmd implementation.

Regards
Gaurav Jain
> 
> > +{
> > +     int ret, size;
> > +     u32 *desc;
> > +
> > +     if (!IS_ALIGNED((uintptr_t)bkek_buf, ARCH_DMA_MINALIGN) ||
> > +         !IS_ALIGNED((uintptr_t)key_mod, ARCH_DMA_MINALIGN)) {
> > +             puts("Error: derive_bkek: Address arguments are not aligned!\n");
> > +             return -EINVAL;
> > +     }
> > +
> > +     printf("\nBlob key encryption key(bkek)\n");
> > +     desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
> > +     if (!desc) {
> > +             printf("Not enough memory for descriptor allocation\n");
> > +             return -ENOMEM;
> > +     }
> > +
> > +     size = ALIGN(key_sz, ARCH_DMA_MINALIGN);
> > +     flush_dcache_range((unsigned long)key_mod, (unsigned
> > + long)key_mod + size);
> > +
> > +     /* construct blob key encryption key(bkek) derive descriptor */
> > +     inline_cnstr_jobdesc_derive_bkek(desc, bkek_buf, key_mod,
> > + key_sz);
> > +
> > +     size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE,
> ARCH_DMA_MINALIGN);
> > +     flush_dcache_range((unsigned long)desc, (unsigned long)desc + size);
> > +     size = ALIGN(BKEK_SIZE, ARCH_DMA_MINALIGN);
> > +     invalidate_dcache_range((unsigned long)bkek_buf,
> > +                             (unsigned long)bkek_buf + size);
> > +
> > +     /* run descriptor */
> > +     ret = run_descriptor_jr(desc);
> > +     if (ret < 0) {
> > +             printf("Error: %s failed 0x%x\n", __func__, ret);
> > +     } else {
> > +             invalidate_dcache_range((unsigned long)bkek_buf,
> > +                                     (unsigned long)bkek_buf + size);
> > +             puts("derive bkek successful.\n");
> > +     }
> > +
> > +     free(desc);
> > +     return ret;
> > +}
> > +
> > +int hwrng_generate(u8 *dst, u32 len)
> 
> likewise.
> But more important what is the difference to drivers/crypto/fsl/rng.c? Why
> do you need a new function here?
> 
> > +{
> > +     int ret, size;
> > +     u32 *desc;
> > +
> > +     if (!IS_ALIGNED((uintptr_t)dst, ARCH_DMA_MINALIGN)) {
> > +             puts("Error: caam_hwrng_test: Address arguments are not
> aligned!\n");
> > +             return -EINVAL;
> > +     }
> > +
> > +     printf("\nRNG generate\n");
> > +     desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
> > +     if (!desc) {
> > +             printf("Not enough memory for descriptor allocation\n");
> > +             return -ENOMEM;
> > +     }
> > +
> > +     inline_cnstr_jobdesc_rng(desc, dst, len);
> > +
> > +     size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE,
> ARCH_DMA_MINALIGN);
> > +     flush_dcache_range((unsigned long)desc, (unsigned long)desc + size);
> > +     size = ALIGN(len, ARCH_DMA_MINALIGN);
> > +     invalidate_dcache_range((unsigned long)dst, (unsigned long)dst +
> > + size);
> > +
> > +     ret = run_descriptor_jr(desc);
> > +     if (ret < 0) {
> > +             printf("Error: RNG generate failed 0x%x\n", ret);
> > +     } else {
> > +             invalidate_dcache_range((unsigned long)dst,
> > +                                     (unsigned long)dst + size);
> > +             puts("RNG generation successful.\n");
> > +     }
> > +
> > +     free(desc);
> > +     return ret;
> > +}
> > +
> >  #ifdef CONFIG_CMD_DEKBLOB
> >  int blob_dek(const u8 *src, u8 *dst, u8 len)  {
> 
> -michael

Re: [PATCH v5 13/16] Layerscape: Enable Job ring driver model in U-Boot.

[Michael Walle]

> LS(1021/1012/1028/1043/1046/1088/2088), LX2160, LX2162
> platforms are enabled with JR driver model.
> 
> removed sec_init() call from board files.
> removed CONFIG_FSL_CAAM from defconfig files.
> sec is initialized based on job ring information processed
> from device tree.
> 
> Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
> ---
>  arch/arm/cpu/armv7/ls102xa/Kconfig            |  4 +++
>  arch/arm/cpu/armv7/ls102xa/cpu.c              | 16 +++++++++++
>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig     | 27 +++++++++++++++++++
>  arch/arm/cpu/armv8/fsl-layerscape/cpu.c       | 10 ++++++-
>  board/freescale/ls1012afrdm/ls1012afrdm.c     |  7 +----
>  board/freescale/ls1012aqds/ls1012aqds.c       |  6 +----
>  board/freescale/ls1012ardb/ls1012ardb.c       |  6 +----
>  board/freescale/ls1021aiot/ls1021aiot.c       |  6 ++---
>  board/freescale/ls1021aqds/ls1021aqds.c       |  6 +----
>  board/freescale/ls1021atsn/ls1021atsn.c       |  7 ++---
>  board/freescale/ls1021atwr/ls1021atwr.c       |  8 ++----
>  board/freescale/ls1028a/ls1028a.c             |  6 +----
>  board/freescale/ls1043ardb/ls1043ardb.c       |  6 +----
>  board/freescale/ls1046afrwy/ls1046afrwy.c     |  7 +----
>  board/freescale/ls1046aqds/ls1046aqds.c       |  7 +----
>  board/freescale/ls1046ardb/ls1046ardb.c       |  6 +----
>  board/freescale/ls1088a/ls1088a.c             |  6 +----
>  board/freescale/ls2080aqds/ls2080aqds.c       |  6 +----
>  board/freescale/ls2080ardb/ls2080ardb.c       |  9 +------
>  board/freescale/lx2160a/lx2160a.c             |  5 ----
>  configs/ls1021aiot_qspi_defconfig             |  1 -
>  configs/ls1021aqds_nor_defconfig              |  1 -
>  configs/ls1021aqds_qspi_defconfig             |  1 -
>  configs/ls1021atsn_qspi_defconfig             |  1 -
>  configs/ls1021atwr_nor_defconfig              |  1 -
>  ...s1021atwr_sdcard_ifc_SECURE_BOOT_defconfig |  1 +
>  configs/ls1028ardb_tfa_defconfig              |  1 -
>  configs/ls1043ardb_tfa_defconfig              |  1 -
>  configs/ls1046afrwy_tfa_defconfig             |  1 -
>  configs/ls1046aqds_tfa_defconfig              |  1 -
>  configs/ls1046ardb_tfa_defconfig              |  1 -
>  configs/ls2088aqds_tfa_defconfig              |  1 -
>  configs/ls2088ardb_tfa_defconfig              |  1 -
>  configs/lx2160aqds_tfa_defconfig              |  1 -
>  configs/lx2160ardb_tfa_defconfig              |  1 -
>  configs/lx2162aqds_tfa_defconfig              |  1 -
>  36 files changed, 75 insertions(+), 102 deletions(-)

board/kontron/sl28/sl28.c fixes are missing here. With this patch
applied I'll get the following error during boot:

U-Boot 2022.01-rc2-00026-gf82ded5126-dirty (Nov 16 2021 - 11:16:40 +0100)

SoC:  LS1028A Rev1.0 (0x870b0110)
Clock Configuration:
       CPU0(A72):1300 MHz  CPU1(A72):1300 MHz  
       Bus:      400  MHz  DDR:      1600 MT/s
Reset Configuration Word (RCW):
       00000000: 34004010 00000030 00000000 00000000
       00000010: 00000000 008f0000 0030c000 00000000
       00000020: 06200000 00002580 00000000 00019016
       00000030: 00000000 00000048 00000000 00000000
       00000040: 00000000 00000000 00000000 00000000
       00000050: 00000000 00000000 00000000 00000000
       00000060: 00000304 00000000 000e7000 00000000
       00000070: bb580000 00020000
Model: Kontron SMARC-sAL28 (Dual PHY)
EL:    3
CPLD:  v64
DRAM:  4 GiB (DDR3, 32-bit, CL=11, ECC on)
caam_jr: caam not found

^^ this error.

please add the following hunk to this patch:

diff --git a/board/kontron/sl28/sl28.c b/board/kontron/sl28/sl28.c
index 9572502499..555e831f2a 100644
--- a/board/kontron/sl28/sl28.c
+++ b/board/kontron/sl28/sl28.c
@@ -31,9 +31,6 @@ int board_early_init_f(void)
 
 int board_init(void)
 {
-       if (CONFIG_IS_ENABLED(FSL_CAAM))
-               sec_init();
-
        return 0;
 }

>  config ARCH_LS1028A
> @@ -53,6 +57,9 @@ config ARCH_LS1028A
>  	select SYS_FSL_ERRATUM_A011334
>  	select SYS_FSL_ESDHC_UNRELIABLE_PULSE_DETECTION_WORKAROUND
>  	select RESV_RAM if GIC_V3_ITS
> +	select FSL_CAAM
> +	select FSL_BLOB
> +	select MISC

There are boards like the sl28 which also have ARCH_LS1028A set and
doesn't depend on neither FSL_CAAM nor FSL_BLOB. Please don't set
this per architecture. Both should be set by the individual boards
instead as they are optional and having this here will just increase
binary size.

Of course this is like to be true for all ARCH_LSxxx Kconfig options.

>  	imply PANIC_HANG 

-michael

Re: [EXT] Re: [PATCH v5 02/16] crypto/fsl: Add CAAM support for bkek, random number generation

[Michael Walle]

Hi,

Am 2021-11-16 12:09, schrieb Gaurav Jain:
>> > --- a/drivers/crypto/fsl/fsl_blob.c
>> > +++ b/drivers/crypto/fsl/fsl_blob.c
>> > @@ -1,6 +1,7 @@
>> >  // SPDX-License-Identifier: GPL-2.0+
>> >  /*
>> >   * Copyright 2014 Freescale Semiconductor, Inc.
>> > + * Copyright 2021 NXP
>> >   *
>> >   */
>> >
>> > @@ -152,6 +153,87 @@ int blob_encap(u8 *key_mod, u8 *src, u8 *dst,
>> u32 len)
>> >       return ret;
>> >  }
>> >
>> > +int derive_blob_kek(u8 *bkek_buf, u8 *key_mod, u32 key_sz)
>> 
>> where is this function actually used? looks like dead code to me.
> 
> I was thinking to add the command for this function later.
> But will remove this patch from this series and send this later with
> derive blob kek cmd implementation.

ok, but you've missed the question below.

>> 
>> > +{
>> > +     int ret, size;
>> > +     u32 *desc;
>> > +
>> > +     if (!IS_ALIGNED((uintptr_t)bkek_buf, ARCH_DMA_MINALIGN) ||
>> > +         !IS_ALIGNED((uintptr_t)key_mod, ARCH_DMA_MINALIGN)) {
>> > +             puts("Error: derive_bkek: Address arguments are not aligned!\n");
>> > +             return -EINVAL;
>> > +     }
>> > +
>> > +     printf("\nBlob key encryption key(bkek)\n");
>> > +     desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
>> > +     if (!desc) {
>> > +             printf("Not enough memory for descriptor allocation\n");
>> > +             return -ENOMEM;
>> > +     }
>> > +
>> > +     size = ALIGN(key_sz, ARCH_DMA_MINALIGN);
>> > +     flush_dcache_range((unsigned long)key_mod, (unsigned
>> > + long)key_mod + size);
>> > +
>> > +     /* construct blob key encryption key(bkek) derive descriptor */
>> > +     inline_cnstr_jobdesc_derive_bkek(desc, bkek_buf, key_mod,
>> > + key_sz);
>> > +
>> > +     size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE,
>> ARCH_DMA_MINALIGN);
>> > +     flush_dcache_range((unsigned long)desc, (unsigned long)desc + size);
>> > +     size = ALIGN(BKEK_SIZE, ARCH_DMA_MINALIGN);
>> > +     invalidate_dcache_range((unsigned long)bkek_buf,
>> > +                             (unsigned long)bkek_buf + size);
>> > +
>> > +     /* run descriptor */
>> > +     ret = run_descriptor_jr(desc);
>> > +     if (ret < 0) {
>> > +             printf("Error: %s failed 0x%x\n", __func__, ret);
>> > +     } else {
>> > +             invalidate_dcache_range((unsigned long)bkek_buf,
>> > +                                     (unsigned long)bkek_buf + size);
>> > +             puts("derive bkek successful.\n");
>> > +     }
>> > +
>> > +     free(desc);
>> > +     return ret;
>> > +}
>> > +
>> > +int hwrng_generate(u8 *dst, u32 len)
>> 
>> likewise.
>> But more important what is the difference to drivers/crypto/fsl/rng.c? 
>> Why
>> do you need a new function here?

This one. Why can't you reuse the code which is already there?

-michael

RE: [EXT] Re: [PATCH v5 02/16] crypto/fsl: Add CAAM support for bkek, random number generation

[Gaurav Jain]

Hi

> -----Original Message-----
> From: Michael Walle <michael@walle.cc>
> Sent: Tuesday, November 16, 2021 4:53 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>
> Cc: Shengzhou Liu <shengzhou.liu@nxp.com>; Varun Sethi
> <V.Sethi@nxp.com>; Adrian Alonso <adrian.alonso@nxp.com>; Alison Wang
> <alison.wang@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> festevam@gmail.com; Franck Lenormand <franck.lenormand@nxp.com>;
> Horia Geanta <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>;
> Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Mingkai Hu
> <mingkai.hu@nxp.com>; olteanv@gmail.com; Pankaj Gupta
> <pankaj.gupta@nxp.com>; Peng Fan <peng.fan@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Priyanka Jain <priyanka.jain@nxp.com>;
> Rajesh Bhagat <rajesh.bhagat@nxp.com>; Sahil Malhotra
> <sahil.malhotra@nxp.com>; sbabic@denx.de; Silvano Di Ninno
> <silvano.dininno@nxp.com>; sjg@chromium.org; u-boot@lists.denx.de; dl-
> uboot-imx <uboot-imx@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Ye Li <ye.li@nxp.com>
> Subject: Re: [EXT] Re: [PATCH v5 02/16] crypto/fsl: Add CAAM support for
> bkek, random number generation
> 
> Caution: EXT Email
> 
> Hi,
> 
> Am 2021-11-16 12:09, schrieb Gaurav Jain:
> >> > --- a/drivers/crypto/fsl/fsl_blob.c
> >> > +++ b/drivers/crypto/fsl/fsl_blob.c
> >> > @@ -1,6 +1,7 @@
> >> >  // SPDX-License-Identifier: GPL-2.0+
> >> >  /*
> >> >   * Copyright 2014 Freescale Semiconductor, Inc.
> >> > + * Copyright 2021 NXP
> >> >   *
> >> >   */
> >> >
> >> > @@ -152,6 +153,87 @@ int blob_encap(u8 *key_mod, u8 *src, u8 *dst,
> >> u32 len)
> >> >       return ret;
> >> >  }
> >> >
> >> > +int derive_blob_kek(u8 *bkek_buf, u8 *key_mod, u32 key_sz)
> >>
> >> where is this function actually used? looks like dead code to me.
> >
> > I was thinking to add the command for this function later.
> > But will remove this patch from this series and send this later with
> > derive blob kek cmd implementation.
> 
> ok, but you've missed the question below.
> 
> >>
> >> > +{
> >> > +     int ret, size;
> >> > +     u32 *desc;
> >> > +
> >> > +     if (!IS_ALIGNED((uintptr_t)bkek_buf, ARCH_DMA_MINALIGN) ||
> >> > +         !IS_ALIGNED((uintptr_t)key_mod, ARCH_DMA_MINALIGN)) {
> >> > +             puts("Error: derive_bkek: Address arguments are not
> aligned!\n");
> >> > +             return -EINVAL;
> >> > +     }
> >> > +
> >> > +     printf("\nBlob key encryption key(bkek)\n");
> >> > +     desc = malloc_cache_aligned(sizeof(int) * MAX_CAAM_DESCSIZE);
> >> > +     if (!desc) {
> >> > +             printf("Not enough memory for descriptor allocation\n");
> >> > +             return -ENOMEM;
> >> > +     }
> >> > +
> >> > +     size = ALIGN(key_sz, ARCH_DMA_MINALIGN);
> >> > +     flush_dcache_range((unsigned long)key_mod, (unsigned
> >> > + long)key_mod + size);
> >> > +
> >> > +     /* construct blob key encryption key(bkek) derive descriptor */
> >> > +     inline_cnstr_jobdesc_derive_bkek(desc, bkek_buf, key_mod,
> >> > + key_sz);
> >> > +
> >> > +     size = ALIGN(sizeof(int) * MAX_CAAM_DESCSIZE,
> >> ARCH_DMA_MINALIGN);
> >> > +     flush_dcache_range((unsigned long)desc, (unsigned long)desc +
> size);
> >> > +     size = ALIGN(BKEK_SIZE, ARCH_DMA_MINALIGN);
> >> > +     invalidate_dcache_range((unsigned long)bkek_buf,
> >> > +                             (unsigned long)bkek_buf + size);
> >> > +
> >> > +     /* run descriptor */
> >> > +     ret = run_descriptor_jr(desc);
> >> > +     if (ret < 0) {
> >> > +             printf("Error: %s failed 0x%x\n", __func__, ret);
> >> > +     } else {
> >> > +             invalidate_dcache_range((unsigned long)bkek_buf,
> >> > +                                     (unsigned long)bkek_buf + size);
> >> > +             puts("derive bkek successful.\n");
> >> > +     }
> >> > +
> >> > +     free(desc);
> >> > +     return ret;
> >> > +}
> >> > +
> >> > +int hwrng_generate(u8 *dst, u32 len)
> >>
> >> likewise.
> >> But more important what is the difference to drivers/crypto/fsl/rng.c?
> >> Why
> >> do you need a new function here?
> 
> This one. Why can't you reuse the code which is already there?

I might have missed to update this.
dm_rng_read() can be used. Will remove hwrng_generate().

Regards
Gaurav Jain
> 
> -michael

Re: [EXT] Re: [PATCH v5 02/16] crypto/fsl: Add CAAM support for bkek, random number generation

[Michael Walle]

Am 2021-11-16 12:57, schrieb Gaurav Jain:
>> >> > +int hwrng_generate(u8 *dst, u32 len)
>> >>
>> >> likewise.
>> >> But more important what is the difference to drivers/crypto/fsl/rng.c?
>> >> Why
>> >> do you need a new function here?
>> 
>> This one. Why can't you reuse the code which is already there?
> 
> I might have missed to update this.
> dm_rng_read() can be used. Will remove hwrng_generate().

Nice, thanks. Slightly lesser code :)

-michael

RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[ZHIZHIKIN Andrey]

Hello Gaurav,

> -----Original Message-----
> From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> Sent: Monday, November 15, 2021 8:00 AM
> To: u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka Jain
> <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>; Shengzhou
> Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>; Gaurav Jain
> <gaurav.jain@nxp.com>
> Subject: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model
> 
> 
> added device tree support for job ring driver.
> sec is initialized based on job ring information processed
> from device tree.
> 
> Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> Reviewed-by: Ye Li <ye.li@nxp.com>
> ---
>  cmd/Kconfig                 |   1 +
>  drivers/crypto/fsl/Kconfig  |   7 +
>  drivers/crypto/fsl/Makefile |   4 +-
>  drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
>  drivers/crypto/fsl/jr.h     |  14 ++
>  5 files changed, 232 insertions(+), 110 deletions(-)
> 
> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index 5b30b13e43..2b24672505 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -2009,6 +2009,7 @@ config CMD_AES
> 
>  config CMD_BLOB
>         bool "Enable the 'blob' command"
> +       select FSL_BLOB
>         depends on !MX6ULL && !MX6SLL && !MX6SL
>         select IMX_HAB if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP || ARCH_IMX8M
>         help
> diff --git a/drivers/crypto/fsl/Kconfig b/drivers/crypto/fsl/Kconfig
> index 94ff540111..ab59d516f8 100644
> --- a/drivers/crypto/fsl/Kconfig
> +++ b/drivers/crypto/fsl/Kconfig
> @@ -66,4 +66,11 @@ config FSL_CAAM_RNG
>           using the prediction resistance flag which means the DRGB is
>           reseeded from the TRNG every time random data is generated.
> 
> +config FSL_BLOB
> +        bool "Enable Blob Encap/Decap, Blob KEK support"
> +       help
> +         Enable support for the hardware based crytographic blob encap/decap
> +         module of the CAAM. blobs can be safely placed into non-volatile
> +         storage. blobs can only be decapsulated by the SoC that created it.
> +         Enable support for blob key encryption key generation.
>  endif
> diff --git a/drivers/crypto/fsl/Makefile b/drivers/crypto/fsl/Makefile
> index f9c3ccecfc..738535b8e4 100644
> --- a/drivers/crypto/fsl/Makefile
> +++ b/drivers/crypto/fsl/Makefile
> @@ -1,10 +1,12 @@
>  # SPDX-License-Identifier: GPL-2.0+
>  #
>  # Copyright 2014 Freescale Semiconductor, Inc.
> +# Copyright 2021 NXP
> 
>  obj-y += sec.o
>  obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o
> -obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o
> +obj-$(CONFIG_FSL_BLOB) += fsl_blob.o
> +obj-$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o
>  obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o
>  obj-$(CONFIG_FSL_CAAM_RNG) += rng.o
>  obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o
> diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
> index 22b649219e..eea2225a1e 100644
> --- a/drivers/crypto/fsl/jr.c
> +++ b/drivers/crypto/fsl/jr.c
> @@ -1,7 +1,7 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
>   * Copyright 2008-2014 Freescale Semiconductor, Inc.
> - * Copyright 2018 NXP
> + * Copyright 2018, 2021 NXP
>   *
>   * Based on CAAM driver in drivers/crypto/caam in Linux
>   */
> @@ -11,7 +11,6 @@
>  #include <linux/kernel.h>
>  #include <log.h>
>  #include <malloc.h>
> -#include "fsl_sec.h"
>  #include "jr.h"
>  #include "jobdesc.h"
>  #include "desc_constr.h"
> @@ -21,8 +20,11 @@
>  #include <asm/cache.h>
>  #include <asm/fsl_pamu.h>
>  #endif
> +#include <dm.h>
>  #include <dm/lists.h>
>  #include <linux/delay.h>
> +#include <dm/root.h>
> +#include <dm/device-internal.h>
> 
>  #define CIRC_CNT(head, tail, size)     (((head) - (tail)) & (size - 1))
>  #define CIRC_SPACE(head, tail, size)   CIRC_CNT((tail), (head) + 1, (size))
> @@ -35,20 +37,30 @@ uint32_t sec_offset[CONFIG_SYS_FSL_MAX_NUM_OF_SEC] = {
>  #endif
>  };
> 
> +#if CONFIG_IS_ENABLED(DM)
> +struct udevice *caam_dev;
> +#else
>  #define SEC_ADDR(idx)  \
>         (ulong)((CONFIG_SYS_FSL_SEC_ADDR + sec_offset[idx]))
> 
>  #define SEC_JR0_ADDR(idx)      \
>         (ulong)(SEC_ADDR(idx) + \
>          (CONFIG_SYS_FSL_JR0_OFFSET - CONFIG_SYS_FSL_SEC_OFFSET))
> +struct caam_regs caam_st;
> +#endif
> 
> -struct jobring jr0[CONFIG_SYS_FSL_MAX_NUM_OF_SEC];
> +static inline u32 jr_start_reg(u8 jrid)
> +{
> +       return (1 << jrid);
> +}
> 
> -static inline void start_jr0(uint8_t sec_idx)
> +#ifndef CONFIG_ARCH_IMX8
> +static inline void start_jr(struct caam_regs *caam)
>  {
> -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> +       ccsr_sec_t *sec = caam->sec;
>         u32 ctpr_ms = sec_in32(&sec->ctpr_ms);
>         u32 scfgr = sec_in32(&sec->scfgr);
> +       u32 jrstart = jr_start_reg(caam->jrid);
> 
>         if (ctpr_ms & SEC_CTPR_MS_VIRT_EN_INCL) {
>                 /* VIRT_EN_INCL = 1 & VIRT_EN_POR = 1 or
> @@ -56,23 +68,17 @@ static inline void start_jr0(uint8_t sec_idx)
>                  */
>                 if ((ctpr_ms & SEC_CTPR_MS_VIRT_EN_POR) ||
>                     (scfgr & SEC_SCFGR_VIRT_EN))
> -                       sec_out32(&sec->jrstartr, CONFIG_JRSTARTR_JR0);
> +                       sec_out32(&sec->jrstartr, jrstart);
>         } else {
>                 /* VIRT_EN_INCL = 0 && VIRT_EN_POR_VALUE = 1 */
>                 if (ctpr_ms & SEC_CTPR_MS_VIRT_EN_POR)
> -                       sec_out32(&sec->jrstartr, CONFIG_JRSTARTR_JR0);
> +                       sec_out32(&sec->jrstartr, jrstart);
>         }
>  }
> +#endif
> 
> -static inline void jr_reset_liodn(uint8_t sec_idx)
> -{
> -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> -       sec_out32(&sec->jrliodnr[0].ls, 0);
> -}
> -
> -static inline void jr_disable_irq(uint8_t sec_idx)
> +static inline void jr_disable_irq(struct jr_regs *regs)
>  {
> -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
>         uint32_t jrcfg = sec_in32(&regs->jrcfg1);
> 
>         jrcfg = jrcfg | JR_INTMASK;
> @@ -80,10 +86,10 @@ static inline void jr_disable_irq(uint8_t sec_idx)
>         sec_out32(&regs->jrcfg1, jrcfg);
>  }
> 
> -static void jr_initregs(uint8_t sec_idx)
> +static void jr_initregs(uint8_t sec_idx, struct caam_regs *caam)
>  {
> -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> -       struct jobring *jr = &jr0[sec_idx];
> +       struct jr_regs *regs = caam->regs;
> +       struct jobring *jr = &caam->jr[sec_idx];
>         caam_dma_addr_t ip_base = virt_to_phys((void *)jr->input_ring);
>         caam_dma_addr_t op_base = virt_to_phys((void *)jr->output_ring);
> 
> @@ -103,16 +109,16 @@ static void jr_initregs(uint8_t sec_idx)
>         sec_out32(&regs->irs, JR_SIZE);
> 
>         if (!jr->irq)
> -               jr_disable_irq(sec_idx);
> +               jr_disable_irq(regs);
>  }
> 
> -static int jr_init(uint8_t sec_idx)
> +static int jr_init(uint8_t sec_idx, struct caam_regs *caam)
>  {
> -       struct jobring *jr = &jr0[sec_idx];
> +       struct jobring *jr = &caam->jr[sec_idx];
> 
>         memset(jr, 0, sizeof(struct jobring));
> 
> -       jr->jq_id = DEFAULT_JR_ID;
> +       jr->jq_id = caam->jrid;
>         jr->irq = DEFAULT_IRQ;
> 
>  #ifdef CONFIG_FSL_CORENET
> @@ -134,53 +140,10 @@ static int jr_init(uint8_t sec_idx)
>         memset(jr->input_ring, 0, JR_SIZE * sizeof(caam_dma_addr_t));
>         memset(jr->output_ring, 0, jr->op_size);
> 
> -       start_jr0(sec_idx);
> -
> -       jr_initregs(sec_idx);
> -
> -       return 0;
> -}
> -
> -static int jr_sw_cleanup(uint8_t sec_idx)
> -{
> -       struct jobring *jr = &jr0[sec_idx];
> -
> -       jr->head = 0;
> -       jr->tail = 0;
> -       jr->read_idx = 0;
> -       jr->write_idx = 0;
> -       memset(jr->info, 0, sizeof(jr->info));
> -       memset(jr->input_ring, 0, jr->size * sizeof(caam_dma_addr_t));
> -       memset(jr->output_ring, 0, jr->size * sizeof(struct op_ring));
> -
> -       return 0;
> -}
> -
> -static int jr_hw_reset(uint8_t sec_idx)
> -{
> -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> -       uint32_t timeout = 100000;
> -       uint32_t jrint, jrcr;
> -
> -       sec_out32(&regs->jrcr, JRCR_RESET);
> -       do {
> -               jrint = sec_in32(&regs->jrint);
> -       } while (((jrint & JRINT_ERR_HALT_MASK) ==
> -                 JRINT_ERR_HALT_INPROGRESS) && --timeout);
> -
> -       jrint = sec_in32(&regs->jrint);
> -       if (((jrint & JRINT_ERR_HALT_MASK) !=
> -            JRINT_ERR_HALT_INPROGRESS) && timeout == 0)
> -               return -1;
> -
> -       timeout = 100000;
> -       sec_out32(&regs->jrcr, JRCR_RESET);
> -       do {
> -               jrcr = sec_in32(&regs->jrcr);
> -       } while ((jrcr & JRCR_RESET) && --timeout);
> -
> -       if (timeout == 0)
> -               return -1;
> +#ifndef CONFIG_ARCH_IMX8
> +       start_jr(caam);
> +#endif
> +       jr_initregs(sec_idx, caam);
> 
>         return 0;
>  }
> @@ -188,10 +151,10 @@ static int jr_hw_reset(uint8_t sec_idx)
>  /* -1 --- error, can't enqueue -- no space available */
>  static int jr_enqueue(uint32_t *desc_addr,
>                void (*callback)(uint32_t status, void *arg),
> -              void *arg, uint8_t sec_idx)
> +              void *arg, uint8_t sec_idx, struct caam_regs *caam)
>  {
> -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> -       struct jobring *jr = &jr0[sec_idx];
> +       struct jr_regs *regs = caam->regs;
> +       struct jobring *jr = &caam->jr[sec_idx];
>         int head = jr->head;
>         uint32_t desc_word;
>         int length = desc_len(desc_addr);
> @@ -263,10 +226,10 @@ static int jr_enqueue(uint32_t *desc_addr,
>         return 0;
>  }
> 
> -static int jr_dequeue(int sec_idx)
> +static int jr_dequeue(int sec_idx, struct caam_regs *caam)
>  {
> -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> -       struct jobring *jr = &jr0[sec_idx];
> +       struct jr_regs *regs = caam->regs;
> +       struct jobring *jr = &caam->jr[sec_idx];
>         int head = jr->head;
>         int tail = jr->tail;
>         int idx, i, found;
> @@ -349,14 +312,18 @@ static void desc_done(uint32_t status, void *arg)
>  {
>         struct result *x = arg;
>         x->status = status;
> -#ifndef CONFIG_SPL_BUILD
>         caam_jr_strstatus(status);
> -#endif
>         x->done = 1;
>  }
> 
>  static inline int run_descriptor_jr_idx(uint32_t *desc, uint8_t sec_idx)
>  {
> +       struct caam_regs *caam;
> +#if CONFIG_IS_ENABLED(DM)
> +       caam = dev_get_priv(caam_dev);
> +#else
> +       caam = &caam_st;
> +#endif
>         unsigned long long timeval = 0;
>         unsigned long long timeout = CONFIG_USEC_DEQ_TIMEOUT;
>         struct result op;
> @@ -364,7 +331,7 @@ static inline int run_descriptor_jr_idx(uint32_t *desc,
> uint8_t sec_idx)
> 
>         memset(&op, 0, sizeof(op));
> 
> -       ret = jr_enqueue(desc, desc_done, &op, sec_idx);
> +       ret = jr_enqueue(desc, desc_done, &op, sec_idx, caam);
>         if (ret) {
>                 debug("Error in SEC enq\n");
>                 ret = JQ_ENQ_ERR;
> @@ -375,7 +342,7 @@ static inline int run_descriptor_jr_idx(uint32_t *desc,
> uint8_t sec_idx)
>                 udelay(1);
>                 timeval += 1;
> 
> -               ret = jr_dequeue(sec_idx);
> +               ret = jr_dequeue(sec_idx, caam);
>                 if (ret) {
>                         debug("Error in SEC deq\n");
>                         ret = JQ_DEQ_ERR;
> @@ -402,13 +369,63 @@ int run_descriptor_jr(uint32_t *desc)
>         return run_descriptor_jr_idx(desc, 0);
>  }
> 
> +#ifndef CONFIG_ARCH_IMX8
> +static int jr_sw_cleanup(uint8_t sec_idx, struct caam_regs *caam)
> +{
> +       struct jobring *jr = &caam->jr[sec_idx];
> +
> +       jr->head = 0;
> +       jr->tail = 0;
> +       jr->read_idx = 0;
> +       jr->write_idx = 0;
> +       memset(jr->info, 0, sizeof(jr->info));
> +       memset(jr->input_ring, 0, jr->size * sizeof(caam_dma_addr_t));
> +       memset(jr->output_ring, 0, jr->size * sizeof(struct op_ring));
> +
> +       return 0;
> +}
> +
> +static int jr_hw_reset(struct jr_regs *regs)
> +{
> +       uint32_t timeout = 100000;
> +       uint32_t jrint, jrcr;
> +
> +       sec_out32(&regs->jrcr, JRCR_RESET);
> +       do {
> +               jrint = sec_in32(&regs->jrint);
> +       } while (((jrint & JRINT_ERR_HALT_MASK) ==
> +                 JRINT_ERR_HALT_INPROGRESS) && --timeout);
> +
> +       jrint = sec_in32(&regs->jrint);
> +       if (((jrint & JRINT_ERR_HALT_MASK) !=
> +            JRINT_ERR_HALT_INPROGRESS) && timeout == 0)
> +               return -1;
> +
> +       timeout = 100000;
> +       sec_out32(&regs->jrcr, JRCR_RESET);
> +       do {
> +               jrcr = sec_in32(&regs->jrcr);
> +       } while ((jrcr & JRCR_RESET) && --timeout);
> +
> +       if (timeout == 0)
> +               return -1;
> +
> +       return 0;
> +}
> +
>  static inline int jr_reset_sec(uint8_t sec_idx)
>  {
> -       if (jr_hw_reset(sec_idx) < 0)
> +       struct caam_regs *caam;
> +#if CONFIG_IS_ENABLED(DM)
> +       caam = dev_get_priv(caam_dev);
> +#else
> +       caam = &caam_st;
> +#endif
> +       if (jr_hw_reset(caam->regs) < 0)
>                 return -1;
> 
>         /* Clean up the jobring structure maintained by software */
> -       jr_sw_cleanup(sec_idx);
> +       jr_sw_cleanup(sec_idx, caam);
> 
>         return 0;
>  }
> @@ -418,9 +435,15 @@ int jr_reset(void)
>         return jr_reset_sec(0);
>  }
> 
> -static inline int sec_reset_idx(uint8_t sec_idx)
> +int sec_reset(void)
>  {
> -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> +       struct caam_regs *caam;
> +#if CONFIG_IS_ENABLED(DM)
> +       caam = dev_get_priv(caam_dev);
> +#else
> +       caam = &caam_st;
> +#endif
> +       ccsr_sec_t *sec = caam->sec;
>         uint32_t mcfgr = sec_in32(&sec->mcfgr);
>         uint32_t timeout = 100000;
> 
> @@ -446,11 +469,7 @@ static inline int sec_reset_idx(uint8_t sec_idx)
> 
>         return 0;
>  }
> -int sec_reset(void)
> -{
> -       return sec_reset_idx(0);
> -}
> -#ifndef CONFIG_SPL_BUILD
> +
>  static int deinstantiate_rng(u8 sec_idx, int state_handle_mask)
>  {
>         u32 *desc;
> @@ -496,12 +515,11 @@ static int deinstantiate_rng(u8 sec_idx, int
> state_handle_mask)
>         return ret;
>  }
> 
> -static int instantiate_rng(u8 sec_idx, int gen_sk)
> +static int instantiate_rng(uint8_t sec_idx, ccsr_sec_t *sec, int gen_sk)
>  {
>         u32 *desc;
>         u32 rdsta_val;
>         int ret = 0, sh_idx, size;
> -       ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
>         struct rng4tst __iomem *rng =
>                         (struct rng4tst __iomem *)&sec->rng;
> 
> @@ -554,9 +572,8 @@ static int instantiate_rng(u8 sec_idx, int gen_sk)
>         return ret;
>  }
> 
> -static u8 get_rng_vid(uint8_t sec_idx)
> +static u8 get_rng_vid(ccsr_sec_t *sec)
>  {
> -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
>         u8 vid;
> 
>         if (caam_get_era() < 10) {
> @@ -574,9 +591,8 @@ static u8 get_rng_vid(uint8_t sec_idx)
>   * By default, the TRNG runs for 200 clocks per sample;
>   * 1200 clocks per sample generates better entropy.
>   */
> -static void kick_trng(int ent_delay, uint8_t sec_idx)
> +static void kick_trng(int ent_delay, ccsr_sec_t *sec)
>  {
> -       ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
>         struct rng4tst __iomem *rng =
>                         (struct rng4tst __iomem *)&sec->rng;
>         u32 val;
> @@ -603,10 +619,9 @@ static void kick_trng(int ent_delay, uint8_t sec_idx)
>         sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM);
>  }
> 
> -static int rng_init(uint8_t sec_idx)
> +static int rng_init(uint8_t sec_idx, ccsr_sec_t *sec)
>  {
>         int ret, gen_sk, ent_delay = RTSDCTL_ENT_DLY_MIN;
> -       ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
>         struct rng4tst __iomem *rng =
>                         (struct rng4tst __iomem *)&sec->rng;
>         u32 inst_handles;
> @@ -624,7 +639,7 @@ static int rng_init(uint8_t sec_idx)
>                  * the TRNG parameters.
>                  */
>                 if (!inst_handles) {
> -                       kick_trng(ent_delay, sec_idx);
> +                       kick_trng(ent_delay, sec);
>                         ent_delay += 400;
>                 }
>                 /*
> @@ -634,7 +649,7 @@ static int rng_init(uint8_t sec_idx)
>                  * interval, leading to a sucessful initialization of
>                  * the RNG.
>                  */
> -               ret = instantiate_rng(sec_idx, gen_sk);
> +               ret = instantiate_rng(sec_idx, sec, gen_sk);
>         } while ((ret == -1) && (ent_delay < RTSDCTL_ENT_DLY_MAX));
>         if (ret) {
>                 printf("SEC%u:  Failed to instantiate RNG\n", sec_idx);
> @@ -647,12 +662,29 @@ static int rng_init(uint8_t sec_idx)
>         return ret;
>  }
>  #endif
> +
>  int sec_init_idx(uint8_t sec_idx)
>  {
> -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> -       uint32_t mcr = sec_in32(&sec->mcfgr);
>         int ret = 0;
> -
> +       struct caam_regs *caam;
> +#if CONFIG_IS_ENABLED(DM)
> +       if (caam_dev == NULL) {
> +               printf("caam_jr: caam not found\n");
> +               return -1;
> +       }
> +       caam = dev_get_priv(caam_dev);
> +#else
> +       caam_st.sec = (void *)SEC_ADDR(sec_idx);
> +       caam_st.regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> +       caam_st.jrid = 0;
> +       caam = &caam_st;
> +#endif
> +#ifndef CONFIG_ARCH_IMX8
> +       ccsr_sec_t *sec = caam->sec;
> +       uint32_t mcr = sec_in32(&sec->mcfgr);
> +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> +       uint32_t jrdid_ms = 0;
> +#endif
>  #ifdef CONFIG_FSL_CORENET
>         uint32_t liodnr;
>         uint32_t liodn_ns;
> @@ -682,6 +714,11 @@ int sec_init_idx(uint8_t sec_idx)
>         mcr |= (1 << MCFGR_PS_SHIFT);
>  #endif
>         sec_out32(&sec->mcfgr, mcr);
> +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)

This would effectively reserve the JR0 on _all_ i.MX8M derivatives is S World.

Current implementation only has JR0 reserved in S World on imx8mm derivative,
but this new addition extends this to imx8mn, imx8mp and imx8mq.

I'm wondering about several points here:
1. Why does current implementation on have this reservation done on imx8mm and
   where does this happen? None of the code pieces suggests that it is done in
   U-Boot, is it performed in BootROM?
2. What is the intention of having JR0 reserved for all derivatives? Is this
   the part of a bigger change that stretches across different SW components
   (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
   description would be appreciated here.

ATF code already accounts for this reservation in commit:
a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB is using it") [1],
but there is no description on why is this required though.

If this is required for HAB feature, then the question is: should it be kept in
S World when U-Boot starts, or SPL can release it after the binary is verified
and crypto facilities are not in use anymore?

> +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ | JRDID_MS_PRIM_DID;

What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting JRDID_MS_TZ_OWN
would be sufficient here?

> +       sec_out32(&sec->jrliodnr[caam->jrid].ms, jrdid_ms);
> +#endif
> +       jr_reset();
> 
>  #ifdef CONFIG_FSL_CORENET
>  #ifdef CONFIG_SPL_BUILD
> @@ -693,25 +730,26 @@ int sec_init_idx(uint8_t sec_idx)
>         liodn_ns = CONFIG_SPL_JR0_LIODN_NS & JRNSLIODN_MASK;
>         liodn_s = CONFIG_SPL_JR0_LIODN_S & JRSLIODN_MASK;
> 
> -       liodnr = sec_in32(&sec->jrliodnr[0].ls) &
> +       liodnr = sec_in32(&sec->jrliodnr[caam->jrid].ls) &
>                  ~(JRNSLIODN_MASK | JRSLIODN_MASK);
>         liodnr = liodnr |
>                  (liodn_ns << JRNSLIODN_SHIFT) |
>                  (liodn_s << JRSLIODN_SHIFT);
> -       sec_out32(&sec->jrliodnr[0].ls, liodnr);
> +       sec_out32(&sec->jrliodnr[caam->jrid].ls, liodnr);
>  #else
> -       liodnr = sec_in32(&sec->jrliodnr[0].ls);
> +       liodnr = sec_in32(&sec->jrliodnr[caam->jrid].ls);
>         liodn_ns = (liodnr & JRNSLIODN_MASK) >> JRNSLIODN_SHIFT;
>         liodn_s = (liodnr & JRSLIODN_MASK) >> JRSLIODN_SHIFT;
>  #endif
>  #endif
> -
> -       ret = jr_init(sec_idx);
> +#endif
> +       ret = jr_init(sec_idx, caam);
>         if (ret < 0) {
>                 printf("SEC%u:  initialization failed\n", sec_idx);
>                 return -1;
>         }
> 
> +#ifndef CONFIG_ARCH_IMX8
>  #ifdef CONFIG_FSL_CORENET
>         ret = sec_config_pamu_table(liodn_ns, liodn_s);
>         if (ret < 0)
> @@ -719,9 +757,9 @@ int sec_init_idx(uint8_t sec_idx)
> 
>         pamu_enable();
>  #endif
> -#ifndef CONFIG_SPL_BUILD
> -       if (get_rng_vid(sec_idx) >= 4) {
> -               if (rng_init(sec_idx) < 0) {
> +
> +       if (get_rng_vid(caam->sec) >= 4) {
> +               if (rng_init(sec_idx, caam->sec) < 0) {
>                         printf("SEC%u:  RNG instantiation failed\n", sec_idx);
>                         return -1;
>                 }
> @@ -743,3 +781,63 @@ int sec_init(void)
>  {
>         return sec_init_idx(0);
>  }
> +
> +#if CONFIG_IS_ENABLED(DM)
> +static int caam_jr_probe(struct udevice *dev)
> +{
> +       struct caam_regs *caam = dev_get_priv(dev);
> +       fdt_addr_t addr;
> +       ofnode node;
> +       unsigned int jr_node = 0;
> +
> +       caam_dev = dev;
> +
> +       addr = dev_read_addr(dev);
> +       if (addr == FDT_ADDR_T_NONE) {
> +               printf("caam_jr: crypto not found\n");
> +               return -EINVAL;
> +       }
> +       caam->sec = (ccsr_sec_t *)(uintptr_t)addr;
> +       caam->regs = (struct jr_regs *)caam->sec;
> +
> +       /* Check for enabled job ring node */
> +       ofnode_for_each_subnode(node, dev_ofnode(dev)) {
> +               if (!ofnode_is_available(node)) {
> +                       continue;
> +               }
> +               jr_node = ofnode_read_u32_default(node, "reg", -1);
> +               if (jr_node > 0) {
> +                       caam->regs = (struct jr_regs *)((ulong)caam->sec +
> jr_node);
> +                       while (!(jr_node & 0x0F)) {
> +                               jr_node = jr_node >> 4;
> +                       }
> +                       caam->jrid = jr_node - 1;
> +                       break;
> +               }
> +       }
> +
> +       if (sec_init())
> +               printf("\nsec_init failed!\n");
> +
> +       return 0;
> +}
> +
> +static int caam_jr_bind(struct udevice *dev)
> +{
> +       return 0;
> +}
> +
> +static const struct udevice_id caam_jr_match[] = {
> +       { .compatible = "fsl,sec-v4.0" },
> +       { }
> +};
> +
> +U_BOOT_DRIVER(caam_jr) = {
> +       .name           = "caam_jr",
> +       .id             = UCLASS_MISC,
> +       .of_match       = caam_jr_match,
> +       .bind           = caam_jr_bind,
> +       .probe          = caam_jr_probe,
> +       .priv_auto      = sizeof(struct caam_regs),
> +};
> +#endif
> diff --git a/drivers/crypto/fsl/jr.h b/drivers/crypto/fsl/jr.h
> index 1047aa772c..43cb5e0753 100644
> --- a/drivers/crypto/fsl/jr.h
> +++ b/drivers/crypto/fsl/jr.h
> @@ -1,6 +1,7 @@
>  /* SPDX-License-Identifier: GPL-2.0+ */
>  /*
>   * Copyright 2008-2014 Freescale Semiconductor, Inc.
> + * Copyright 2021 NXP
>   *
>   */
> 
> @@ -8,7 +9,9 @@
>  #define __JR_H
> 
>  #include <linux/compiler.h>
> +#include "fsl_sec.h"
>  #include "type.h"
> +#include <misc.h>
> 
>  #define JR_SIZE 4
>  /* Timeout currently defined as 10 sec */
> @@ -35,6 +38,10 @@
>  #define JRSLIODN_SHIFT         0
>  #define JRSLIODN_MASK          0x00000fff
> 
> +#define JRDID_MS_PRIM_DID      1
> +#define JRDID_MS_PRIM_TZ       (1 << 4)
> +#define JRDID_MS_TZ_OWN                (1 << 15)

Maybe use BIT() macro here?

> +
>  #define JQ_DEQ_ERR             -1
>  #define JQ_DEQ_TO_ERR          -2
>  #define JQ_ENQ_ERR             -3
> @@ -102,6 +109,13 @@ struct result {
>         uint32_t status;
>  };
> 
> +struct caam_regs {
> +       ccsr_sec_t *sec;
> +       struct jr_regs *regs;
> +       u8 jrid;
> +       struct jobring jr[CONFIG_SYS_FSL_MAX_NUM_OF_SEC];
> +};
> +
>  void caam_jr_strstatus(u32 status);
>  int run_descriptor_jr(uint32_t *desc);
> 
> --
> 2.17.1

-- andrey

Link: [1]: https://source.codeaurora.org/external/imx/imx-atf/commit/?id=a83a7c65ea4e7b41d5c8fb129bac9caa89053d5e

RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[Gaurav Jain]

Hello Andrey

> -----Original Message-----
> From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> Sent: Tuesday, November 16, 2021 9:24 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka
> Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>;
> Sahil Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta
> <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-uboot-imx
> <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>; Mingkai Hu
> <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>; Meenakshi
> Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> driver model
> 
> Caution: EXT Email
> 
> Hello Gaurav,
> 
> > -----Original Message-----
> > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> > Sent: Monday, November 15, 2021 8:00 AM
> > To: u-boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano
> > Di Ninno <silvano.dininno@nxp.com>; Sahil malhotra
> > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> > Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>;
> > Shengzhou Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu
> > <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>;
> Meenakshi
> > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> Kumar
> > <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian
> > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>;
> > Gaurav Jain <gaurav.jain@nxp.com>
> > Subject: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> > driver model
> >
> >
> > added device tree support for job ring driver.
> > sec is initialized based on job ring information processed from device
> > tree.
> >
> > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > Reviewed-by: Ye Li <ye.li@nxp.com>
> > ---
> >  cmd/Kconfig                 |   1 +
> >  drivers/crypto/fsl/Kconfig  |   7 +
> >  drivers/crypto/fsl/Makefile |   4 +-
> >  drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
> >  drivers/crypto/fsl/jr.h     |  14 ++
> >  5 files changed, 232 insertions(+), 110 deletions(-)
> >
> > diff --git a/cmd/Kconfig b/cmd/Kconfig index 5b30b13e43..2b24672505
> > 100644
> > --- a/cmd/Kconfig
> > +++ b/cmd/Kconfig
> > @@ -2009,6 +2009,7 @@ config CMD_AES
> >
> >  config CMD_BLOB
> >         bool "Enable the 'blob' command"
> > +       select FSL_BLOB
> >         depends on !MX6ULL && !MX6SLL && !MX6SL
> >         select IMX_HAB if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP ||
> ARCH_IMX8M
> >         help
> > diff --git a/drivers/crypto/fsl/Kconfig b/drivers/crypto/fsl/Kconfig
> > index 94ff540111..ab59d516f8 100644
> > --- a/drivers/crypto/fsl/Kconfig
> > +++ b/drivers/crypto/fsl/Kconfig
> > @@ -66,4 +66,11 @@ config FSL_CAAM_RNG
> >           using the prediction resistance flag which means the DRGB is
> >           reseeded from the TRNG every time random data is generated.
> >
> > +config FSL_BLOB
> > +        bool "Enable Blob Encap/Decap, Blob KEK support"
> > +       help
> > +         Enable support for the hardware based crytographic blob encap/decap
> > +         module of the CAAM. blobs can be safely placed into non-volatile
> > +         storage. blobs can only be decapsulated by the SoC that created it.
> > +         Enable support for blob key encryption key generation.
> >  endif
> > diff --git a/drivers/crypto/fsl/Makefile b/drivers/crypto/fsl/Makefile
> > index f9c3ccecfc..738535b8e4 100644
> > --- a/drivers/crypto/fsl/Makefile
> > +++ b/drivers/crypto/fsl/Makefile
> > @@ -1,10 +1,12 @@
> >  # SPDX-License-Identifier: GPL-2.0+
> >  #
> >  # Copyright 2014 Freescale Semiconductor, Inc.
> > +# Copyright 2021 NXP
> >
> >  obj-y += sec.o
> >  obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o
> > -obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o
> > +obj-$(CONFIG_FSL_BLOB) += fsl_blob.o
> > +obj-$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o
> >  obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o
> >  obj-$(CONFIG_FSL_CAAM_RNG) += rng.o
> >  obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o diff --git
> > a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c index
> > 22b649219e..eea2225a1e 100644
> > --- a/drivers/crypto/fsl/jr.c
> > +++ b/drivers/crypto/fsl/jr.c
> > @@ -1,7 +1,7 @@
> >  // SPDX-License-Identifier: GPL-2.0+
> >  /*
> >   * Copyright 2008-2014 Freescale Semiconductor, Inc.
> > - * Copyright 2018 NXP
> > + * Copyright 2018, 2021 NXP
> >   *
> >   * Based on CAAM driver in drivers/crypto/caam in Linux
> >   */
> > @@ -11,7 +11,6 @@
> >  #include <linux/kernel.h>
> >  #include <log.h>
> >  #include <malloc.h>
> > -#include "fsl_sec.h"
> >  #include "jr.h"
> >  #include "jobdesc.h"
> >  #include "desc_constr.h"
> > @@ -21,8 +20,11 @@
> >  #include <asm/cache.h>
> >  #include <asm/fsl_pamu.h>
> >  #endif
> > +#include <dm.h>
> >  #include <dm/lists.h>
> >  #include <linux/delay.h>
> > +#include <dm/root.h>
> > +#include <dm/device-internal.h>
> >
> >  #define CIRC_CNT(head, tail, size)     (((head) - (tail)) & (size - 1))
> >  #define CIRC_SPACE(head, tail, size)   CIRC_CNT((tail), (head) + 1, (size))
> > @@ -35,20 +37,30 @@ uint32_t
> sec_offset[CONFIG_SYS_FSL_MAX_NUM_OF_SEC]
> > = {  #endif  };
> >
> > +#if CONFIG_IS_ENABLED(DM)
> > +struct udevice *caam_dev;
> > +#else
> >  #define SEC_ADDR(idx)  \
> >         (ulong)((CONFIG_SYS_FSL_SEC_ADDR + sec_offset[idx]))
> >
> >  #define SEC_JR0_ADDR(idx)      \
> >         (ulong)(SEC_ADDR(idx) + \
> >          (CONFIG_SYS_FSL_JR0_OFFSET - CONFIG_SYS_FSL_SEC_OFFSET))
> > +struct caam_regs caam_st;
> > +#endif
> >
> > -struct jobring jr0[CONFIG_SYS_FSL_MAX_NUM_OF_SEC];
> > +static inline u32 jr_start_reg(u8 jrid) {
> > +       return (1 << jrid);
> > +}
> >
> > -static inline void start_jr0(uint8_t sec_idx)
> > +#ifndef CONFIG_ARCH_IMX8
> > +static inline void start_jr(struct caam_regs *caam)
> >  {
> > -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> > +       ccsr_sec_t *sec = caam->sec;
> >         u32 ctpr_ms = sec_in32(&sec->ctpr_ms);
> >         u32 scfgr = sec_in32(&sec->scfgr);
> > +       u32 jrstart = jr_start_reg(caam->jrid);
> >
> >         if (ctpr_ms & SEC_CTPR_MS_VIRT_EN_INCL) {
> >                 /* VIRT_EN_INCL = 1 & VIRT_EN_POR = 1 or @@ -56,23
> > +68,17 @@ static inline void start_jr0(uint8_t sec_idx)
> >                  */
> >                 if ((ctpr_ms & SEC_CTPR_MS_VIRT_EN_POR) ||
> >                     (scfgr & SEC_SCFGR_VIRT_EN))
> > -                       sec_out32(&sec->jrstartr, CONFIG_JRSTARTR_JR0);
> > +                       sec_out32(&sec->jrstartr, jrstart);
> >         } else {
> >                 /* VIRT_EN_INCL = 0 && VIRT_EN_POR_VALUE = 1 */
> >                 if (ctpr_ms & SEC_CTPR_MS_VIRT_EN_POR)
> > -                       sec_out32(&sec->jrstartr, CONFIG_JRSTARTR_JR0);
> > +                       sec_out32(&sec->jrstartr, jrstart);
> >         }
> >  }
> > +#endif
> >
> > -static inline void jr_reset_liodn(uint8_t sec_idx) -{
> > -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> > -       sec_out32(&sec->jrliodnr[0].ls, 0);
> > -}
> > -
> > -static inline void jr_disable_irq(uint8_t sec_idx)
> > +static inline void jr_disable_irq(struct jr_regs *regs)
> >  {
> > -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> >         uint32_t jrcfg = sec_in32(&regs->jrcfg1);
> >
> >         jrcfg = jrcfg | JR_INTMASK;
> > @@ -80,10 +86,10 @@ static inline void jr_disable_irq(uint8_t sec_idx)
> >         sec_out32(&regs->jrcfg1, jrcfg);  }
> >
> > -static void jr_initregs(uint8_t sec_idx)
> > +static void jr_initregs(uint8_t sec_idx, struct caam_regs *caam)
> >  {
> > -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> > -       struct jobring *jr = &jr0[sec_idx];
> > +       struct jr_regs *regs = caam->regs;
> > +       struct jobring *jr = &caam->jr[sec_idx];
> >         caam_dma_addr_t ip_base = virt_to_phys((void *)jr->input_ring);
> >         caam_dma_addr_t op_base = virt_to_phys((void
> > *)jr->output_ring);
> >
> > @@ -103,16 +109,16 @@ static void jr_initregs(uint8_t sec_idx)
> >         sec_out32(&regs->irs, JR_SIZE);
> >
> >         if (!jr->irq)
> > -               jr_disable_irq(sec_idx);
> > +               jr_disable_irq(regs);
> >  }
> >
> > -static int jr_init(uint8_t sec_idx)
> > +static int jr_init(uint8_t sec_idx, struct caam_regs *caam)
> >  {
> > -       struct jobring *jr = &jr0[sec_idx];
> > +       struct jobring *jr = &caam->jr[sec_idx];
> >
> >         memset(jr, 0, sizeof(struct jobring));
> >
> > -       jr->jq_id = DEFAULT_JR_ID;
> > +       jr->jq_id = caam->jrid;
> >         jr->irq = DEFAULT_IRQ;
> >
> >  #ifdef CONFIG_FSL_CORENET
> > @@ -134,53 +140,10 @@ static int jr_init(uint8_t sec_idx)
> >         memset(jr->input_ring, 0, JR_SIZE * sizeof(caam_dma_addr_t));
> >         memset(jr->output_ring, 0, jr->op_size);
> >
> > -       start_jr0(sec_idx);
> > -
> > -       jr_initregs(sec_idx);
> > -
> > -       return 0;
> > -}
> > -
> > -static int jr_sw_cleanup(uint8_t sec_idx) -{
> > -       struct jobring *jr = &jr0[sec_idx];
> > -
> > -       jr->head = 0;
> > -       jr->tail = 0;
> > -       jr->read_idx = 0;
> > -       jr->write_idx = 0;
> > -       memset(jr->info, 0, sizeof(jr->info));
> > -       memset(jr->input_ring, 0, jr->size * sizeof(caam_dma_addr_t));
> > -       memset(jr->output_ring, 0, jr->size * sizeof(struct op_ring));
> > -
> > -       return 0;
> > -}
> > -
> > -static int jr_hw_reset(uint8_t sec_idx) -{
> > -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> > -       uint32_t timeout = 100000;
> > -       uint32_t jrint, jrcr;
> > -
> > -       sec_out32(&regs->jrcr, JRCR_RESET);
> > -       do {
> > -               jrint = sec_in32(&regs->jrint);
> > -       } while (((jrint & JRINT_ERR_HALT_MASK) ==
> > -                 JRINT_ERR_HALT_INPROGRESS) && --timeout);
> > -
> > -       jrint = sec_in32(&regs->jrint);
> > -       if (((jrint & JRINT_ERR_HALT_MASK) !=
> > -            JRINT_ERR_HALT_INPROGRESS) && timeout == 0)
> > -               return -1;
> > -
> > -       timeout = 100000;
> > -       sec_out32(&regs->jrcr, JRCR_RESET);
> > -       do {
> > -               jrcr = sec_in32(&regs->jrcr);
> > -       } while ((jrcr & JRCR_RESET) && --timeout);
> > -
> > -       if (timeout == 0)
> > -               return -1;
> > +#ifndef CONFIG_ARCH_IMX8
> > +       start_jr(caam);
> > +#endif
> > +       jr_initregs(sec_idx, caam);
> >
> >         return 0;
> >  }
> > @@ -188,10 +151,10 @@ static int jr_hw_reset(uint8_t sec_idx)
> >  /* -1 --- error, can't enqueue -- no space available */  static int
> > jr_enqueue(uint32_t *desc_addr,
> >                void (*callback)(uint32_t status, void *arg),
> > -              void *arg, uint8_t sec_idx)
> > +              void *arg, uint8_t sec_idx, struct caam_regs *caam)
> >  {
> > -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> > -       struct jobring *jr = &jr0[sec_idx];
> > +       struct jr_regs *regs = caam->regs;
> > +       struct jobring *jr = &caam->jr[sec_idx];
> >         int head = jr->head;
> >         uint32_t desc_word;
> >         int length = desc_len(desc_addr); @@ -263,10 +226,10 @@ static
> > int jr_enqueue(uint32_t *desc_addr,
> >         return 0;
> >  }
> >
> > -static int jr_dequeue(int sec_idx)
> > +static int jr_dequeue(int sec_idx, struct caam_regs *caam)
> >  {
> > -       struct jr_regs *regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> > -       struct jobring *jr = &jr0[sec_idx];
> > +       struct jr_regs *regs = caam->regs;
> > +       struct jobring *jr = &caam->jr[sec_idx];
> >         int head = jr->head;
> >         int tail = jr->tail;
> >         int idx, i, found;
> > @@ -349,14 +312,18 @@ static void desc_done(uint32_t status, void
> > *arg)  {
> >         struct result *x = arg;
> >         x->status = status;
> > -#ifndef CONFIG_SPL_BUILD
> >         caam_jr_strstatus(status);
> > -#endif
> >         x->done = 1;
> >  }
> >
> >  static inline int run_descriptor_jr_idx(uint32_t *desc, uint8_t
> > sec_idx)  {
> > +       struct caam_regs *caam;
> > +#if CONFIG_IS_ENABLED(DM)
> > +       caam = dev_get_priv(caam_dev); #else
> > +       caam = &caam_st;
> > +#endif
> >         unsigned long long timeval = 0;
> >         unsigned long long timeout = CONFIG_USEC_DEQ_TIMEOUT;
> >         struct result op;
> > @@ -364,7 +331,7 @@ static inline int run_descriptor_jr_idx(uint32_t
> > *desc, uint8_t sec_idx)
> >
> >         memset(&op, 0, sizeof(op));
> >
> > -       ret = jr_enqueue(desc, desc_done, &op, sec_idx);
> > +       ret = jr_enqueue(desc, desc_done, &op, sec_idx, caam);
> >         if (ret) {
> >                 debug("Error in SEC enq\n");
> >                 ret = JQ_ENQ_ERR;
> > @@ -375,7 +342,7 @@ static inline int run_descriptor_jr_idx(uint32_t
> > *desc, uint8_t sec_idx)
> >                 udelay(1);
> >                 timeval += 1;
> >
> > -               ret = jr_dequeue(sec_idx);
> > +               ret = jr_dequeue(sec_idx, caam);
> >                 if (ret) {
> >                         debug("Error in SEC deq\n");
> >                         ret = JQ_DEQ_ERR; @@ -402,13 +369,63 @@ int
> > run_descriptor_jr(uint32_t *desc)
> >         return run_descriptor_jr_idx(desc, 0);  }
> >
> > +#ifndef CONFIG_ARCH_IMX8
> > +static int jr_sw_cleanup(uint8_t sec_idx, struct caam_regs *caam) {
> > +       struct jobring *jr = &caam->jr[sec_idx];
> > +
> > +       jr->head = 0;
> > +       jr->tail = 0;
> > +       jr->read_idx = 0;
> > +       jr->write_idx = 0;
> > +       memset(jr->info, 0, sizeof(jr->info));
> > +       memset(jr->input_ring, 0, jr->size * sizeof(caam_dma_addr_t));
> > +       memset(jr->output_ring, 0, jr->size * sizeof(struct op_ring));
> > +
> > +       return 0;
> > +}
> > +
> > +static int jr_hw_reset(struct jr_regs *regs) {
> > +       uint32_t timeout = 100000;
> > +       uint32_t jrint, jrcr;
> > +
> > +       sec_out32(&regs->jrcr, JRCR_RESET);
> > +       do {
> > +               jrint = sec_in32(&regs->jrint);
> > +       } while (((jrint & JRINT_ERR_HALT_MASK) ==
> > +                 JRINT_ERR_HALT_INPROGRESS) && --timeout);
> > +
> > +       jrint = sec_in32(&regs->jrint);
> > +       if (((jrint & JRINT_ERR_HALT_MASK) !=
> > +            JRINT_ERR_HALT_INPROGRESS) && timeout == 0)
> > +               return -1;
> > +
> > +       timeout = 100000;
> > +       sec_out32(&regs->jrcr, JRCR_RESET);
> > +       do {
> > +               jrcr = sec_in32(&regs->jrcr);
> > +       } while ((jrcr & JRCR_RESET) && --timeout);
> > +
> > +       if (timeout == 0)
> > +               return -1;
> > +
> > +       return 0;
> > +}
> > +
> >  static inline int jr_reset_sec(uint8_t sec_idx)  {
> > -       if (jr_hw_reset(sec_idx) < 0)
> > +       struct caam_regs *caam;
> > +#if CONFIG_IS_ENABLED(DM)
> > +       caam = dev_get_priv(caam_dev); #else
> > +       caam = &caam_st;
> > +#endif
> > +       if (jr_hw_reset(caam->regs) < 0)
> >                 return -1;
> >
> >         /* Clean up the jobring structure maintained by software */
> > -       jr_sw_cleanup(sec_idx);
> > +       jr_sw_cleanup(sec_idx, caam);
> >
> >         return 0;
> >  }
> > @@ -418,9 +435,15 @@ int jr_reset(void)
> >         return jr_reset_sec(0);
> >  }
> >
> > -static inline int sec_reset_idx(uint8_t sec_idx)
> > +int sec_reset(void)
> >  {
> > -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> > +       struct caam_regs *caam;
> > +#if CONFIG_IS_ENABLED(DM)
> > +       caam = dev_get_priv(caam_dev); #else
> > +       caam = &caam_st;
> > +#endif
> > +       ccsr_sec_t *sec = caam->sec;
> >         uint32_t mcfgr = sec_in32(&sec->mcfgr);
> >         uint32_t timeout = 100000;
> >
> > @@ -446,11 +469,7 @@ static inline int sec_reset_idx(uint8_t sec_idx)
> >
> >         return 0;
> >  }
> > -int sec_reset(void)
> > -{
> > -       return sec_reset_idx(0);
> > -}
> > -#ifndef CONFIG_SPL_BUILD
> > +
> >  static int deinstantiate_rng(u8 sec_idx, int state_handle_mask)  {
> >         u32 *desc;
> > @@ -496,12 +515,11 @@ static int deinstantiate_rng(u8 sec_idx, int
> > state_handle_mask)
> >         return ret;
> >  }
> >
> > -static int instantiate_rng(u8 sec_idx, int gen_sk)
> > +static int instantiate_rng(uint8_t sec_idx, ccsr_sec_t *sec, int
> > +gen_sk)
> >  {
> >         u32 *desc;
> >         u32 rdsta_val;
> >         int ret = 0, sh_idx, size;
> > -       ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
> >         struct rng4tst __iomem *rng =
> >                         (struct rng4tst __iomem *)&sec->rng;
> >
> > @@ -554,9 +572,8 @@ static int instantiate_rng(u8 sec_idx, int gen_sk)
> >         return ret;
> >  }
> >
> > -static u8 get_rng_vid(uint8_t sec_idx)
> > +static u8 get_rng_vid(ccsr_sec_t *sec)
> >  {
> > -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> >         u8 vid;
> >
> >         if (caam_get_era() < 10) {
> > @@ -574,9 +591,8 @@ static u8 get_rng_vid(uint8_t sec_idx)
> >   * By default, the TRNG runs for 200 clocks per sample;
> >   * 1200 clocks per sample generates better entropy.
> >   */
> > -static void kick_trng(int ent_delay, uint8_t sec_idx)
> > +static void kick_trng(int ent_delay, ccsr_sec_t *sec)
> >  {
> > -       ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
> >         struct rng4tst __iomem *rng =
> >                         (struct rng4tst __iomem *)&sec->rng;
> >         u32 val;
> > @@ -603,10 +619,9 @@ static void kick_trng(int ent_delay, uint8_t sec_idx)
> >         sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM);  }
> >
> > -static int rng_init(uint8_t sec_idx)
> > +static int rng_init(uint8_t sec_idx, ccsr_sec_t *sec)
> >  {
> >         int ret, gen_sk, ent_delay = RTSDCTL_ENT_DLY_MIN;
> > -       ccsr_sec_t __iomem *sec = (ccsr_sec_t __iomem *)SEC_ADDR(sec_idx);
> >         struct rng4tst __iomem *rng =
> >                         (struct rng4tst __iomem *)&sec->rng;
> >         u32 inst_handles;
> > @@ -624,7 +639,7 @@ static int rng_init(uint8_t sec_idx)
> >                  * the TRNG parameters.
> >                  */
> >                 if (!inst_handles) {
> > -                       kick_trng(ent_delay, sec_idx);
> > +                       kick_trng(ent_delay, sec);
> >                         ent_delay += 400;
> >                 }
> >                 /*
> > @@ -634,7 +649,7 @@ static int rng_init(uint8_t sec_idx)
> >                  * interval, leading to a sucessful initialization of
> >                  * the RNG.
> >                  */
> > -               ret = instantiate_rng(sec_idx, gen_sk);
> > +               ret = instantiate_rng(sec_idx, sec, gen_sk);
> >         } while ((ret == -1) && (ent_delay < RTSDCTL_ENT_DLY_MAX));
> >         if (ret) {
> >                 printf("SEC%u:  Failed to instantiate RNG\n",
> > sec_idx); @@ -647,12 +662,29 @@ static int rng_init(uint8_t sec_idx)
> >         return ret;
> >  }
> >  #endif
> > +
> >  int sec_init_idx(uint8_t sec_idx)
> >  {
> > -       ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
> > -       uint32_t mcr = sec_in32(&sec->mcfgr);
> >         int ret = 0;
> > -
> > +       struct caam_regs *caam;
> > +#if CONFIG_IS_ENABLED(DM)
> > +       if (caam_dev == NULL) {
> > +               printf("caam_jr: caam not found\n");
> > +               return -1;
> > +       }
> > +       caam = dev_get_priv(caam_dev); #else
> > +       caam_st.sec = (void *)SEC_ADDR(sec_idx);
> > +       caam_st.regs = (struct jr_regs *)SEC_JR0_ADDR(sec_idx);
> > +       caam_st.jrid = 0;
> > +       caam = &caam_st;
> > +#endif
> > +#ifndef CONFIG_ARCH_IMX8
> > +       ccsr_sec_t *sec = caam->sec;
> > +       uint32_t mcr = sec_in32(&sec->mcfgr); #if
> > +defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> > +       uint32_t jrdid_ms = 0;
> > +#endif
> >  #ifdef CONFIG_FSL_CORENET
> >         uint32_t liodnr;
> >         uint32_t liodn_ns;
> > @@ -682,6 +714,11 @@ int sec_init_idx(uint8_t sec_idx)
> >         mcr |= (1 << MCFGR_PS_SHIFT);
> >  #endif
> >         sec_out32(&sec->mcfgr, mcr);
> > +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> 
> This would effectively reserve the JR0 on _all_ i.MX8M derivatives is S World.
This code is to set any JR DID in SPL so that the job ring can be configured. 

> 
> Current implementation only has JR0 reserved in S World on imx8mm derivative,
> but this new addition extends this to imx8mn, imx8mp and imx8mq.
Current implementation do not initialize CAAM for i.MX8M derivatives. It is not based on driver model approach and only using JR0.
With New implementation CAAM is enabled for i.MX8M derivative. Any JR whose DID is written in ATF, can be used in Uboot.
JR0 is reserved for HAB so JR1 will be used for all i.MX8M derivatives.

> 
> I'm wondering about several points here:
> 1. Why does current implementation on have this reservation done on imx8mm
> and
>    where does this happen? None of the code pieces suggests that it is done in
>    U-Boot, is it performed in BootROM?

I cannot see if current implementation(SPL/Uboot) has reservation done for imx8mm.
In ATF, we are reserving the JR0.

> 2. What is the intention of having JR0 reserved for all derivatives? Is this
>    the part of a bigger change that stretches across different SW components
>    (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
>    description would be appreciated here.
> 
> ATF code already accounts for this reservation in commit:
> a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB is using it")
> [1], but there is no description on why is this required though.
> 
> If this is required for HAB feature, then the question is: should it be kept in S
> World when U-Boot starts, or SPL can release it after the binary is verified and
> crypto facilities are not in use anymore?

Commit: a83a7c65e reserves JR0 for HAB and not released to NS but JR1, JR2 are released to NS.
HAB uses JR0 for secure boot on all i.MX8M derivatives. Uboot calls HAB API for authenticating kernel.

> 
> > +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ |
> > + JRDID_MS_PRIM_DID;
> 
> What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting
> JRDID_MS_TZ_OWN would be sufficient here?

PRIM_TZ bit is set to 1 to indicate that only SecureWorld can
access registers in that Job Ring's register page

> 
> > +       sec_out32(&sec->jrliodnr[caam->jrid].ms, jrdid_ms); #endif
> > +       jr_reset();
> >
> >  #ifdef CONFIG_FSL_CORENET
> >  #ifdef CONFIG_SPL_BUILD
> > @@ -693,25 +730,26 @@ int sec_init_idx(uint8_t sec_idx)
> >         liodn_ns = CONFIG_SPL_JR0_LIODN_NS & JRNSLIODN_MASK;
> >         liodn_s = CONFIG_SPL_JR0_LIODN_S & JRSLIODN_MASK;
> >
> > -       liodnr = sec_in32(&sec->jrliodnr[0].ls) &
> > +       liodnr = sec_in32(&sec->jrliodnr[caam->jrid].ls) &
> >                  ~(JRNSLIODN_MASK | JRSLIODN_MASK);
> >         liodnr = liodnr |
> >                  (liodn_ns << JRNSLIODN_SHIFT) |
> >                  (liodn_s << JRSLIODN_SHIFT);
> > -       sec_out32(&sec->jrliodnr[0].ls, liodnr);
> > +       sec_out32(&sec->jrliodnr[caam->jrid].ls, liodnr);
> >  #else
> > -       liodnr = sec_in32(&sec->jrliodnr[0].ls);
> > +       liodnr = sec_in32(&sec->jrliodnr[caam->jrid].ls);
> >         liodn_ns = (liodnr & JRNSLIODN_MASK) >> JRNSLIODN_SHIFT;
> >         liodn_s = (liodnr & JRSLIODN_MASK) >> JRSLIODN_SHIFT;  #endif
> > #endif
> > -
> > -       ret = jr_init(sec_idx);
> > +#endif
> > +       ret = jr_init(sec_idx, caam);
> >         if (ret < 0) {
> >                 printf("SEC%u:  initialization failed\n", sec_idx);
> >                 return -1;
> >         }
> >
> > +#ifndef CONFIG_ARCH_IMX8
> >  #ifdef CONFIG_FSL_CORENET
> >         ret = sec_config_pamu_table(liodn_ns, liodn_s);
> >         if (ret < 0)
> > @@ -719,9 +757,9 @@ int sec_init_idx(uint8_t sec_idx)
> >
> >         pamu_enable();
> >  #endif
> > -#ifndef CONFIG_SPL_BUILD
> > -       if (get_rng_vid(sec_idx) >= 4) {
> > -               if (rng_init(sec_idx) < 0) {
> > +
> > +       if (get_rng_vid(caam->sec) >= 4) {
> > +               if (rng_init(sec_idx, caam->sec) < 0) {
> >                         printf("SEC%u:  RNG instantiation failed\n", sec_idx);
> >                         return -1;
> >                 }
> > @@ -743,3 +781,63 @@ int sec_init(void)  {
> >         return sec_init_idx(0);
> >  }
> > +
> > +#if CONFIG_IS_ENABLED(DM)
> > +static int caam_jr_probe(struct udevice *dev) {
> > +       struct caam_regs *caam = dev_get_priv(dev);
> > +       fdt_addr_t addr;
> > +       ofnode node;
> > +       unsigned int jr_node = 0;
> > +
> > +       caam_dev = dev;
> > +
> > +       addr = dev_read_addr(dev);
> > +       if (addr == FDT_ADDR_T_NONE) {
> > +               printf("caam_jr: crypto not found\n");
> > +               return -EINVAL;
> > +       }
> > +       caam->sec = (ccsr_sec_t *)(uintptr_t)addr;
> > +       caam->regs = (struct jr_regs *)caam->sec;
> > +
> > +       /* Check for enabled job ring node */
> > +       ofnode_for_each_subnode(node, dev_ofnode(dev)) {
> > +               if (!ofnode_is_available(node)) {
> > +                       continue;
> > +               }
> > +               jr_node = ofnode_read_u32_default(node, "reg", -1);
> > +               if (jr_node > 0) {
> > +                       caam->regs = (struct jr_regs
> > + *)((ulong)caam->sec +
> > jr_node);
> > +                       while (!(jr_node & 0x0F)) {
> > +                               jr_node = jr_node >> 4;
> > +                       }
> > +                       caam->jrid = jr_node - 1;
> > +                       break;
> > +               }
> > +       }
> > +
> > +       if (sec_init())
> > +               printf("\nsec_init failed!\n");
> > +
> > +       return 0;
> > +}
> > +
> > +static int caam_jr_bind(struct udevice *dev) {
> > +       return 0;
> > +}
> > +
> > +static const struct udevice_id caam_jr_match[] = {
> > +       { .compatible = "fsl,sec-v4.0" },
> > +       { }
> > +};
> > +
> > +U_BOOT_DRIVER(caam_jr) = {
> > +       .name           = "caam_jr",
> > +       .id             = UCLASS_MISC,
> > +       .of_match       = caam_jr_match,
> > +       .bind           = caam_jr_bind,
> > +       .probe          = caam_jr_probe,
> > +       .priv_auto      = sizeof(struct caam_regs),
> > +};
> > +#endif
> > diff --git a/drivers/crypto/fsl/jr.h b/drivers/crypto/fsl/jr.h index
> > 1047aa772c..43cb5e0753 100644
> > --- a/drivers/crypto/fsl/jr.h
> > +++ b/drivers/crypto/fsl/jr.h
> > @@ -1,6 +1,7 @@
> >  /* SPDX-License-Identifier: GPL-2.0+ */
> >  /*
> >   * Copyright 2008-2014 Freescale Semiconductor, Inc.
> > + * Copyright 2021 NXP
> >   *
> >   */
> >
> > @@ -8,7 +9,9 @@
> >  #define __JR_H
> >
> >  #include <linux/compiler.h>
> > +#include "fsl_sec.h"
> >  #include "type.h"
> > +#include <misc.h>
> >
> >  #define JR_SIZE 4
> >  /* Timeout currently defined as 10 sec */ @@ -35,6 +38,10 @@
> >  #define JRSLIODN_SHIFT         0
> >  #define JRSLIODN_MASK          0x00000fff
> >
> > +#define JRDID_MS_PRIM_DID      1
> > +#define JRDID_MS_PRIM_TZ       (1 << 4)
> > +#define JRDID_MS_TZ_OWN                (1 << 15)
> 
> Maybe use BIT() macro here?
Will do the change in next version of this patch series.

Regards
Gaurav Jain
> 
> > +
> >  #define JQ_DEQ_ERR             -1
> >  #define JQ_DEQ_TO_ERR          -2
> >  #define JQ_ENQ_ERR             -3
> > @@ -102,6 +109,13 @@ struct result {
> >         uint32_t status;
> >  };
> >
> > +struct caam_regs {
> > +       ccsr_sec_t *sec;
> > +       struct jr_regs *regs;
> > +       u8 jrid;
> > +       struct jobring jr[CONFIG_SYS_FSL_MAX_NUM_OF_SEC];
> > +};
> > +
> >  void caam_jr_strstatus(u32 status);
> >  int run_descriptor_jr(uint32_t *desc);
> >
> > --
> > 2.17.1
> 
> -- andrey
> 
> Link: [1]:
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsource.c
> odeaurora.org%2Fexternal%2Fimx%2Fimx-
> atf%2Fcommit%2F%3Fid%3Da83a7c65ea4e7b41d5c8fb129bac9caa89053d5e&a
> mp;data=04%7C01%7Cgaurav.jain%40nxp.com%7C1b6edcabe31e4b9cae3d08d
> 9a9195296%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637726748
> 521538374%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV
> 2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=ANasYQwEH
> %2BEFyBbbWn8dBk2HcvwYdFr3QHXUAu74SIg%3D&amp;reserved=0

RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[ZHIZHIKIN Andrey]

Hello Gaurav,

> -----Original Message-----
> From: Gaurav Jain <gaurav.jain@nxp.com>
> Sent: Wednesday, November 17, 2021 12:26 PM
> To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka Jain
> <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> driver model
> 
> 
> Hello Andrey
> 
> > -----Original Message-----
> > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > Sent: Tuesday, November 16, 2021 9:24 PM
> > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> > Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka
> > Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>;
> > Sahil Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta
> > <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-uboot-imx
> > <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>; Mingkai Hu
> > <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>; Meenakshi
> > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> > Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> > Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > Subject: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> > driver model
> >
> > Caution: EXT Email
> >
> > Hello Gaurav,
> >
> > > -----Original Message-----
> > > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> > > Sent: Monday, November 15, 2021 8:00 AM
> > > To: u-boot@lists.denx.de
> > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano
> > > Di Ninno <silvano.dininno@nxp.com>; Sahil malhotra
> > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> > > Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>;
> > > Shengzhou Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu
> > > <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>;
> > Meenakshi
> > > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> > Kumar
> > > <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian
> > > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>;
> > > Gaurav Jain <gaurav.jain@nxp.com>
> > > Subject: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> > > driver model
> > >
> > >
> > > added device tree support for job ring driver.
> > > sec is initialized based on job ring information processed from device
> > > tree.
> > >
> > > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > > Reviewed-by: Ye Li <ye.li@nxp.com>
> > > ---
> > >  cmd/Kconfig                 |   1 +
> > >  drivers/crypto/fsl/Kconfig  |   7 +
> > >  drivers/crypto/fsl/Makefile |   4 +-
> > >  drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
> > >  drivers/crypto/fsl/jr.h     |  14 ++
> > >  5 files changed, 232 insertions(+), 110 deletions(-)
> > >

[snip]

> > >         sec_out32(&sec->mcfgr, mcr);
> > > +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> >
> > This would effectively reserve the JR0 on _all_ i.MX8M derivatives is S World.
> This code is to set any JR DID in SPL so that the job ring can be configured.
> 
> >
> > Current implementation only has JR0 reserved in S World on imx8mm derivative,
> > but this new addition extends this to imx8mn, imx8mp and imx8mq.
> Current implementation do not initialize CAAM for i.MX8M derivatives. It is not
> based on driver model approach and only using JR0.

OK, but then I do not have on explanation on why do I see following results from
reading JRaDID_MS registers on imx8m derivatives:
- imx8mm:
	JR0DID_MS = 0x8011
	JR1DID_MS = 0x0
	JR2DID_MS = 0x0
- imx8mn:
	JR0DID_MS = 0x0
	JR1DID_MS = 0x0
	JR2DID_MS = 0x0
- imx8mp:
	JR0DID_MS = 0x0
	JR1DID_MS = 0x0
	JR2DID_MS = 0x0

This readout is taken at Kernel boot, and it clearly shows that only JR0 has
TZ_OWN, PRIM_TZ and PRIM_DID bits set, and it is only done on imx8mm.

> With New implementation CAAM is enabled for i.MX8M derivative. Any JR whose DID
> is written in ATF, can be used in Uboot.
> JR0 is reserved for HAB so JR1 will be used for all i.MX8M derivatives.
> 
> >
> > I'm wondering about several points here:
> > 1. Why does current implementation on have this reservation done on imx8mm
> > and
> >    where does this happen? None of the code pieces suggests that it is done in
> >    U-Boot, is it performed in BootROM?
> 
> I cannot see if current implementation(SPL/Uboot) has reservation done for
> imx8mm.
> In ATF, we are reserving the JR0.

I was not able to identify which part of ATF code is responsible to program
JR0DID_MS on imx8mm, the only thing I saw was the part where the JR0 is held
in S World *if* the JR0DID_MS is set to 0x8011. Can you point out where is this
performed in ATF code?

If it is not in the ATF, then my question above still stands: which component
(HW or SW) programs JR0DID_MS, and why is it only done on imx8mm derivative?

> 
> > 2. What is the intention of having JR0 reserved for all derivatives? Is this
> >    the part of a bigger change that stretches across different SW components
> >    (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
> >    description would be appreciated here.
> >
> > ATF code already accounts for this reservation in commit:
> > a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB is using it")
> > [1], but there is no description on why is this required though.
> >
> > If this is required for HAB feature, then the question is: should it be kept in
> S
> > World when U-Boot starts, or SPL can release it after the binary is verified
> and
> > crypto facilities are not in use anymore?
> 
> Commit: a83a7c65e reserves JR0 for HAB and not released to NS but JR1, JR2 are
> released to NS.

Then I believe this change should be in-sync with ATF implementation, because of
the fact that your change can have any arbitrary JR to be held in S World.

What would happen if for example JR1 is programmed with TZ_OWN, but ATF releases
it to NS world? Can it be used by Kernel afterwards? Or should the node be
disabled here so that Kernel does not even see JR1 during boot?

So far, ATF only examines the JR0DID_MS content, and not all the others...

> HAB uses JR0 for secure boot on all i.MX8M derivatives. Uboot calls HAB API for
> authenticating kernel.

This implies then that the JR0 is permanently held in S World and stays there for
entire device powercycle and cannot be reclaimed in NS World? In this case, the
DT node should be completely removed from DTB file so no SW entity can even see
it (as it is in a total possession of HW mechanisms). 

> 
> >
> > > +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ |
> > > + JRDID_MS_PRIM_DID;
> >
> > What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting
> > JRDID_MS_TZ_OWN would be sufficient here?
> 
> PRIM_TZ bit is set to 1 to indicate that only SecureWorld can
> access registers in that Job Ring's register page

But would it not be enough just to set TZ_OWN? If I read SRM correct: only
TZ_OWN is enough to hold the JR in S World.

> 

[snip]

> >

-- andrey

RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[ZHIZHIKIN Andrey]

Hello Gaurav,

> -----Original Message-----
> From: ZHIZHIKIN Andrey
> Sent: Wednesday, November 17, 2021 2:03 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka Jain
> <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> driver model
> 
> Hello Gaurav,
> 
> > -----Original Message-----
> > From: Gaurav Jain <gaurav.jain@nxp.com>
> > Sent: Wednesday, November 17, 2021 12:26 PM
> > To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> > boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng
> Fan
> > <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka Jain
> > <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> > Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> > <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> > <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> > Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> > <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> > <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> ring
> > driver model
> >
> >
> > Hello Andrey
> >
> > > -----Original Message-----
> > > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > > Sent: Tuesday, November 16, 2021 9:24 PM
> > > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> > > Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka
> > > Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > > <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>;
> > > Sahil Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta
> > > <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-uboot-imx
> > > <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>; Mingkai Hu
> > > <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>; Meenakshi
> > > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> > > Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> > > Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > > Subject: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> > > driver model
> > >
> > > Caution: EXT Email
> > >
> > > Hello Gaurav,
> > >
> > > > -----Original Message-----
> > > > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> > > > Sent: Monday, November 15, 2021 8:00 AM
> > > > To: u-boot@lists.denx.de
> > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano
> > > > Di Ninno <silvano.dininno@nxp.com>; Sahil malhotra
> > > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> > > > Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>;
> > > > Shengzhou Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu
> > > > <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>;
> > > Meenakshi
> > > > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > > > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> > > Kumar
> > > > <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian
> > > > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>;
> > > > Gaurav Jain <gaurav.jain@nxp.com>
> > > > Subject: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> > > > driver model
> > > >
> > > >
> > > > added device tree support for job ring driver.
> > > > sec is initialized based on job ring information processed from device
> > > > tree.
> > > >
> > > > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > > > Reviewed-by: Ye Li <ye.li@nxp.com>
> > > > ---
> > > >  cmd/Kconfig                 |   1 +
> > > >  drivers/crypto/fsl/Kconfig  |   7 +
> > > >  drivers/crypto/fsl/Makefile |   4 +-
> > > >  drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
> > > >  drivers/crypto/fsl/jr.h     |  14 ++
> > > >  5 files changed, 232 insertions(+), 110 deletions(-)
> > > >
> 
> [snip]
> 
> > > >         sec_out32(&sec->mcfgr, mcr);
> > > > +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> > >
> > > This would effectively reserve the JR0 on _all_ i.MX8M derivatives is S
> World.
> > This code is to set any JR DID in SPL so that the job ring can be configured.
> >
> > >
> > > Current implementation only has JR0 reserved in S World on imx8mm derivative,
> > > but this new addition extends this to imx8mn, imx8mp and imx8mq.
> > Current implementation do not initialize CAAM for i.MX8M derivatives. It is not
> > based on driver model approach and only using JR0.
> 
> OK, but then I do not have on explanation on why do I see following results from
> reading JRaDID_MS registers on imx8m derivatives:
> - imx8mm:
> 	JR0DID_MS = 0x8011
> 	JR1DID_MS = 0x0
> 	JR2DID_MS = 0x0
> - imx8mn:
> 	JR0DID_MS = 0x0
> 	JR1DID_MS = 0x0
> 	JR2DID_MS = 0x0
> - imx8mp:
> 	JR0DID_MS = 0x0
> 	JR1DID_MS = 0x0
> 	JR2DID_MS = 0x0

I'd have to correct the readout above, I've posted the data which was not 100% accurate.

Here is the actual one:
- imx8mm:
	JR0DID_MS = 0x8011
	JR1DID_MS = 0x1
	JR2DID_MS = 0x1
- imx8mn:
	JR0DID_MS = 0x1
	JR1DID_MS = 0x1
	JR2DID_MS = 0x1
- imx8mp:
	JR0DID_MS = 0x0
	JR1DID_MS = 0x0
	JR2DID_MS = 0x0

It does suggests the following:
- Mini does have JR0 reserved in S World, JR1 and JR2 are released
  to NS World with DID programmed. According to the new logic in
  the patch - this should allow Mini to utilize HAB feature.
- Nano does have all JR released in NS World, which suggests that
  HAB is not available for it, correct?
- Plus does not have DID programmed in *any* JR devices, which
  fails the RNG initialization during Kernel start since DEC0
  cannot be initialized, but it is required to prime RNG via
  direct descriptor execution in DEC0. This means that all Crypto
  facilities are currently unavailable on Plus, correct? Does
  any of patches in this series suggests the fix for this? Is there
  simply power missing?

I would appreciate if you can comment on the rest of my points as they are still opened. 

> 
> This readout is taken at Kernel boot, and it clearly shows that only JR0 has
> TZ_OWN, PRIM_TZ and PRIM_DID bits set, and it is only done on imx8mm.
> 
> > With New implementation CAAM is enabled for i.MX8M derivative. Any JR whose DID
> > is written in ATF, can be used in Uboot.
> > JR0 is reserved for HAB so JR1 will be used for all i.MX8M derivatives.
> >
> > >
> > > I'm wondering about several points here:
> > > 1. Why does current implementation on have this reservation done on imx8mm
> > > and
> > >    where does this happen? None of the code pieces suggests that it is done
> in
> > >    U-Boot, is it performed in BootROM?
> >
> > I cannot see if current implementation(SPL/Uboot) has reservation done for
> > imx8mm.
> > In ATF, we are reserving the JR0.
> 
> I was not able to identify which part of ATF code is responsible to program
> JR0DID_MS on imx8mm, the only thing I saw was the part where the JR0 is held
> in S World *if* the JR0DID_MS is set to 0x8011. Can you point out where is this
> performed in ATF code?
> 
> If it is not in the ATF, then my question above still stands: which component
> (HW or SW) programs JR0DID_MS, and why is it only done on imx8mm derivative?
> 
> >
> > > 2. What is the intention of having JR0 reserved for all derivatives? Is this
> > >    the part of a bigger change that stretches across different SW components
> > >    (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
> > >    description would be appreciated here.
> > >
> > > ATF code already accounts for this reservation in commit:
> > > a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB is using
> it")
> > > [1], but there is no description on why is this required though.
> > >
> > > If this is required for HAB feature, then the question is: should it be kept
> in
> > S
> > > World when U-Boot starts, or SPL can release it after the binary is verified
> > and
> > > crypto facilities are not in use anymore?
> >
> > Commit: a83a7c65e reserves JR0 for HAB and not released to NS but JR1, JR2 are
> > released to NS.
> 
> Then I believe this change should be in-sync with ATF implementation, because of
> the fact that your change can have any arbitrary JR to be held in S World.
> 
> What would happen if for example JR1 is programmed with TZ_OWN, but ATF releases
> it to NS world? Can it be used by Kernel afterwards? Or should the node be
> disabled here so that Kernel does not even see JR1 during boot?
> 
> So far, ATF only examines the JR0DID_MS content, and not all the others...
> 
> > HAB uses JR0 for secure boot on all i.MX8M derivatives. Uboot calls HAB API for
> > authenticating kernel.
> 
> This implies then that the JR0 is permanently held in S World and stays there for
> entire device powercycle and cannot be reclaimed in NS World? In this case, the
> DT node should be completely removed from DTB file so no SW entity can even see
> it (as it is in a total possession of HW mechanisms).
> 
> >
> > >
> > > > +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ |
> > > > + JRDID_MS_PRIM_DID;
> > >
> > > What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting
> > > JRDID_MS_TZ_OWN would be sufficient here?
> >
> > PRIM_TZ bit is set to 1 to indicate that only SecureWorld can
> > access registers in that Job Ring's register page
> 
> But would it not be enough just to set TZ_OWN? If I read SRM correct: only
> TZ_OWN is enough to hold the JR in S World.
> 
> >
> 
> [snip]
> 
> > >
> 
> -- andrey

Cc: Michael Walle

-- andrey

RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[Gaurav Jain]

Hello Andrey

> -----Original Message-----
> From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> Sent: Wednesday, November 17, 2021 6:33 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka
> Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno
> <silvano.dininno@nxp.com>; Sahil Malhotra <sahil.malhotra@nxp.com>;
> Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>;
> dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian
> Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> ring driver model
> 
> Caution: EXT Email
> 
> Hello Gaurav,
> 
> > -----Original Message-----
> > From: Gaurav Jain <gaurav.jain@nxp.com>
> > Sent: Wednesday, November 17, 2021 12:26 PM
> > To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> > boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> Silvano
> > Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> Varun
> > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>;
> Shengzhou
> > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>;
> Rajesh
> > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Alison
> > Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>;
> > Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>;
> > Vladimir Oltean <olteanv@gmail.com>
> > Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for
> > CAAM Job ring driver model
> >
> >
> > Hello Andrey
> >
> > > -----Original Message-----
> > > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > > Sent: Tuesday, November 16, 2021 9:24 PM
> > > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > > Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> Varun
> > > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>;
> Shengzhou
> > > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>;
> Rajesh
> > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > > Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> > > <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> Adrian
> > > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > > Subject: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM
> > > Job ring driver model
> > >
> > > Caution: EXT Email
> > >
> > > Hello Gaurav,
> > >
> > > > -----Original Message-----
> > > > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav
> > > > Jain
> > > > Sent: Monday, November 15, 2021 8:00 AM
> > > > To: u-boot@lists.denx.de
> > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > > > Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil malhotra
> > > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> > > > Varun Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team
> > > > <uboot-imx@nxp.com>; Shengzhou Liu <Shengzhou.Liu@nxp.com>;
> > > > Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> > > > <rajesh.bhagat@nxp.com>;
> > > Meenakshi
> > > > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > > > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>;
> Pramod
> > > Kumar
> > > > <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>;
> > > > Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean
> > > > <olteanv@gmail.com>; Gaurav Jain <gaurav.jain@nxp.com>
> > > > Subject: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> > > > ring driver model
> > > >
> > > >
> > > > added device tree support for job ring driver.
> > > > sec is initialized based on job ring information processed from
> > > > device tree.
> > > >
> > > > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > > > Reviewed-by: Ye Li <ye.li@nxp.com>
> > > > ---
> > > >  cmd/Kconfig                 |   1 +
> > > >  drivers/crypto/fsl/Kconfig  |   7 +
> > > >  drivers/crypto/fsl/Makefile |   4 +-
> > > >  drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
> > > >  drivers/crypto/fsl/jr.h     |  14 ++
> > > >  5 files changed, 232 insertions(+), 110 deletions(-)
> > > >
> 
> [snip]
> 
> > > >         sec_out32(&sec->mcfgr, mcr);
> > > > +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> > >
> > > This would effectively reserve the JR0 on _all_ i.MX8M derivatives is S
> World.
> > This code is to set any JR DID in SPL so that the job ring can be configured.
> >
> > >
> > > Current implementation only has JR0 reserved in S World on imx8mm
> > > derivative, but this new addition extends this to imx8mn, imx8mp and
> imx8mq.
> > Current implementation do not initialize CAAM for i.MX8M derivatives.
> > It is not based on driver model approach and only using JR0.
> 
> OK, but then I do not have on explanation on why do I see following results
> from reading JRaDID_MS registers on imx8m derivatives:
> - imx8mm:
>         JR0DID_MS = 0x8011
>         JR1DID_MS = 0x0
>         JR2DID_MS = 0x0
> - imx8mn:
>         JR0DID_MS = 0x0
>         JR1DID_MS = 0x0
>         JR2DID_MS = 0x0
> - imx8mp:
>         JR0DID_MS = 0x0
>         JR1DID_MS = 0x0
>         JR2DID_MS = 0x0
> 
> This readout is taken at Kernel boot, and it clearly shows that only JR0 has
> TZ_OWN, PRIM_TZ and PRIM_DID bits set, and it is only done on imx8mm.

HAB is a code that is part of the ROM code which set the JR DID for all i.mx8M.
I took the dumps on SPL boot which actually shows the JR DID set by HAB.
Dump taken by you on kernel boot does not show the values set by ROM.
IMX8MM
JR0DID_MS = 0x8011
JR1DID_MS = 0x8011
JR2DID_MS = 0x0

IMX8MN
JR0DID_MS = 0x8011
JR1DID_MS = 0x8011
JR2DID_MS = 0x0

IMX8MP
JR0DID_MS = 0x8011
JR1DID_MS = 0x8011
JR2DID_MS = 0x0
> 
> > With New implementation CAAM is enabled for i.MX8M derivative. Any JR
> > whose DID is written in ATF, can be used in Uboot.
> > JR0 is reserved for HAB so JR1 will be used for all i.MX8M derivatives.
> >
> > >
> > > I'm wondering about several points here:
> > > 1. Why does current implementation on have this reservation done on
> > > imx8mm and
> > >    where does this happen? None of the code pieces suggests that it is
> done in
> > >    U-Boot, is it performed in BootROM?
> >
> > I cannot see if current implementation(SPL/Uboot) has reservation done
> > for imx8mm.
> > In ATF, we are reserving the JR0.
> 
> I was not able to identify which part of ATF code is responsible to program
> JR0DID_MS on imx8mm, the only thing I saw was the part where the JR0 is
> held in S World *if* the JR0DID_MS is set to 0x8011. Can you point out where
> is this performed in ATF code?
> 
> If it is not in the ATF, then my question above still stands: which component
> (HW or SW) programs JR0DID_MS, and why is it only done on imx8mm
> derivative?
HAB which is part of the ROM code sets the JR DID for all i.mx8M.
> 
> >
> > > 2. What is the intention of having JR0 reserved for all derivatives? Is this
> > >    the part of a bigger change that stretches across different SW
> components
> > >    (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
> > >    description would be appreciated here.
> > >
> > > ATF code already accounts for this reservation in commit:
> > > a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB is
> > > using it") [1], but there is no description on why is this required though.
> > >
> > > If this is required for HAB feature, then the question is: should it
> > > be kept in
> > S
> > > World when U-Boot starts, or SPL can release it after the binary is
> > > verified
> > and
> > > crypto facilities are not in use anymore?
> >
> > Commit: a83a7c65e reserves JR0 for HAB and not released to NS but JR1,
> > JR2 are released to NS.
> 
> Then I believe this change should be in-sync with ATF implementation,
> because of the fact that your change can have any arbitrary JR to be held in S
> World.
> 
> What would happen if for example JR1 is programmed with TZ_OWN, but
> ATF releases it to NS world? Can it be used by Kernel afterwards? Or should
> the node be disabled here so that Kernel does not even see JR1 during boot?
>
Since JR0 is marked as disabled in DT, so SPL is only accessing single job ring and setting the JR1 DID as 0x8011.
After SPL boots successfully, ATF is releasing JR1 and JR2 to NS by modifying the JRDID_MS as 0x1.
Uboot is also accessing single jobring which is JR1.
JR0 is only reserved for secure boot.

> So far, ATF only examines the JR0DID_MS content, and not all the others...
> 
> > HAB uses JR0 for secure boot on all i.MX8M derivatives. Uboot calls
> > HAB API for authenticating kernel.
> 
> This implies then that the JR0 is permanently held in S World and stays there
> for entire device powercycle and cannot be reclaimed in NS World?
Yes JR0 is held in S world.

 In this
> case, the DT node should be completely removed from DTB file so no SW
> entity can even see it (as it is in a total possession of HW mechanisms).
> 
We can consider this change after this patch series is merged.
Currently I have disabled the JR0 in device tree.

> >
> > >
> > > > +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ |
> > > > + JRDID_MS_PRIM_DID;
> > >
> > > What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting
> > > JRDID_MS_TZ_OWN would be sufficient here?
> >
> > PRIM_TZ bit is set to 1 to indicate that only SecureWorld can access
> > registers in that Job Ring's register page
> 
> But would it not be enough just to set TZ_OWN? If I read SRM correct: only
> TZ_OWN is enough to hold the JR in S World.
> 
HAB is also setting 0x8011 as JR DID. It is better to be in sync with HAB.

Regards
Gaurav Jain

> >
> 
> [snip]
> 
> > >
> 
> -- andrey

RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[ZHIZHIKIN Andrey]

Hello Gaurav,

> -----Original Message-----
> From: Gaurav Jain <gaurav.jain@nxp.com>
> Sent: Monday, November 22, 2021 8:29 AM
> To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka Jain
> <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> driver model
> 
> 
> Hello Andrey
> 
> > -----Original Message-----
> > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > Sent: Wednesday, November 17, 2021 6:33 PM
> > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> > Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka
> > Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > <franck.lenormand@nxp.com>; Silvano Di Ninno
> > <silvano.dininno@nxp.com>; Sahil Malhotra <sahil.malhotra@nxp.com>;
> > Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>;
> > dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> > <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> > <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian
> > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> > ring driver model
> >
> > Caution: EXT Email
> >
> > Hello Gaurav,
> >
> > > -----Original Message-----
> > > From: Gaurav Jain <gaurav.jain@nxp.com>
> > > Sent: Wednesday, November 17, 2021 12:26 PM
> > > To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> > > boot@lists.denx.de
> > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > Silvano
> > > Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> > Varun
> > > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>;
> > Shengzhou
> > > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>;
> > Rajesh
> > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > Alison
> > > Wang <alison.wang@nxp.com>; Pramod Kumar
> > <pramod.kumar_1@nxp.com>;
> > > Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> > <adrian.alonso@nxp.com>;
> > > Vladimir Oltean <olteanv@gmail.com>
> > > Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for
> > > CAAM Job ring driver model
> > >
> > >
> > > Hello Andrey
> > >
> > > > -----Original Message-----
> > > > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > > > Sent: Tuesday, November 16, 2021 9:24 PM
> > > > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > > > Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> > Varun
> > > > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>;
> > Shengzhou
> > > > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>;
> > Rajesh
> > > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > > > Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> > > > <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> > Adrian
> > > > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > > > Subject: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM
> > > > Job ring driver model
> > > >
> > > > Caution: EXT Email
> > > >
> > > > Hello Gaurav,
> > > >
> > > > > -----Original Message-----
> > > > > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav
> > > > > Jain
> > > > > Sent: Monday, November 15, 2021 8:00 AM
> > > > > To: u-boot@lists.denx.de
> > > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > > > > Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil malhotra
> > > > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> > > > > Varun Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team
> > > > > <uboot-imx@nxp.com>; Shengzhou Liu <Shengzhou.Liu@nxp.com>;
> > > > > Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> > > > > <rajesh.bhagat@nxp.com>;
> > > > Meenakshi
> > > > > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > > > > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>;
> > Pramod
> > > > Kumar
> > > > > <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>;
> > > > > Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean
> > > > > <olteanv@gmail.com>; Gaurav Jain <gaurav.jain@nxp.com>
> > > > > Subject: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> > > > > ring driver model
> > > > >
> > > > >
> > > > > added device tree support for job ring driver.
> > > > > sec is initialized based on job ring information processed from
> > > > > device tree.
> > > > >
> > > > > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > > > > Reviewed-by: Ye Li <ye.li@nxp.com>
> > > > > ---
> > > > >  cmd/Kconfig                 |   1 +
> > > > >  drivers/crypto/fsl/Kconfig  |   7 +
> > > > >  drivers/crypto/fsl/Makefile |   4 +-
> > > > >  drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
> > > > >  drivers/crypto/fsl/jr.h     |  14 ++
> > > > >  5 files changed, 232 insertions(+), 110 deletions(-)
> > > > >
> >
> > [snip]
> >
> > > > >         sec_out32(&sec->mcfgr, mcr);
> > > > > +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> > > >
> > > > This would effectively reserve the JR0 on _all_ i.MX8M derivatives is S
> > World.
> > > This code is to set any JR DID in SPL so that the job ring can be configured.
> > >
> > > >
> > > > Current implementation only has JR0 reserved in S World on imx8mm
> > > > derivative, but this new addition extends this to imx8mn, imx8mp and
> > imx8mq.
> > > Current implementation do not initialize CAAM for i.MX8M derivatives.
> > > It is not based on driver model approach and only using JR0.
> >
> > OK, but then I do not have on explanation on why do I see following results
> > from reading JRaDID_MS registers on imx8m derivatives:
> > - imx8mm:
> >         JR0DID_MS = 0x8011
> >         JR1DID_MS = 0x0
> >         JR2DID_MS = 0x0
> > - imx8mn:
> >         JR0DID_MS = 0x0
> >         JR1DID_MS = 0x0
> >         JR2DID_MS = 0x0
> > - imx8mp:
> >         JR0DID_MS = 0x0
> >         JR1DID_MS = 0x0
> >         JR2DID_MS = 0x0
> >
> > This readout is taken at Kernel boot, and it clearly shows that only JR0 has
> > TZ_OWN, PRIM_TZ and PRIM_DID bits set, and it is only done on imx8mm.
> 
> HAB is a code that is part of the ROM code which set the JR DID for all i.mx8M.
> I took the dumps on SPL boot which actually shows the JR DID set by HAB.
> Dump taken by you on kernel boot does not show the values set by ROM.
> IMX8MM
> JR0DID_MS = 0x8011
> JR1DID_MS = 0x8011
> JR2DID_MS = 0x0
> 
> IMX8MN
> JR0DID_MS = 0x8011
> JR1DID_MS = 0x8011
> JR2DID_MS = 0x0
> 
> IMX8MP
> JR0DID_MS = 0x8011
> JR1DID_MS = 0x8011
> JR2DID_MS = 0x0

This is an interesting piece of information, thanks a lot for the readout! So
it does look like that BootROM on all derivatives reserves JR0 and JR1 at the
beginning, letting the ATF to release only JR1 to NS world...

Does IMX8MQ have the same reservation as well?

> >
> > > With New implementation CAAM is enabled for i.MX8M derivative. Any JR
> > > whose DID is written in ATF, can be used in Uboot.
> > > JR0 is reserved for HAB so JR1 will be used for all i.MX8M derivatives.
> > >
> > > >
> > > > I'm wondering about several points here:
> > > > 1. Why does current implementation on have this reservation done on
> > > > imx8mm and
> > > >    where does this happen? None of the code pieces suggests that it is
> > done in
> > > >    U-Boot, is it performed in BootROM?
> > >
> > > I cannot see if current implementation(SPL/Uboot) has reservation done
> > > for imx8mm.
> > > In ATF, we are reserving the JR0.
> >
> > I was not able to identify which part of ATF code is responsible to program
> > JR0DID_MS on imx8mm, the only thing I saw was the part where the JR0 is
> > held in S World *if* the JR0DID_MS is set to 0x8011. Can you point out where
> > is this performed in ATF code?
> >
> > If it is not in the ATF, then my question above still stands: which component
> > (HW or SW) programs JR0DID_MS, and why is it only done on imx8mm
> > derivative?
> HAB which is part of the ROM code sets the JR DID for all i.mx8M.
> >
> > >
> > > > 2. What is the intention of having JR0 reserved for all derivatives? Is
> this
> > > >    the part of a bigger change that stretches across different SW
> > components
> > > >    (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
> > > >    description would be appreciated here.
> > > >
> > > > ATF code already accounts for this reservation in commit:
> > > > a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB is
> > > > using it") [1], but there is no description on why is this required though.
> > > >
> > > > If this is required for HAB feature, then the question is: should it
> > > > be kept in
> > > S
> > > > World when U-Boot starts, or SPL can release it after the binary is
> > > > verified
> > > and
> > > > crypto facilities are not in use anymore?
> > >
> > > Commit: a83a7c65e reserves JR0 for HAB and not released to NS but JR1,
> > > JR2 are released to NS.
> >
> > Then I believe this change should be in-sync with ATF implementation,
> > because of the fact that your change can have any arbitrary JR to be held in S
> > World.
> >
> > What would happen if for example JR1 is programmed with TZ_OWN, but
> > ATF releases it to NS world? Can it be used by Kernel afterwards? Or should
> > the node be disabled here so that Kernel does not even see JR1 during boot?
> >
> Since JR0 is marked as disabled in DT, so SPL is only accessing single job ring
> and setting the JR1 DID as 0x8011.
> After SPL boots successfully, ATF is releasing JR1 and JR2 to NS by modifying the
> JRDID_MS as 0x1.
> Uboot is also accessing single jobring which is JR1.
> JR0 is only reserved for secure boot.

Is it safe to assume that JR1 is then accessible from both S and NS Worlds?

If that is the case, then that would actually mean that JRx status on DT should
be set as following:

&sec_jr0 {
	status = "disabled";
	secure-status = "okay";
};

&sec_jr1 {
	secure-status = "okay";
};

&sec_jr2 {
	secure-status = "disabled";
};

This would effectively mean:
JR0 - S-only,
JR1 - visible in both
JR2 - NS-only

Please note, that as this configuration is applicable to both Kernel and U-Boot -
the above block should be defined in Kernel DT for all i.MX8M derivatives, and
picked up with the next U-Boot DTB re-sync.

As I'm working on V3 for CAAM clean-up in the Kernel [1] - I can submit those
configuration changes, but I would need a confirmation from you if this is an
expected JR configuration, and whether IMX8MQ have the same setup.

> 
> > So far, ATF only examines the JR0DID_MS content, and not all the others...
> >
> > > HAB uses JR0 for secure boot on all i.MX8M derivatives. Uboot calls
> > > HAB API for authenticating kernel.
> >
> > This implies then that the JR0 is permanently held in S World and stays there
> > for entire device powercycle and cannot be reclaimed in NS World?
> Yes JR0 is held in S world.
> 
>  In this
> > case, the DT node should be completely removed from DTB file so no SW
> > entity can even see it (as it is in a total possession of HW mechanisms).
> >
> We can consider this change after this patch series is merged.
> Currently I have disabled the JR0 in device tree.

I guess with the proposed DT configuration this point would be covered as
well, isn't it? There would be no need to remove the node, as it would be
marked disabled in NS and enabled in S Worlds. I believe it is better to
set the status as I proposed, because that information in DT is transparent
for everyone (removing node raises questions regarding HW availability to me).

> 
> > >
> > > >
> > > > > +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ |
> > > > > + JRDID_MS_PRIM_DID;
> > > >
> > > > What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting
> > > > JRDID_MS_TZ_OWN would be sufficient here?
> > >
> > > PRIM_TZ bit is set to 1 to indicate that only SecureWorld can access
> > > registers in that Job Ring's register page
> >
> > But would it not be enough just to set TZ_OWN? If I read SRM correct: only
> > TZ_OWN is enough to hold the JR in S World.
> >
> HAB is also setting 0x8011 as JR DID. It is better to be in sync with HAB.

Do you know what is the reason for HAB to set PRIM_TZ bit? Is there any
specific reason for this?

> 
> Regards
> Gaurav Jain
> 
> > >
> >
> > [snip]
> >
> > > >
> >
> > -- andrey

-- andrey

Link: [1]: https://lore.kernel.org/lkml/20211111164601.13135-1-andrey.zhizhikin@leica-geosystems.com/

RE: [PATCH v5 11/16] crypto/fsl: Fix kick_trng

[ZHIZHIKIN Andrey]

Hello Gaurav,

> -----Original Message-----
> From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> Sent: Monday, November 15, 2021 8:00 AM
> To: u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka Jain
> <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>; Shengzhou
> Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: [PATCH v5 11/16] crypto/fsl: Fix kick_trng
> 
> 
> From: Ye Li <ye.li@nxp.com>
> 
> fix hwrng performance issue in kernel.

This patch is missing some context information, specifically which performance
issue does exist in the Kernel (with some quantification), and how is it addressed
here.

This function introduced with this patch already exist in the Kernel [1], and the
implementation does differ from Kernel one. Specifically, this patch lowers the
number of test samples that are run to decide whether the entropy generated by
TRNG is sufficiently random: it reduces the monobit count range, poker test limits,
and number or runs for consecutive 0's and 1's.

Considering the fact that after TRNG is initialized - JDKEK, TDKEK and TDSK are
preloaded from the RNG and are locked until the next PoR, Kernel will not
re-initialize the TRNG (in fact, there is a check that is done in the Kernel not to
touch RNG if it is already initialized [2]), and this would leave the Crypto facilities
running in the Kernel to use entropy model that is defined here. In this case, at
least a justification of this change should be made clear - e.g. significant speed
improvement over reduced entropy (with quantifiable numbers).

In addition, with those new parameter set, would the RNG pass FIPS 140-2 test?

> 
> Signed-off-by: Ye Li <ye.li@nxp.com>
> Acked-by: Gaurav Jain <gaurav.jain@nxp.com>>
> ---
>  drivers/crypto/fsl/jr.c | 109 ++++++++++++++++++++++++++++++++++------
>  include/fsl_sec.h       |   1 +
>  2 files changed, 94 insertions(+), 16 deletions(-)
> 
> diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
> index 9b751aca9b..ef136988b6 100644
> --- a/drivers/crypto/fsl/jr.c
> +++ b/drivers/crypto/fsl/jr.c
> @@ -602,30 +602,107 @@ static u8 get_rng_vid(ccsr_sec_t *sec)
>   */
>  static void kick_trng(int ent_delay, ccsr_sec_t *sec)
>  {
> +       u32 samples  = 512; /* number of bits to generate and test */
> +       u32 mono_min = 195;
> +       u32 mono_max = 317;
> +       u32 mono_range  = mono_max - mono_min;
> +       u32 poker_min = 1031;
> +       u32 poker_max = 1600;
> +       u32 poker_range = poker_max - poker_min + 1;
> +       u32 retries    = 2;
> +       u32 lrun_max   = 32;
> +       s32 run_1_min   = 27;
> +       s32 run_1_max   = 107;
> +       s32 run_1_range = run_1_max - run_1_min;
> +       s32 run_2_min   = 7;
> +       s32 run_2_max   = 62;
> +       s32 run_2_range = run_2_max - run_2_min;
> +       s32 run_3_min   = 0;
> +       s32 run_3_max   = 39;
> +       s32 run_3_range = run_3_max - run_3_min;
> +       s32 run_4_min   = -1;
> +       s32 run_4_max   = 26;
> +       s32 run_4_range = run_4_max - run_4_min;
> +       s32 run_5_min   = -1;
> +       s32 run_5_max   = 18;
> +       s32 run_5_range = run_5_max - run_5_min;
> +       s32 run_6_min   = -1;
> +       s32 run_6_max   = 17;
> +       s32 run_6_range = run_6_max - run_6_min;
> +       u32 val;

Why does those values are lowered with respect to what is provided by
default? A bit more explanation on why those primes are chosen here
would be good to have, together with documenting default values (so
people can compare).

> +
>         struct rng4tst __iomem *rng =
>                         (struct rng4tst __iomem *)&sec->rng;
> -       u32 val;
> 
> -       /* put RNG4 into program mode */
> -       sec_setbits32(&rng->rtmctl, RTMCTL_PRGM);
> -       /* rtsdctl bits 0-15 contain "Entropy Delay, which defines the
> -        * length (in system clocks) of each Entropy sample taken
> -        * */
> +       /* Put RNG in program mode */
> +       /* Setting both RTMCTL:PRGM and RTMCTL:TRNG_ACC causes TRNG to
> +        * properly invalidate the entropy in the entropy register and
> +        * force re-generation.
> +        */
> +       sec_setbits32(&rng->rtmctl, RTMCTL_PRGM | RTMCTL_ACC);
> +
> +       /* Configure the RNG Entropy Delay
> +        * Performance-wise, it does not make sense to
> +        * set the delay to a value that is lower
> +        * than the last one that worked (i.e. the state handles
> +        * were instantiated properly. Thus, instead of wasting
> +        * time trying to set the values controlling the sample
> +        * frequency, the function simply returns.
> +        */
>         val = sec_in32(&rng->rtsdctl);
> -       val = (val & ~RTSDCTL_ENT_DLY_MASK) |
> -             (ent_delay << RTSDCTL_ENT_DLY_SHIFT);
> +       val &= RTSDCTL_ENT_DLY_MASK;
> +       val >>= RTSDCTL_ENT_DLY_SHIFT;
> +       if (ent_delay < val) {
> +               /* Put RNG4 into run mode */
> +               sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM | RTMCTL_ACC);
> +               return;
> +       }
> +
> +       val = (ent_delay << RTSDCTL_ENT_DLY_SHIFT) | samples;
>         sec_out32(&rng->rtsdctl, val);
> -       /* min. freq. count, equal to 1/4 of the entropy sample length */
> -       sec_out32(&rng->rtfreqmin, ent_delay >> 2);
> -       /* disable maximum frequency count */
> -       sec_out32(&rng->rtfreqmax, RTFRQMAX_DISABLE);
> +
>         /*
> -        * select raw sampling in both entropy shifter
> +        * Recommended margins (min,max) for freq. count:
> +        *   freq_mul = RO_freq / TRNG_clk_freq
> +        *   rtfrqmin = (ent_delay x freq_mul) >> 1;
> +        *   rtfrqmax = (ent_delay x freq_mul) << 3;
> +        * Given current deployments of CAAM in i.MX SoCs, and to simplify
> +        * the configuration, we consider [1,16] to be a safe interval
> +        * for the freq_mul and the limits of the interval are used to compute
> +        * rtfrqmin, rtfrqmax
> +        */
> +       sec_out32(&rng->rtfreqmin, ent_delay >> 1);
> +       sec_out32(&rng->rtfreqmax, ent_delay << 7);
> +
> +       sec_out32(&rng->rtscmisc, (retries << 16) | lrun_max);
> +       sec_out32(&rng->rtpkrmax, poker_max);
> +       sec_out32(&rng->rtpkrrng, poker_range);
> +       sec_out32(&rng->rsvd1[0], (mono_range << 16) | mono_max);
> +       sec_out32(&rng->rsvd1[1], (run_1_range << 16) | run_1_max);
> +       sec_out32(&rng->rsvd1[2], (run_2_range << 16) | run_2_max);
> +       sec_out32(&rng->rsvd1[3], (run_3_range << 16) | run_3_max);
> +       sec_out32(&rng->rsvd1[4], (run_4_range << 16) | run_4_max);
> +       sec_out32(&rng->rsvd1[5], (run_5_range << 16) | run_5_max);
> +       sec_out32(&rng->rsvd1[6], (run_6_range << 16) | run_6_max);
> +
> +       val = sec_in32(&rng->rtmctl);
> +       /*
> +        * Select raw sampling in both entropy shifter
>          * and statistical checker
>          */
> -       sec_setbits32(&rng->rtmctl, RTMCTL_SAMP_MODE_RAW_ES_SC);
> -       /* put RNG4 into run mode */
> -       sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM);
> +       val &= ~RTMCTL_SAMP_MODE_INVALID;
> +       val |= RTMCTL_SAMP_MODE_RAW_ES_SC;
> +       /* Put RNG4 into run mode */
> +       val &= ~(RTMCTL_PRGM | RTMCTL_ACC);
> +       /*test with sample mode only */
> +       sec_out32(&rng->rtmctl, val);
> +
> +       /* Clear the ERR bit in RTMCTL if set. The TRNG error can occur when the
> +        * RNG clock is not within 1/2x to 8x the system clock.
> +        * This error is possible if ROM code does not initialize the system PLLs
> +        * immediately after PoR.
> +        */
> +       /* setbits_le32(CAAM_RTMCTL, RTMCTL_ERR); */

Unused code?

>  }
> 
>  static int rng_init(uint8_t sec_idx, ccsr_sec_t *sec)
> diff --git a/include/fsl_sec.h b/include/fsl_sec.h
> index 7b6e3e2c20..2b3239414a 100644
> --- a/include/fsl_sec.h
> +++ b/include/fsl_sec.h
> @@ -34,6 +34,7 @@
>  #if CONFIG_SYS_FSL_SEC_COMPAT >= 4
>  /* RNG4 TRNG test registers */
>  struct rng4tst {
> +#define RTMCTL_ACC  0x20
>  #define RTMCTL_PRGM 0x00010000 /* 1 -> program mode, 0 -> run mode */
>  #define RTMCTL_SAMP_MODE_VON_NEUMANN_ES_SC     0 /* use von Neumann data in
>                                                     both entropy shifter and
> --
> 2.17.1

-- andrey

Link: [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/crypto/caam/ctrl.c?#n348
Link: [2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/crypto/caam/ctrl.c?#n287

RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[Gaurav Jain]

Hello Andrey

> -----Original Message-----
> From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> Sent: Monday, November 22, 2021 10:51 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka
> Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>;
> Sahil Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta
> <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-uboot-imx
> <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>; Mingkai Hu
> <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>; Meenakshi
> Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean
> <olteanv@gmail.com>; Michael Walle <michael@walle.cc>
> Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> ring driver model
> 
> Caution: EXT Email
> 
> Hello Gaurav,
> 
> > -----Original Message-----
> > From: Gaurav Jain <gaurav.jain@nxp.com>
> > Sent: Monday, November 22, 2021 8:29 AM
> > To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> > boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano
> > Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou
> > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Alison
> > Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>;
> > Andy Tang <andy.tang@nxp.com>; Adrian Alonso <adrian.alonso@nxp.com>;
> > Vladimir Oltean <olteanv@gmail.com>
> > Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for
> > CAAM Job ring driver model
> >
> >
> > Hello Andrey
> >
> > > -----Original Message-----
> > > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > > Sent: Wednesday, November 17, 2021 6:33 PM
> > > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > > Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> > > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou
> > > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > > Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> > > <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian
> > > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > > Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for
> > > CAAM Job ring driver model
> > >
> > > Caution: EXT Email
> > >
> > > Hello Gaurav,
> > >
> > > > -----Original Message-----
> > > > From: Gaurav Jain <gaurav.jain@nxp.com>
> > > > Sent: Wednesday, November 17, 2021 12:26 PM
> > > > To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> > > > boot@lists.denx.de
> > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > > Silvano
> > > > Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> > > Varun
> > > > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>;
> > > Shengzhou
> > > > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>;
> > > Rajesh
> > > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > > Alison
> > > > Wang <alison.wang@nxp.com>; Pramod Kumar
> > > <pramod.kumar_1@nxp.com>;
> > > > Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> > > <adrian.alonso@nxp.com>;
> > > > Vladimir Oltean <olteanv@gmail.com>
> > > > Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support
> > > > for CAAM Job ring driver model
> > > >
> > > >
> > > > Hello Andrey
> > > >
> > > > > -----Original Message-----
> > > > > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > > > > Sent: Tuesday, November 16, 2021 9:24 PM
> > > > > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > > > > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > > > > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> > > > > Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> > > > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> > > Varun
> > > > > Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>;
> > > Shengzhou
> > > > > Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>;
> > > Rajesh
> > > > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > > > > Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> > > > > <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> > > Adrian
> > > > > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean
> > > > > <olteanv@gmail.com>
> > > > > Subject: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for
> > > > > CAAM Job ring driver model
> > > > >
> > > > > Caution: EXT Email
> > > > >
> > > > > Hello Gaurav,
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of
> > > > > > Gaurav Jain
> > > > > > Sent: Monday, November 15, 2021 8:00 AM
> > > > > > To: u-boot@lists.denx.de
> > > > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > > > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye
> > > > > > Li <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji
> > > > > > Luo <ji.luo@nxp.com>; Franck Lenormand
> > > > > > <franck.lenormand@nxp.com>; Silvano Di Ninno
> > > > > > <silvano.dininno@nxp.com>; Sahil malhotra
> > > > > > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>;
> > > > > > Varun Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team
> > > > > > <uboot-imx@nxp.com>; Shengzhou Liu <Shengzhou.Liu@nxp.com>;
> > > > > > Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> > > > > > <rajesh.bhagat@nxp.com>;
> > > > > Meenakshi
> > > > > > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > > > > > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>;
> > > Pramod
> > > > > Kumar
> > > > > > <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>;
> > > > > > Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean
> > > > > > <olteanv@gmail.com>; Gaurav Jain <gaurav.jain@nxp.com>
> > > > > > Subject: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> > > > > > ring driver model
> > > > > >
> > > > > >
> > > > > > added device tree support for job ring driver.
> > > > > > sec is initialized based on job ring information processed
> > > > > > from device tree.
> > > > > >
> > > > > > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > > > > > Reviewed-by: Ye Li <ye.li@nxp.com>
> > > > > > ---
> > > > > >  cmd/Kconfig                 |   1 +
> > > > > >  drivers/crypto/fsl/Kconfig  |   7 +
> > > > > >  drivers/crypto/fsl/Makefile |   4 +-
> > > > > >  drivers/crypto/fsl/jr.c     | 316 +++++++++++++++++++++++-------------
> > > > > >  drivers/crypto/fsl/jr.h     |  14 ++
> > > > > >  5 files changed, 232 insertions(+), 110 deletions(-)
> > > > > >
> > >
> > > [snip]
> > >
> > > > > >         sec_out32(&sec->mcfgr, mcr);
> > > > > > +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_IMX8M)
> > > > >
> > > > > This would effectively reserve the JR0 on _all_ i.MX8M
> > > > > derivatives is S
> > > World.
> > > > This code is to set any JR DID in SPL so that the job ring can be configured.
> > > >
> > > > >
> > > > > Current implementation only has JR0 reserved in S World on
> > > > > imx8mm derivative, but this new addition extends this to imx8mn,
> > > > > imx8mp and
> > > imx8mq.
> > > > Current implementation do not initialize CAAM for i.MX8M derivatives.
> > > > It is not based on driver model approach and only using JR0.
> > >
> > > OK, but then I do not have on explanation on why do I see following
> > > results from reading JRaDID_MS registers on imx8m derivatives:
> > > - imx8mm:
> > >         JR0DID_MS = 0x8011
> > >         JR1DID_MS = 0x0
> > >         JR2DID_MS = 0x0
> > > - imx8mn:
> > >         JR0DID_MS = 0x0
> > >         JR1DID_MS = 0x0
> > >         JR2DID_MS = 0x0
> > > - imx8mp:
> > >         JR0DID_MS = 0x0
> > >         JR1DID_MS = 0x0
> > >         JR2DID_MS = 0x0
> > >
> > > This readout is taken at Kernel boot, and it clearly shows that only
> > > JR0 has TZ_OWN, PRIM_TZ and PRIM_DID bits set, and it is only done on
> imx8mm.
> >
> > HAB is a code that is part of the ROM code which set the JR DID for all i.mx8M.
> > I took the dumps on SPL boot which actually shows the JR DID set by HAB.
> > Dump taken by you on kernel boot does not show the values set by ROM.
> > IMX8MM
> > JR0DID_MS = 0x8011
> > JR1DID_MS = 0x8011
> > JR2DID_MS = 0x0
> >
> > IMX8MN
> > JR0DID_MS = 0x8011
> > JR1DID_MS = 0x8011
> > JR2DID_MS = 0x0
> >
> > IMX8MP
> > JR0DID_MS = 0x8011
> > JR1DID_MS = 0x8011
> > JR2DID_MS = 0x0
> 
> This is an interesting piece of information, thanks a lot for the readout! So it
> does look like that BootROM on all derivatives reserves JR0 and JR1 at the
> beginning, letting the ATF to release only JR1 to NS world...
> 
> Does IMX8MQ have the same reservation as well?
> 
> > >
> > > > With New implementation CAAM is enabled for i.MX8M derivative. Any
> > > > JR whose DID is written in ATF, can be used in Uboot.
> > > > JR0 is reserved for HAB so JR1 will be used for all i.MX8M derivatives.
> > > >
> > > > >
> > > > > I'm wondering about several points here:
> > > > > 1. Why does current implementation on have this reservation done
> > > > > on imx8mm and
> > > > >    where does this happen? None of the code pieces suggests that
> > > > > it is
> > > done in
> > > > >    U-Boot, is it performed in BootROM?
> > > >
> > > > I cannot see if current implementation(SPL/Uboot) has reservation
> > > > done for imx8mm.
> > > > In ATF, we are reserving the JR0.
> > >
> > > I was not able to identify which part of ATF code is responsible to
> > > program JR0DID_MS on imx8mm, the only thing I saw was the part where
> > > the JR0 is held in S World *if* the JR0DID_MS is set to 0x8011. Can
> > > you point out where is this performed in ATF code?
> > >
> > > If it is not in the ATF, then my question above still stands: which
> > > component (HW or SW) programs JR0DID_MS, and why is it only done on
> > > imx8mm derivative?
> > HAB which is part of the ROM code sets the JR DID for all i.mx8M.
> > >
> > > >
> > > > > 2. What is the intention of having JR0 reserved for all
> > > > > derivatives? Is
> > this
> > > > >    the part of a bigger change that stretches across different
> > > > > SW
> > > components
> > > > >    (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
> > > > >    description would be appreciated here.
> > > > >
> > > > > ATF code already accounts for this reservation in commit:
> > > > > a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB
> > > > > is using it") [1], but there is no description on why is this required though.
> > > > >
> > > > > If this is required for HAB feature, then the question is:
> > > > > should it be kept in
> > > > S
> > > > > World when U-Boot starts, or SPL can release it after the binary
> > > > > is verified
> > > > and
> > > > > crypto facilities are not in use anymore?
> > > >
> > > > Commit: a83a7c65e reserves JR0 for HAB and not released to NS but
> > > > JR1,
> > > > JR2 are released to NS.
> > >
> > > Then I believe this change should be in-sync with ATF
> > > implementation, because of the fact that your change can have any
> > > arbitrary JR to be held in S World.
> > >
> > > What would happen if for example JR1 is programmed with TZ_OWN, but
> > > ATF releases it to NS world? Can it be used by Kernel afterwards? Or
> > > should the node be disabled here so that Kernel does not even see JR1 during
> boot?
> > >
> > Since JR0 is marked as disabled in DT, so SPL is only accessing single
> > job ring and setting the JR1 DID as 0x8011.
> > After SPL boots successfully, ATF is releasing JR1 and JR2 to NS by
> > modifying the JRDID_MS as 0x1.
> > Uboot is also accessing single jobring which is JR1.
> > JR0 is only reserved for secure boot.
> 
> Is it safe to assume that JR1 is then accessible from both S and NS Worlds?
> 
> If that is the case, then that would actually mean that JRx status on DT should be
> set as following:
> 
> &sec_jr0 {
>         status = "disabled";
>         secure-status = "okay";
> };
> 
> &sec_jr1 {
>         secure-status = "okay";
> };
> 
> &sec_jr2 {
>         secure-status = "disabled";
> };
> 
> This would effectively mean:
> JR0 - S-only,
> JR1 - visible in both
> JR2 - NS-only
> 
> Please note, that as this configuration is applicable to both Kernel and U-Boot -
> the above block should be defined in Kernel DT for all i.MX8M derivatives, and
> picked up with the next U-Boot DTB re-sync.
> 
> As I'm working on V3 for CAAM clean-up in the Kernel [1] - I can submit those
> configuration changes, but I would need a confirmation from you if this is an
> expected JR configuration, and whether IMX8MQ have the same setup.
> 
IMX8MQ has same values.
JR0DID_MS = 0x8011
JR1DID_MS = 0x8011
JR2DID_MS = 0x0

For now we are only reserving JR0 for secure boot. JR1 DID is later modified in ATF to 0x1. JR2 can be used by OPTEE which is secure and can set the DID before accessing the JR2.
Setting secure-status as disabled for JR2 could break OPTEE.
"secure-status" property is not used in uboot CAAM driver code so how this is going to affect the caam driver working in SPL/Uboot?
I am not sure about the kernel caam driver how secure-status is processed. For kernel JR configuration I cannot confirm.
I would suggest to take the opinion from kernel caam maintainers as well.

> >
> > > So far, ATF only examines the JR0DID_MS content, and not all the others...
> > >
> > > > HAB uses JR0 for secure boot on all i.MX8M derivatives. Uboot
> > > > calls HAB API for authenticating kernel.
> > >
> > > This implies then that the JR0 is permanently held in S World and
> > > stays there for entire device powercycle and cannot be reclaimed in NS
> World?
> > Yes JR0 is held in S world.
> >
> >  In this
> > > case, the DT node should be completely removed from DTB file so no
> > > SW entity can even see it (as it is in a total possession of HW mechanisms).
> > >
> > We can consider this change after this patch series is merged.
> > Currently I have disabled the JR0 in device tree.
> 
> I guess with the proposed DT configuration this point would be covered as well,
> isn't it? There would be no need to remove the node, as it would be marked
> disabled in NS and enabled in S Worlds. I believe it is better to set the status as I
> proposed, because that information in DT is transparent for everyone (removing
> node raises questions regarding HW availability to me).

CAAM driver is used in spl, atf, optee, uboot, kernel.
Spl and uboot can work with JR1 only. For other components it will be good to have their opinion.

> 
> >
> > > >
> > > > >
> > > > > > +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ |
> > > > > > + JRDID_MS_PRIM_DID;
> > > > >
> > > > > What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting
> > > > > JRDID_MS_TZ_OWN would be sufficient here?
> > > >
> > > > PRIM_TZ bit is set to 1 to indicate that only SecureWorld can
> > > > access registers in that Job Ring's register page
> > >
> > > But would it not be enough just to set TZ_OWN? If I read SRM
> > > correct: only TZ_OWN is enough to hold the JR in S World.
> > >
> > HAB is also setting 0x8011 as JR DID. It is better to be in sync with HAB.
> 
> Do you know what is the reason for HAB to set PRIM_TZ bit? Is there any
> specific reason for this?

To restrict JR register page access to Secure World, PRIM_TZ bit is set.
So later in ATF we can decide which JobRing to release to NS.

Regards
Gaurav Jain
> 
> >
> > Regards
> > Gaurav Jain
> >
> > > >
> > >
> > > [snip]
> > >
> > > > >
> > >
> > > -- andrey
> 
> -- andrey
> 
> Link: [1]:
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kern
> el.org%2Flkml%2F20211111164601.13135-1-andrey.zhizhikin%40leica-
> geosystems.com%2F&amp;data=04%7C01%7Cgaurav.jain%40nxp.com%7C2266
> 10fc0dd44d2324b408d9addc6523%7C686ea1d3bc2b4c6fa92cd99c5c301635%7
> C0%7C0%7C637731984370210324%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC
> 4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&a
> mp;sdata=SMTu0Nn0SCYFQ0H6IxLo%2F9p4AkbG%2FS1E%2BD7ojMx52WQ%3D
> &amp;reserved=0

RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[ZHIZHIKIN Andrey]

Hello Gaurav,

> -----Original Message-----
> From: Gaurav Jain <gaurav.jain@nxp.com>
> Sent: Tuesday, November 23, 2021 8:22 AM
> To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka Jain
> <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>; Michael Walle
> <michael@walle.cc>
> Subject: RE: [EXT] RE: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring
> driver model
> 
> 
> Hello Andrey
> 

[snip]

> > >
> > > HAB is a code that is part of the ROM code which set the JR DID for all
> i.mx8M.
> > > I took the dumps on SPL boot which actually shows the JR DID set by HAB.
> > > Dump taken by you on kernel boot does not show the values set by ROM.
> > > IMX8MM
> > > JR0DID_MS = 0x8011
> > > JR1DID_MS = 0x8011
> > > JR2DID_MS = 0x0
> > >
> > > IMX8MN
> > > JR0DID_MS = 0x8011
> > > JR1DID_MS = 0x8011
> > > JR2DID_MS = 0x0
> > >
> > > IMX8MP
> > > JR0DID_MS = 0x8011
> > > JR1DID_MS = 0x8011
> > > JR2DID_MS = 0x0
> >
> > This is an interesting piece of information, thanks a lot for the readout! So
> it
> > does look like that BootROM on all derivatives reserves JR0 and JR1 at the
> > beginning, letting the ATF to release only JR1 to NS world...
> >
> > Does IMX8MQ have the same reservation as well?
> >
> > > >
> > > > > With New implementation CAAM is enabled for i.MX8M derivative. Any
> > > > > JR whose DID is written in ATF, can be used in Uboot.
> > > > > JR0 is reserved for HAB so JR1 will be used for all i.MX8M derivatives.
> > > > >
> > > > > >
> > > > > > I'm wondering about several points here:
> > > > > > 1. Why does current implementation on have this reservation done
> > > > > > on imx8mm and
> > > > > >    where does this happen? None of the code pieces suggests that
> > > > > > it is
> > > > done in
> > > > > >    U-Boot, is it performed in BootROM?
> > > > >
> > > > > I cannot see if current implementation(SPL/Uboot) has reservation
> > > > > done for imx8mm.
> > > > > In ATF, we are reserving the JR0.
> > > >
> > > > I was not able to identify which part of ATF code is responsible to
> > > > program JR0DID_MS on imx8mm, the only thing I saw was the part where
> > > > the JR0 is held in S World *if* the JR0DID_MS is set to 0x8011. Can
> > > > you point out where is this performed in ATF code?
> > > >
> > > > If it is not in the ATF, then my question above still stands: which
> > > > component (HW or SW) programs JR0DID_MS, and why is it only done on
> > > > imx8mm derivative?
> > > HAB which is part of the ROM code sets the JR DID for all i.mx8M.
> > > >
> > > > >
> > > > > > 2. What is the intention of having JR0 reserved for all
> > > > > > derivatives? Is
> > > this
> > > > > >    the part of a bigger change that stretches across different
> > > > > > SW
> > > > components
> > > > > >    (e.g. ATF, OP-TEE, etc.)? If that is the case - then a more detailed
> > > > > >    description would be appreciated here.
> > > > > >
> > > > > > ATF code already accounts for this reservation in commit:
> > > > > > a83a7c65e ("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB
> > > > > > is using it") [1], but there is no description on why is this required
> though.
> > > > > >
> > > > > > If this is required for HAB feature, then the question is:
> > > > > > should it be kept in
> > > > > S
> > > > > > World when U-Boot starts, or SPL can release it after the binary
> > > > > > is verified
> > > > > and
> > > > > > crypto facilities are not in use anymore?
> > > > >
> > > > > Commit: a83a7c65e reserves JR0 for HAB and not released to NS but
> > > > > JR1,
> > > > > JR2 are released to NS.
> > > >
> > > > Then I believe this change should be in-sync with ATF
> > > > implementation, because of the fact that your change can have any
> > > > arbitrary JR to be held in S World.
> > > >
> > > > What would happen if for example JR1 is programmed with TZ_OWN, but
> > > > ATF releases it to NS world? Can it be used by Kernel afterwards? Or
> > > > should the node be disabled here so that Kernel does not even see JR1
> during
> > boot?
> > > >
> > > Since JR0 is marked as disabled in DT, so SPL is only accessing single
> > > job ring and setting the JR1 DID as 0x8011.
> > > After SPL boots successfully, ATF is releasing JR1 and JR2 to NS by
> > > modifying the JRDID_MS as 0x1.
> > > Uboot is also accessing single jobring which is JR1.
> > > JR0 is only reserved for secure boot.
> >
> > Is it safe to assume that JR1 is then accessible from both S and NS Worlds?
> >
> > If that is the case, then that would actually mean that JRx status on DT should
> be
> > set as following:
> >
> > &sec_jr0 {
> >         status = "disabled";
> >         secure-status = "okay";
> > };
> >
> > &sec_jr1 {
> >         secure-status = "okay";
> > };
> >
> > &sec_jr2 {
> >         secure-status = "disabled";
> > };
> >
> > This would effectively mean:
> > JR0 - S-only,
> > JR1 - visible in both
> > JR2 - NS-only
> >
> > Please note, that as this configuration is applicable to both Kernel and U-Boot
> -
> > the above block should be defined in Kernel DT for all i.MX8M derivatives, and
> > picked up with the next U-Boot DTB re-sync.
> >
> > As I'm working on V3 for CAAM clean-up in the Kernel [1] - I can submit those
> > configuration changes, but I would need a confirmation from you if this is an
> > expected JR configuration, and whether IMX8MQ have the same setup.
> >
> IMX8MQ has same values.
> JR0DID_MS = 0x8011
> JR1DID_MS = 0x8011
> JR2DID_MS = 0x0
> 
> For now we are only reserving JR0 for secure boot. JR1 DID is later modified in
> ATF to 0x1. JR2 can be used by OPTEE which is secure and can set the DID before
> accessing the JR2.
> Setting secure-status as disabled for JR2 could break OPTEE.

I see no trouble here, as OPTEE does set the "secure-status" by itself if the
resource should be exclusively reserved in S World via dt_enable_secure_status()
call. What OPTEE does check is the "status" binding to identify which JR is
available, and setting secure-status = "disabled" does not imply status = "disabled".
JR device inquiry and reservation is done in caam_hal_cfg_get_jobring_dt() call,
see [1]. 

> "secure-status" property is not used in uboot CAAM driver code so how this is
> going to affect the caam driver working in SPL/Uboot?

The above snippet I proposed should be introduced in the Kernel DT, and then picked
up by U-Boot a the re-sync. It would not affect the U-Boot in any way, since the
"secure-status" property is not processed in it.

ATF uses register readout to identify which JR is held in S World, there is no impact
there as well.

OPTEE uses internal functions to set the proper secure-status, so it is beneficial to
Introduce DT bindings that it sets.

Kernel currently does not look at "secure-status" as well as U-Boot, and I'm not sure
if it is relevant for the moment.

Moreover, above snippet does reflect how the SW entities are seeing HW configurations
which comes out of the reset, isn't it?

> I am not sure about the kernel caam driver how secure-status is processed. For
> kernel JR configuration I cannot confirm.
> I would suggest to take the opinion from kernel caam maintainers as well.

I guess Horia can comment here regarding the above proposed status.

> 
> > >
> > > > So far, ATF only examines the JR0DID_MS content, and not all the others...
> > > >
> > > > > HAB uses JR0 for secure boot on all i.MX8M derivatives. Uboot
> > > > > calls HAB API for authenticating kernel.
> > > >
> > > > This implies then that the JR0 is permanently held in S World and
> > > > stays there for entire device powercycle and cannot be reclaimed in NS
> > World?
> > > Yes JR0 is held in S world.
> > >
> > >  In this
> > > > case, the DT node should be completely removed from DTB file so no
> > > > SW entity can even see it (as it is in a total possession of HW
> mechanisms).
> > > >
> > > We can consider this change after this patch series is merged.
> > > Currently I have disabled the JR0 in device tree.
> >
> > I guess with the proposed DT configuration this point would be covered as well,
> > isn't it? There would be no need to remove the node, as it would be marked
> > disabled in NS and enabled in S Worlds. I believe it is better to set the
> status as I
> > proposed, because that information in DT is transparent for everyone (removing
> > node raises questions regarding HW availability to me).
> 
> CAAM driver is used in spl, atf, optee, uboot, kernel.
> Spl and uboot can work with JR1 only. For other components it will be good to
> have their opinion.
> 
> >
> > >
> > > > >
> > > > > >
> > > > > > > +       jrdid_ms = JRDID_MS_TZ_OWN | JRDID_MS_PRIM_TZ |
> > > > > > > + JRDID_MS_PRIM_DID;
> > > > > >
> > > > > > What is the intention of setting JRDID_MS_PRIM_TZ? Isn't setting
> > > > > > JRDID_MS_TZ_OWN would be sufficient here?
> > > > >
> > > > > PRIM_TZ bit is set to 1 to indicate that only SecureWorld can
> > > > > access registers in that Job Ring's register page
> > > >
> > > > But would it not be enough just to set TZ_OWN? If I read SRM
> > > > correct: only TZ_OWN is enough to hold the JR in S World.
> > > >
> > > HAB is also setting 0x8011 as JR DID. It is better to be in sync with HAB.
> >
> > Do you know what is the reason for HAB to set PRIM_TZ bit? Is there any
> > specific reason for this?
> 
> To restrict JR register page access to Secure World, PRIM_TZ bit is set.
> So later in ATF we can decide which JobRing to release to NS.
> 
> Regards
> Gaurav Jain
> >
> > >
> > > Regards
> > > Gaurav Jain
> > >
> > > > >
> > > >
> > > > [snip]
> > > >
> > > > > >
> > > >
> > > > -- andrey
> >
> > -- andrey
> >

-- andrey

Link: [1]: https://github.com/OP-TEE/optee_os/blob/fd140f7eebbbee0c80f681b8bc1aad4b81f60194/core/drivers/crypto/caam/hal/common/hal_cfg_dt.c#L93

RE: [EXT] RE: [PATCH v5 11/16] crypto/fsl: Fix kick_trng

[Gaurav Jain]

Hello Andrey

> -----Original Message-----
> From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> Sent: Tuesday, November 23, 2021 1:15 AM
> To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Priyanka
> Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>;
> Sahil Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta
> <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-uboot-imx
> <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>; Mingkai Hu
> <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>; Meenakshi
> Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean
> <olteanv@gmail.com>; Michael Walle <michael@walle.cc>
> Subject: [EXT] RE: [PATCH v5 11/16] crypto/fsl: Fix kick_trng
> 
> Caution: EXT Email
> 
> Hello Gaurav,
> 
> > -----Original Message-----
> > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> > Sent: Monday, November 15, 2021 8:00 AM
> > To: u-boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano
> > Di Ninno <silvano.dininno@nxp.com>; Sahil malhotra
> > <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> > Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>;
> > Shengzhou Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu
> > <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>;
> Meenakshi
> > Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> Kumar
> > <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian
> > Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > Subject: [PATCH v5 11/16] crypto/fsl: Fix kick_trng
> >
> >
> > From: Ye Li <ye.li@nxp.com>
> >
> > fix hwrng performance issue in kernel.
> 
> This patch is missing some context information, specifically which performance
> issue does exist in the Kernel (with some quantification), and how is it addressed
> here.
> 
> This function introduced with this patch already exist in the Kernel [1], and the
> implementation does differ from Kernel one. Specifically, this patch lowers the
> number of test samples that are run to decide whether the entropy generated by
> TRNG is sufficiently random: it reduces the monobit count range, poker test
> limits, and number or runs for consecutive 0's and 1's.
> 
> Considering the fact that after TRNG is initialized - JDKEK, TDKEK and TDSK are
> preloaded from the RNG and are locked until the next PoR, Kernel will not re-
> initialize the TRNG (in fact, there is a check that is done in the Kernel not to
> touch RNG if it is already initialized [2]), and this would leave the Crypto facilities
> running in the Kernel to use entropy model that is defined here. In this case, at
> least a justification of this change should be made clear - e.g. significant speed
> improvement over reduced entropy (with quantifiable numbers).
> 
> In addition, with those new parameter set, would the RNG pass FIPS 140-2 test?
TRNG is configured to pass FIPS certification, but will double check and confirm you. 

You are correct if RNG is instantiated in Uboot then kernel will not reinitialize.
77% performance drop was observed on IMX6/7/8 platforms (0.3 kB/s) compared to 1.3kB/s.
With this change hwrng performance improved to 1.3 kB/s.

> 
> >
> > Signed-off-by: Ye Li <ye.li@nxp.com>
> > Acked-by: Gaurav Jain <gaurav.jain@nxp.com>>
> > ---
> >  drivers/crypto/fsl/jr.c | 109 ++++++++++++++++++++++++++++++++++------
> >  include/fsl_sec.h       |   1 +
> >  2 files changed, 94 insertions(+), 16 deletions(-)
> >
> > diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c index
> > 9b751aca9b..ef136988b6 100644
> > --- a/drivers/crypto/fsl/jr.c
> > +++ b/drivers/crypto/fsl/jr.c
> > @@ -602,30 +602,107 @@ static u8 get_rng_vid(ccsr_sec_t *sec)
> >   */
> >  static void kick_trng(int ent_delay, ccsr_sec_t *sec)  {
> > +       u32 samples  = 512; /* number of bits to generate and test */
> > +       u32 mono_min = 195;
> > +       u32 mono_max = 317;
> > +       u32 mono_range  = mono_max - mono_min;
> > +       u32 poker_min = 1031;
> > +       u32 poker_max = 1600;
> > +       u32 poker_range = poker_max - poker_min + 1;
> > +       u32 retries    = 2;
> > +       u32 lrun_max   = 32;
> > +       s32 run_1_min   = 27;
> > +       s32 run_1_max   = 107;
> > +       s32 run_1_range = run_1_max - run_1_min;
> > +       s32 run_2_min   = 7;
> > +       s32 run_2_max   = 62;
> > +       s32 run_2_range = run_2_max - run_2_min;
> > +       s32 run_3_min   = 0;
> > +       s32 run_3_max   = 39;
> > +       s32 run_3_range = run_3_max - run_3_min;
> > +       s32 run_4_min   = -1;
> > +       s32 run_4_max   = 26;
> > +       s32 run_4_range = run_4_max - run_4_min;
> > +       s32 run_5_min   = -1;
> > +       s32 run_5_max   = 18;
> > +       s32 run_5_range = run_5_max - run_5_min;
> > +       s32 run_6_min   = -1;
> > +       s32 run_6_max   = 17;
> > +       s32 run_6_range = run_6_max - run_6_min;
> > +       u32 val;
> 
> Why does those values are lowered with respect to what is provided by default?
> A bit more explanation on why those primes are chosen here would be good to
> have, together with documenting default values (so people can compare).

For TRNG to generate 256 bits of entropy, recommended RTSDCTL[SAMP_SIZE] is 512.
RTSDCTL[SAMP_SIZE] is changed from default POR value 2500 to 512. So does self-test  values are lowered.
modeling of these values is not public.
Lower sample size results in increased hwrng performance.

> 
> > +
> >         struct rng4tst __iomem *rng =
> >                         (struct rng4tst __iomem *)&sec->rng;
> > -       u32 val;
> >
> > -       /* put RNG4 into program mode */
> > -       sec_setbits32(&rng->rtmctl, RTMCTL_PRGM);
> > -       /* rtsdctl bits 0-15 contain "Entropy Delay, which defines the
> > -        * length (in system clocks) of each Entropy sample taken
> > -        * */
> > +       /* Put RNG in program mode */
> > +       /* Setting both RTMCTL:PRGM and RTMCTL:TRNG_ACC causes TRNG to
> > +        * properly invalidate the entropy in the entropy register and
> > +        * force re-generation.
> > +        */
> > +       sec_setbits32(&rng->rtmctl, RTMCTL_PRGM | RTMCTL_ACC);
> > +
> > +       /* Configure the RNG Entropy Delay
> > +        * Performance-wise, it does not make sense to
> > +        * set the delay to a value that is lower
> > +        * than the last one that worked (i.e. the state handles
> > +        * were instantiated properly. Thus, instead of wasting
> > +        * time trying to set the values controlling the sample
> > +        * frequency, the function simply returns.
> > +        */
> >         val = sec_in32(&rng->rtsdctl);
> > -       val = (val & ~RTSDCTL_ENT_DLY_MASK) |
> > -             (ent_delay << RTSDCTL_ENT_DLY_SHIFT);
> > +       val &= RTSDCTL_ENT_DLY_MASK;
> > +       val >>= RTSDCTL_ENT_DLY_SHIFT;
> > +       if (ent_delay < val) {
> > +               /* Put RNG4 into run mode */
> > +               sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM | RTMCTL_ACC);
> > +               return;
> > +       }
> > +
> > +       val = (ent_delay << RTSDCTL_ENT_DLY_SHIFT) | samples;
> >         sec_out32(&rng->rtsdctl, val);
> > -       /* min. freq. count, equal to 1/4 of the entropy sample length */
> > -       sec_out32(&rng->rtfreqmin, ent_delay >> 2);
> > -       /* disable maximum frequency count */
> > -       sec_out32(&rng->rtfreqmax, RTFRQMAX_DISABLE);
> > +
> >         /*
> > -        * select raw sampling in both entropy shifter
> > +        * Recommended margins (min,max) for freq. count:
> > +        *   freq_mul = RO_freq / TRNG_clk_freq
> > +        *   rtfrqmin = (ent_delay x freq_mul) >> 1;
> > +        *   rtfrqmax = (ent_delay x freq_mul) << 3;
> > +        * Given current deployments of CAAM in i.MX SoCs, and to simplify
> > +        * the configuration, we consider [1,16] to be a safe interval
> > +        * for the freq_mul and the limits of the interval are used to compute
> > +        * rtfrqmin, rtfrqmax
> > +        */
> > +       sec_out32(&rng->rtfreqmin, ent_delay >> 1);
> > +       sec_out32(&rng->rtfreqmax, ent_delay << 7);
> > +
> > +       sec_out32(&rng->rtscmisc, (retries << 16) | lrun_max);
> > +       sec_out32(&rng->rtpkrmax, poker_max);
> > +       sec_out32(&rng->rtpkrrng, poker_range);
> > +       sec_out32(&rng->rsvd1[0], (mono_range << 16) | mono_max);
> > +       sec_out32(&rng->rsvd1[1], (run_1_range << 16) | run_1_max);
> > +       sec_out32(&rng->rsvd1[2], (run_2_range << 16) | run_2_max);
> > +       sec_out32(&rng->rsvd1[3], (run_3_range << 16) | run_3_max);
> > +       sec_out32(&rng->rsvd1[4], (run_4_range << 16) | run_4_max);
> > +       sec_out32(&rng->rsvd1[5], (run_5_range << 16) | run_5_max);
> > +       sec_out32(&rng->rsvd1[6], (run_6_range << 16) | run_6_max);
> > +
> > +       val = sec_in32(&rng->rtmctl);
> > +       /*
> > +        * Select raw sampling in both entropy shifter
> >          * and statistical checker
> >          */
> > -       sec_setbits32(&rng->rtmctl, RTMCTL_SAMP_MODE_RAW_ES_SC);
> > -       /* put RNG4 into run mode */
> > -       sec_clrbits32(&rng->rtmctl, RTMCTL_PRGM);
> > +       val &= ~RTMCTL_SAMP_MODE_INVALID;
> > +       val |= RTMCTL_SAMP_MODE_RAW_ES_SC;
> > +       /* Put RNG4 into run mode */
> > +       val &= ~(RTMCTL_PRGM | RTMCTL_ACC);
> > +       /*test with sample mode only */
> > +       sec_out32(&rng->rtmctl, val);
> > +
> > +       /* Clear the ERR bit in RTMCTL if set. The TRNG error can occur when the
> > +        * RNG clock is not within 1/2x to 8x the system clock.
> > +        * This error is possible if ROM code does not initialize the system PLLs
> > +        * immediately after PoR.
> > +        */
> > +       /* setbits_le32(CAAM_RTMCTL, RTMCTL_ERR); */
> 
> Unused code?
Will remove in next version.

Regards
Gaurav Jain
> 
> >  }
> >
> >  static int rng_init(uint8_t sec_idx, ccsr_sec_t *sec) diff --git
> > a/include/fsl_sec.h b/include/fsl_sec.h index 7b6e3e2c20..2b3239414a
> > 100644
> > --- a/include/fsl_sec.h
> > +++ b/include/fsl_sec.h
> > @@ -34,6 +34,7 @@
> >  #if CONFIG_SYS_FSL_SEC_COMPAT >= 4
> >  /* RNG4 TRNG test registers */
> >  struct rng4tst {
> > +#define RTMCTL_ACC  0x20
> >  #define RTMCTL_PRGM 0x00010000 /* 1 -> program mode, 0 -> run mode */
> >  #define RTMCTL_SAMP_MODE_VON_NEUMANN_ES_SC     0 /* use von
> Neumann data in
> >                                                     both entropy
> > shifter and
> > --
> > 2.17.1
> 
> -- andrey
> 
> Link: [1]:
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.kernel
> .org%2Fpub%2Fscm%2Flinux%2Fkernel%2Fgit%2Ftorvalds%2Flinux.git%2Ftree%
> 2Fdrivers%2Fcrypto%2Fcaam%2Fctrl.c%3F%23n348&amp;data=04%7C01%7Cga
> urav.jain%40nxp.com%7Cbbe2039b156e48bb150f08d9adf09df7%7C686ea1d3b
> c2b4c6fa92cd99c5c301635%7C0%7C0%7C637732071238628119%7CUnknown
> %7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwi
> LCJXVCI6Mn0%3D%7C3000&amp;sdata=8mj6vKPdCZv%2FMYwbiH9Ooug6Eb8x
> 2tzuLskS3onp4Ks%3D&amp;reserved=0
> Link: [2]:
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.kernel
> .org%2Fpub%2Fscm%2Flinux%2Fkernel%2Fgit%2Ftorvalds%2Flinux.git%2Ftree%
> 2Fdrivers%2Fcrypto%2Fcaam%2Fctrl.c%3F%23n287&amp;data=04%7C01%7Cga
> urav.jain%40nxp.com%7Cbbe2039b156e48bb150f08d9adf09df7%7C686ea1d3b
> c2b4c6fa92cd99c5c301635%7C0%7C0%7C637732071238638112%7CUnknown
> %7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwi
> LCJXVCI6Mn0%3D%7C3000&amp;sdata=hx3Xc%2FXnbFJfHdbfFRsFN51oY7Iu64
> OvSzQTmQgJ3Bw%3D&amp;reserved=0

Re: [EXT] RE: [PATCH v5 11/16] crypto/fsl: Fix kick_trng

[Michael Walle]

Hi Gaurav,

Am 2021-11-23 11:44, schrieb Gaurav Jain:
>> > fix hwrng performance issue in kernel.
>> 
>> This patch is missing some context information, specifically which 
>> performance
>> issue does exist in the Kernel (with some quantification), and how is 
>> it addressed
>> here.
>> 
>> This function introduced with this patch already exist in the Kernel 
>> [1], and the
>> implementation does differ from Kernel one. Specifically, this patch 
>> lowers the
>> number of test samples that are run to decide whether the entropy 
>> generated by
>> TRNG is sufficiently random: it reduces the monobit count range, poker 
>> test
>> limits, and number or runs for consecutive 0's and 1's.
>> 
>> Considering the fact that after TRNG is initialized - JDKEK, TDKEK and 
>> TDSK are
>> preloaded from the RNG and are locked until the next PoR, Kernel will 
>> not re-
>> initialize the TRNG (in fact, there is a check that is done in the 
>> Kernel not to
>> touch RNG if it is already initialized [2]), and this would leave the 
>> Crypto facilities
>> running in the Kernel to use entropy model that is defined here. In 
>> this case, at
>> least a justification of this change should be made clear - e.g. 
>> significant speed
>> improvement over reduced entropy (with quantifiable numbers).
>> 
>> In addition, with those new parameter set, would the RNG pass FIPS 
>> 140-2 test?
> TRNG is configured to pass FIPS certification, but will double check
> and confirm you.
> 
> You are correct if RNG is instantiated in Uboot then kernel will not
> reinitialize.
> 77% performance drop was observed on IMX6/7/8 platforms (0.3 kB/s)
> compared to 1.3kB/s.
> With this change hwrng performance improved to 1.3 kB/s.

Did you test on other platforms like layerscape, too? Can we be sure
there will no impact with this change on other platforms which uses the
CAAM TRNG?

I have to agree with Andrey, there is little information *why* this is
done in exactly this way. I'd love to see a proper commit description
and comments here. I just see a bunch of magic numbers in the code.

-michael

RE: [EXT] RE: [PATCH v5 11/16] crypto/fsl: Fix kick_trng

[Gaurav Jain]

Hello Michael

> -----Original Message-----
> From: Michael Walle <michael@walle.cc>
> Sent: Tuesday, November 23, 2021 4:22 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>
> Cc: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> boot@lists.denx.de; Stefano Babic <sbabic@denx.de>; Fabio Estevam
> <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> <sjg@chromium.org>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>;
> Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil Malhotra
> <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou
> Liu <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian
> Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: Re: [EXT] RE: [PATCH v5 11/16] crypto/fsl: Fix kick_trng
> 
> Caution: EXT Email
> 
> Hi Gaurav,
> 
> Am 2021-11-23 11:44, schrieb Gaurav Jain:
> >> > fix hwrng performance issue in kernel.
> >>
> >> This patch is missing some context information, specifically which
> >> performance issue does exist in the Kernel (with some
> >> quantification), and how is it addressed here.
> >>
> >> This function introduced with this patch already exist in the Kernel
> >> [1], and the implementation does differ from Kernel one.
> >> Specifically, this patch lowers the number of test samples that are
> >> run to decide whether the entropy generated by TRNG is sufficiently
> >> random: it reduces the monobit count range, poker test limits, and
> >> number or runs for consecutive 0's and 1's.
> >>
> >> Considering the fact that after TRNG is initialized - JDKEK, TDKEK
> >> and TDSK are preloaded from the RNG and are locked until the next
> >> PoR, Kernel will not re- initialize the TRNG (in fact, there is a
> >> check that is done in the Kernel not to touch RNG if it is already
> >> initialized [2]), and this would leave the Crypto facilities running
> >> in the Kernel to use entropy model that is defined here. In this
> >> case, at least a justification of this change should be made clear -
> >> e.g.
> >> significant speed
> >> improvement over reduced entropy (with quantifiable numbers).
> >>
> >> In addition, with those new parameter set, would the RNG pass FIPS
> >> 140-2 test?
> > TRNG is configured to pass FIPS certification, but will double check
> > and confirm you.
> >
> > You are correct if RNG is instantiated in Uboot then kernel will not
> > reinitialize.
> > 77% performance drop was observed on IMX6/7/8 platforms (0.3 kB/s)
> > compared to 1.3kB/s.
> > With this change hwrng performance improved to 1.3 kB/s.
> 
> Did you test on other platforms like layerscape, too? Can we be sure there
> will no impact with this change on other platforms which uses the CAAM
> TRNG?
> 
Yes I tested Layerscape as well. I tested hwrng, blob encap/decap which works good.

> I have to agree with Andrey, there is little information *why* this is done in
> exactly this way. I'd love to see a proper commit description and comments
> here. I just see a bunch of magic numbers in the code.
> 
Will update the commit description in next version of this patch series.

Regards
Gaurav Jain
> -michael

RE: [EXT] Re: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job ring driver model

[Gaurav Jain]

Hello Michael

> -----Original Message-----
> From: Michael Walle <michael@walle.cc>
> Sent: Tuesday, November 16, 2021 4:32 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>
> Cc: Shengzhou Liu <shengzhou.liu@nxp.com>; Varun Sethi
> <V.Sethi@nxp.com>; Adrian Alonso <adrian.alonso@nxp.com>; Alison Wang
> <alison.wang@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> festevam@gmail.com; Franck Lenormand <franck.lenormand@nxp.com>;
> Horia Geanta <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>;
> Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Mingkai Hu
> <mingkai.hu@nxp.com>; olteanv@gmail.com; Pankaj Gupta
> <pankaj.gupta@nxp.com>; Peng Fan <peng.fan@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Priyanka Jain <priyanka.jain@nxp.com>;
> Rajesh Bhagat <rajesh.bhagat@nxp.com>; Sahil Malhotra
> <sahil.malhotra@nxp.com>; sbabic@denx.de; Silvano Di Ninno
> <silvano.dininno@nxp.com>; sjg@chromium.org; u-boot@lists.denx.de; dl-
> uboot-imx <uboot-imx@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Ye Li <ye.li@nxp.com>; Michael Walle <michael@walle.cc>
> Subject: [EXT] Re: [PATCH v5 01/16] crypto/fsl: Add support for CAAM Job
> ring driver model
> 
> Caution: EXT Email
> 
> > diff --git a/cmd/Kconfig b/cmd/Kconfig index 5b30b13e43..2b24672505
> > 100644
> > --- a/cmd/Kconfig
> > +++ b/cmd/Kconfig
> > @@ -2009,6 +2009,7 @@ config CMD_AES
> >
> >  config CMD_BLOB
> >       bool "Enable the 'blob' command"
> > +     select FSL_BLOB
> 
> this looks wrong, because CMD_BLOB sounds like a generic command but it
> will automatically select FSL_BLOB which in turn sounds freescale specific.
> Looking at the help text, this command is (at least at the moment) freescale
> specific, but the code seems to be generic and the blob_encap() and
> blob_decap() are weak functions, thus they could be implemented in a
> different way and not just by fsl_blob.c.
> 
> I don't think this should automatically select FSL_BLOB.
Ok.. will change in next version of this series.
> 
> Also, shouldn't this be an uclass with encap and decap ops?

I agree with your suggestion. but in the context of current patch series this is not required immediately.
Will test encap and decap function after converting as uclass ops and send a separate patch.

> 
> >       depends on !MX6ULL && !MX6SLL && !MX6SL
> >       select IMX_HAB if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP ||
> ARCH_IMX8M
> >       help
> > diff --git a/drivers/crypto/fsl/Kconfig b/drivers/crypto/fsl/Kconfig
> > index 94ff540111..ab59d516f8 100644
> > --- a/drivers/crypto/fsl/Kconfig
> > +++ b/drivers/crypto/fsl/Kconfig
> > @@ -66,4 +66,11 @@ config FSL_CAAM_RNG
> >         using the prediction resistance flag which means the DRGB is
> >         reseeded from the TRNG every time random data is generated.
> >
> > +config FSL_BLOB
> > +        bool "Enable Blob Encap/Decap, Blob KEK support"
> 
> wrong indendation?
Will be addressed in next version..

> 
> > +     help
> > +       Enable support for the hardware based crytographic blob
> encap/decap
> > +       module of the CAAM. blobs can be safely placed into non-volatile
> > +       storage. blobs can only be decapsulated by the SoC that created it.
> > +       Enable support for blob key encryption key generation.
> >  endif

RE: [EXT] Re: [PATCH v5 13/16] Layerscape: Enable Job ring driver model in U-Boot.

[Gaurav Jain]

Hello Michael

> -----Original Message-----
> From: Michael Walle <michael@walle.cc>
> Sent: Tuesday, November 16, 2021 4:51 PM
> To: Gaurav Jain <gaurav.jain@nxp.com>
> Cc: Shengzhou Liu <shengzhou.liu@nxp.com>; Varun Sethi
> <V.Sethi@nxp.com>; Adrian Alonso <adrian.alonso@nxp.com>; Alison Wang
> <alison.wang@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> festevam@gmail.com; Franck Lenormand <franck.lenormand@nxp.com>;
> Horia Geanta <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>;
> Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Mingkai Hu
> <mingkai.hu@nxp.com>; olteanv@gmail.com; Pankaj Gupta
> <pankaj.gupta@nxp.com>; Peng Fan <peng.fan@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Priyanka Jain <priyanka.jain@nxp.com>;
> Rajesh Bhagat <rajesh.bhagat@nxp.com>; Sahil Malhotra
> <sahil.malhotra@nxp.com>; sbabic@denx.de; Silvano Di Ninno
> <silvano.dininno@nxp.com>; sjg@chromium.org; u-boot@lists.denx.de; dl-
> uboot-imx <uboot-imx@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Ye Li <ye.li@nxp.com>; Michael Walle <michael@walle.cc>
> Subject: [EXT] Re: [PATCH v5 13/16] Layerscape: Enable Job ring driver model
> in U-Boot.
> 
> Caution: EXT Email
> 
> > LS(1021/1012/1028/1043/1046/1088/2088), LX2160, LX2162 platforms are
> > enabled with JR driver model.
> >
> > removed sec_init() call from board files.
> > removed CONFIG_FSL_CAAM from defconfig files.
> > sec is initialized based on job ring information processed from device
> > tree.
> >
> > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
> > ---
> >  arch/arm/cpu/armv7/ls102xa/Kconfig            |  4 +++
> >  arch/arm/cpu/armv7/ls102xa/cpu.c              | 16 +++++++++++
> >  arch/arm/cpu/armv8/fsl-layerscape/Kconfig     | 27 +++++++++++++++++++
> >  arch/arm/cpu/armv8/fsl-layerscape/cpu.c       | 10 ++++++-
> >  board/freescale/ls1012afrdm/ls1012afrdm.c     |  7 +----
> >  board/freescale/ls1012aqds/ls1012aqds.c       |  6 +----
> >  board/freescale/ls1012ardb/ls1012ardb.c       |  6 +----
> >  board/freescale/ls1021aiot/ls1021aiot.c       |  6 ++---
> >  board/freescale/ls1021aqds/ls1021aqds.c       |  6 +----
> >  board/freescale/ls1021atsn/ls1021atsn.c       |  7 ++---
> >  board/freescale/ls1021atwr/ls1021atwr.c       |  8 ++----
> >  board/freescale/ls1028a/ls1028a.c             |  6 +----
> >  board/freescale/ls1043ardb/ls1043ardb.c       |  6 +----
> >  board/freescale/ls1046afrwy/ls1046afrwy.c     |  7 +----
> >  board/freescale/ls1046aqds/ls1046aqds.c       |  7 +----
> >  board/freescale/ls1046ardb/ls1046ardb.c       |  6 +----
> >  board/freescale/ls1088a/ls1088a.c             |  6 +----
> >  board/freescale/ls2080aqds/ls2080aqds.c       |  6 +----
> >  board/freescale/ls2080ardb/ls2080ardb.c       |  9 +------
> >  board/freescale/lx2160a/lx2160a.c             |  5 ----
> >  configs/ls1021aiot_qspi_defconfig             |  1 -
> >  configs/ls1021aqds_nor_defconfig              |  1 -
> >  configs/ls1021aqds_qspi_defconfig             |  1 -
> >  configs/ls1021atsn_qspi_defconfig             |  1 -
> >  configs/ls1021atwr_nor_defconfig              |  1 -
> >  ...s1021atwr_sdcard_ifc_SECURE_BOOT_defconfig |  1 +
> >  configs/ls1028ardb_tfa_defconfig              |  1 -
> >  configs/ls1043ardb_tfa_defconfig              |  1 -
> >  configs/ls1046afrwy_tfa_defconfig             |  1 -
> >  configs/ls1046aqds_tfa_defconfig              |  1 -
> >  configs/ls1046ardb_tfa_defconfig              |  1 -
> >  configs/ls2088aqds_tfa_defconfig              |  1 -
> >  configs/ls2088ardb_tfa_defconfig              |  1 -
> >  configs/lx2160aqds_tfa_defconfig              |  1 -
> >  configs/lx2160ardb_tfa_defconfig              |  1 -
> >  configs/lx2162aqds_tfa_defconfig              |  1 -
> >  36 files changed, 75 insertions(+), 102 deletions(-)
> 
> board/kontron/sl28/sl28.c fixes are missing here. With this patch applied I'll
> get the following error during boot:
> 
> U-Boot 2022.01-rc2-00026-gf82ded5126-dirty (Nov 16 2021 - 11:16:40 +0100)
> 
> SoC:  LS1028A Rev1.0 (0x870b0110)
> Clock Configuration:
>        CPU0(A72):1300 MHz  CPU1(A72):1300 MHz
>        Bus:      400  MHz  DDR:      1600 MT/s
> Reset Configuration Word (RCW):
>        00000000: 34004010 00000030 00000000 00000000
>        00000010: 00000000 008f0000 0030c000 00000000
>        00000020: 06200000 00002580 00000000 00019016
>        00000030: 00000000 00000048 00000000 00000000
>        00000040: 00000000 00000000 00000000 00000000
>        00000050: 00000000 00000000 00000000 00000000
>        00000060: 00000304 00000000 000e7000 00000000
>        00000070: bb580000 00020000
> Model: Kontron SMARC-sAL28 (Dual PHY)
> EL:    3
> CPLD:  v64
> DRAM:  4 GiB (DDR3, 32-bit, CL=11, ECC on)
> caam_jr: caam not found
> 
> ^^ this error.
> 
> please add the following hunk to this patch:
> 
> diff --git a/board/kontron/sl28/sl28.c b/board/kontron/sl28/sl28.c index
> 9572502499..555e831f2a 100644
> --- a/board/kontron/sl28/sl28.c
> +++ b/board/kontron/sl28/sl28.c
> @@ -31,9 +31,6 @@ int board_early_init_f(void)
> 
>  int board_init(void)
>  {
> -       if (CONFIG_IS_ENABLED(FSL_CAAM))
> -               sec_init();
> -
>         return 0;
>  }

Added for next version of the patch.
> 
> >  config ARCH_LS1028A
> > @@ -53,6 +57,9 @@ config ARCH_LS1028A
> >       select SYS_FSL_ERRATUM_A011334
> >       select SYS_FSL_ESDHC_UNRELIABLE_PULSE_DETECTION_WORKAROUND
> >       select RESV_RAM if GIC_V3_ITS
> > +     select FSL_CAAM
> > +     select FSL_BLOB
> > +     select MISC
> 
> There are boards like the sl28 which also have ARCH_LS1028A set and
> doesn't depend on neither FSL_CAAM nor FSL_BLOB. Please don't set this per
> architecture. Both should be set by the individual boards instead as they are
> optional and having this here will just increase binary size.
> 
> Of course this is like to be true for all ARCH_LSxxx Kconfig options.
I agree with your suggestion. CAAM will be enabled for only LS1028AQDS and LS102ARDB.
Changes will be included in next version of this series.

Regards
Gaurav Jain
> 
> >       imply PANIC_HANG
> 
> -michael