imx7 issues with Secure and Non-Secure boot mode

imx7 issues with Secure and Non-Secure boot mode

[Emanuele Ghidoli]

Hello,

I'm currently facing issues with our board, Colibri-imx7,
regarding its behavior in different boot modes:

- Secure Mode (bootm_boot_mode=sec in U-Boot):
  When running Linux in secure mode, the idle time management does not function
  properly. The following error message is displayed during boot: 
  "CPUidle arm: CPU 0 failed to init idle CPU ops".

- Non-Secure Mode (bootm_boot_mode=nonsec in U-Boot):
  In non-secure mode, the caam_jr fails to initialize correctly,
  preventing the utilization of the hardware random number generation. 
  The error message shown during boot is: 
  "caam_jr 30901000.jr: failed to flush job ring before reset".

I have conducted tests using both mainline and 6.1 stable versions,
with consistent results.

I have also reviewed the following threads for potential solutions:

 - https://lore.kernel.org/u-boot/2536787.mZni4QDSI2@crypto/
 - https://lore.kernel.org/u-boot/CAByghJZn8d91uFr5JXSR=jXcfU4engZP_=buOk7MNNjaVeigLA@mail.gmail.com/
 - https://lore.kernel.org/all/20220608170223.1536594-1-festevam@denx.de/T/

The first thread leave me thinking the only solution is to use OPTEE,
but the last email is without any answer.
So, I am considering the utilization of OPTEE, as it seems it might address 
the issues discussed in the threads.
Could this configuration potentially resolve my current issues?

Your advice would be greatly appreciated.

Kind regards,

Emanuele Ghidoli

Re: imx7 issues with Secure and Non-Secure boot mode

[Emanuele Ghidoli]

On 07/03/2024 10:26, Emanuele Ghidoli wrote:
> Hello,
> 
> I'm currently facing issues with our board, Colibri-imx7,
> regarding its behavior in different boot modes:
> 
> - Secure Mode (bootm_boot_mode=sec in U-Boot):
>   When running Linux in secure mode, the idle time management does not function
>   properly. The following error message is displayed during boot: 
>   "CPUidle arm: CPU 0 failed to init idle CPU ops".
> 
> - Non-Secure Mode (bootm_boot_mode=nonsec in U-Boot):
>   In non-secure mode, the caam_jr fails to initialize correctly,
>   preventing the utilization of the hardware random number generation. 
>   The error message shown during boot is: 
>   "caam_jr 30901000.jr: failed to flush job ring before reset".
> 
> I have conducted tests using both mainline and 6.1 stable versions,
> with consistent results.
> 
> I have also reviewed the following threads for potential solutions:
> 
>  - https://lore.kernel.org/u-boot/2536787.mZni4QDSI2@crypto/
>  - https://lore.kernel.org/u-boot/CAByghJZn8d91uFr5JXSR=jXcfU4engZP_=buOk7MNNjaVeigLA@mail.gmail.com/
>  - https://lore.kernel.org/all/20220608170223.1536594-1-festevam@denx.de/T/
> 
> The first thread leave me thinking the only solution is to use OPTEE,
> but the last email is without any answer.
> So, I am considering the utilization of OPTEE, as it seems it might address 
> the issues discussed in the threads.
> Could this configuration potentially resolve my current issues?
> 
> Your advice would be greatly appreciated.
> 
> Kind regards,
> 
> Emanuele Ghidoli
Hello,
we are willing to use iMX7 without OP-TEE.

I saw that this patch was reverted, cause it is supposed that OPTEE is always used on iMX7:
22191ac35344 ("drivers/crypto/fsl: assign job-rings to non-TrustZone")

What do you think if I propose a slightly different version where 
I put the modifications conditionally under an U-Boot config?

Kind regards,
Emanuele

Re: imx7 issues with Secure and Non-Secure boot mode

[Marek Vasut]

On 3/7/24 10:26 AM, Emanuele Ghidoli wrote:
> Hello,
> 
> I'm currently facing issues with our board, Colibri-imx7,
> regarding its behavior in different boot modes:
> 
> - Secure Mode (bootm_boot_mode=sec in U-Boot):
>    When running Linux in secure mode, the idle time management does not function
>    properly. The following error message is displayed during boot:
>    "CPUidle arm: CPU 0 failed to init idle CPU ops".
> 
> - Non-Secure Mode (bootm_boot_mode=nonsec in U-Boot):
>    In non-secure mode, the caam_jr fails to initialize correctly,
>    preventing the utilization of the hardware random number generation.
>    The error message shown during boot is:
>    "caam_jr 30901000.jr: failed to flush job ring before reset".
> 
> I have conducted tests using both mainline and 6.1 stable versions,
> with consistent results.
> 
> I have also reviewed the following threads for potential solutions:
> 
>   - https://lore.kernel.org/u-boot/2536787.mZni4QDSI2@crypto/
>   - https://lore.kernel.org/u-boot/CAByghJZn8d91uFr5JXSR=jXcfU4engZP_=buOk7MNNjaVeigLA@mail.gmail.com/
>   - https://lore.kernel.org/all/20220608170223.1536594-1-festevam@denx.de/T/
> 
> The first thread leave me thinking the only solution is to use OPTEE,
> but the last email is without any answer.
> So, I am considering the utilization of OPTEE, as it seems it might address
> the issues discussed in the threads.
> Could this configuration potentially resolve my current issues?
> 
> Your advice would be greatly appreciated.

Have a look at U-Boot

1f908b1898bd ("ARM: imx8m: Deduplicate CAAM init with arch_misc_init() 
call")

Do you call this CAAM initialization on your machine ?

If not, try it, does it have any impact ?