[U-Boot] [RESEND PATCH v3 0/2] Fix CAAM for TrustZone enable for warp7
Bryan O'Donoghue
bryan.odonoghue at linaro.org
Fri Jan 26 12:24:42 UTC 2018
V3:
- Changed location of sec_init() from warp.c::board_init() to
  soc.c::arch_misc_init() which will allow any i.MX7 which defines
  CONFIG_FSL_CAAM to forget about running sec_init().

V2:
- Add an explicit assignment of JRMID when setting job-ring ownership
  Required on my reference part where the JRMID field is not set on the
  third job-ring

V1:
This series is the u-boot fix to a problem we encountered when enabling
OPTEE/TrustZone on the WaRP7. The symptom is once TrustZone is activated
the first page of CAAM registers becomes read-only, read-zero from the
perspective of Linux and other non TrustZone contexts.

Offlining the problem with Peng Fan[1] we eventually came to realise the
problem could be worked around by

1. Making Linux skip RNG initialisation - a set of patches should be
   hitting LKML to do just that.

2. Initialising the RNG either from u-boot or OPTEE. In this case u-boot is
   the right place to do that because there's upstream code in u-boot that
   just works. Patch #2 does that for the WaRP7.

3. Ensuring the job-ring registers are assigned to the non TrustZone mode.
   On the i.MX7 after the BootROM runs the job-ring registers are assigned
   to TrustZone. Patch #1 does that for all CAAM hardware.

On point #3 this ordinarily isn't a problem because unless TrustZone is
activated the restrictions on the job-ring registers don't kick in, it's
only after enabling TrustZone that Linux will lose access to the job-ring
registers.

Finally should OPTEE or another TEE want to do things with the job-ring
registers it will have sufficient privilege to assign whichever job-ring
registers it wants to OPTEE/TEE but will naturally then have to arbitrate
with Linux to inform the Kernel CAAM driver which job-ring registers it can
and cannot access.

That arbitration process is for a future putative OPTEE/TEE CAAM driver to
solve and is out of scope of this patchset.

[1] Thanks for all of your help BTW - Peng, there's no way this would be
working without you giving direction on how.

Bryan O'Donoghue (2):
  drivers/crypto/fsl: assign job-rings to non-TrustZone
  imx: mx7: run sec_init for CAAM RNG

 arch/arm/mach-imx/mx7/soc.c | 4 ++++
 drivers/crypto/fsl/jr.c     | 9 +++++++++
 drivers/crypto/fsl/jr.h     | 2 ++
 3 files changed, 15 insertions(+)

--
2.7.4