[U-Boot] [PATCH 0/4 RFC] imx: Implement job-ring context switching

Bryan O'Donoghue bryan.odonoghue at linaro.org
Tue Apr 23 10:19:44 UTC 2019


This series implements an RFC to save/restore CAAM settings for the
job-rings prior to performing DEK blob verification.

This follows on from a converstion with Breno and Fabio where we discussed
how i.MX HAB implementations for the i.MX6 and i.MX7 will verify job-ring
ownership when doing DEK blob verification, which contrasts to HAB
authenticate image callbacks.

https://marc.info/?l=u-boot&m=155448099126800&w=2

The objective is to make job-ring ownership normal-world when handing over
from u-boot, so that a secure-world or normal-world Linux kernel has full
access to the CAAM job-rings.

By switching job-ring ownership to secure world prior to DEK blob
verification, we ensure the BootROM will be happy with the job-ring
ownership bits. Once DEK verification is complete we switch the job rings
back to normal world so that subsequent boot phases can be in either secure
or normal world.

Please note: compile tested but not runtime tested, I don't currently have
DEK blob encrypted images to test against - hence RFC on this patchset.

Bryan O'Donoghue (4):
  crypto/fsl: Introduce API to save/restore job-ring context
  crypto/fsl: Use __sec_set_jr_context_normal
  powerpc: mpc85xx: crypto: Implement mpc85xxx specific job-ring fix
  crypto/fsl: Wrapper run_descriptor_jr_idx() to set jr permissions

 arch/powerpc/cpu/mpc85xx/cpu_init.c | 22 ++++++++++++
 drivers/crypto/fsl/jr.c             | 53 +++++++++++++++++++++++++----
 include/fsl_sec.h                   |  3 ++
 3 files changed, 71 insertions(+), 7 deletions(-)

-- 
2.20.1



More information about the U-Boot mailing list