[U-Boot] [PATCH 4/4] crypto/fsl: Wrapper run_descriptor_jr_idx() to set jr permissions

Bryan O'Donoghue bryan.odonoghue at linaro.org
Tue Apr 23 10:19:48 UTC 2019

This patch sets the relevant set of job-rings to secure-world prior to
calling into run_descriptor_jr_idx(). As observed by Breno Matheus Lima the
DEK blob verification layer in NXP BootROMs performs a check on job-ring
ownership and requires the permission to be set to secure world.

Once run_descriptor_jr_idx() is complete we switch back to normal-world
ownership. Normal world job-ring ownership allows Linux to run in either
secure or normal world when using the CAAM, irrespective which is
ultimately what we want to support.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue at linaro.org>
 drivers/crypto/fsl/jr.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index 65982b8369..8ab92ad2f1 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -389,7 +389,13 @@ out:
 int run_descriptor_jr(uint32_t *desc)
-	return run_descriptor_jr_idx(desc, 0);
+	int ret;
+	sec_set_jr_context_secure();
+	ret = run_descriptor_jr_idx(desc, 0);
+	sec_set_jr_context_normal();
+	return ret;
 static inline int jr_reset_sec(uint8_t sec_idx)

More information about the U-Boot mailing list