[U-Boot] imx7d: CPU core issue in secure mode

Peng Fan peng.fan at nxp.com
Fri Jul 12 03:38:21 UTC 2019


> Subject: Re: [U-Boot] imx7d: CPU core issue in secure mode
> 
> + Peng
> 
> Hi Tobias, Peng,
> 
> On Thu, Jul 4, 2019 at 2:20 PM Tobias Junghans <tobias.junghans at veyon.io>
> wrote:
> >
> > Hi,
> >
> > I'm trying to get an imx7d-based Colibris board running in secure mode
> > in order to be able to use the CAAM, especially the HWRNG. However it
> > seems like it's currently not possible to boot a mainline kernel
> > (4.19) in secure mode with both CPU cores powered up, likely due to
> > the missing PSCI firmware in secure mode. When booting in nonsecure
> > mode the kernel recognizes both CPU cores while CAAM isn't working.
> > Basically it's the same issue as discussed at
> >
> > https://www.spinics.net/lists/u-boot-v2/msg33873.html
> >
> > I'm using the latest mainline U-Boot (2019.07-rc4) with
> > CONFIG_ARMV7_BOOT_SEC_DEFAULT=y. Is there anything I can do about
> > this issue?


Try "setenv bootm_boot_mode nonsec" in the U-Boot stage.

> >
> > Thank you and best regards
> >
> > Tobias
> 
> I might be mistaken, but AFAIK there was on-going work done by Peng Fan
> regarding proper CAAM initialization in the OP-TEE and further usage in the
> mainline kernel.

Silvano was doing the CAAM part in OP-TEE.

> 
> As I understood, the initial initialization of the jobrings is done in OP-TEE
> (which is booted before U-boot) in secure world, and then linux kernel,
> running in normal world, should be able to use it.
> Regarding PSCI, frankly, I have no idea who particularly should provide its
> support here: U-boot or OP-TEE (taking into account that in this setup U-boot
> is booted in non-secure PL2, so OP-TEE is the only one, who is able to provide
> secure runtime services, so-called secure monitor).
> 
> BTW, I also saw some setups, where similar things to do the same in U-boot
> (when it's booted in secure mode), which also does have its own
> implementation of secure monitor (subsequently PSCI) and CAAM driver,
> which probably does the same type of initialization, as in OP-TEE.
> 
> 
> Peng,
> Could you please provide some comments regarding this? Thanks!


There are PSCI services in U-Boot too. If you want a non-secure kernel without OP-TEE,
you need to set "setenv bootm_boot_mode nonsec" in the U-Boot stage.
If you want to run OP-TEE, do not set the env.

Regards,
Peng.

> 
> --
> Best regards - Freundliche Grüsse - Meilleures salutations
> 
> Igor Opaniuk
> 
> mailto: igor.opaniuk at gmail.com
> skype: igor.opanyuk
> +380 (93) 836 40 67
> http://ua.linkedin.com/in/iopaniuk

