[EXT] [REGRESSION]: v2022.07: SHA256 hash is broken on imx8m series with CAAM enabled

ZHIZHIKIN Andrey andrey.zhizhikin at leica-geosystems.com
Fri Oct 14 20:53:38 CEST 2022


Hello all,

> -----Original Message-----
> From: U-Boot <u-boot-bounces at lists.denx.de> On Behalf Of Rasmus Villemoes
> Sent: Friday, October 14, 2022 7:50 PM
> To: Peng Fan <peng.fan at oss.nxp.com>; ZHIZHIKIN Andrey <andrey.zhizhikin at leica-
> geosystems.com>; Gaurav Jain <gaurav.jain at nxp.com>
> Cc: u-boot at lists.denx.de; festevam at denx.de; sbabic at denx.de; Michael Walle
> <michael at walle.cc>; Tommaso Merciai <tommaso.merciai at amarulasolutions.com>;
> Michael Trimarchi <michael at amarulasolutions.com>; Marek Vasut <marex at denx.de>;
> Simon Glass <sjg at chromium.org>; Patrick Delaunay <patrick.delaunay at foss.st.com>;
> Stefan Roese <sr at denx.de>; Horia Geanta <horia.geanta at nxp.com>; Pankaj Gupta
> <pankaj.gupta at nxp.com>; Varun Sethi <V.Sethi at nxp.com>; Ye Li <ye.li at nxp.com>; dl-
> uboot-imx <uboot-imx at nxp.com>; trini <trini at konsulko.com>
> Subject: Re: [EXT] [REGRESSION]: v2022.07: SHA256 hash is broken on imx8m series
> with CAAM enabled
> 
> On 14/10/2022 03.00, Peng Fan wrote:
> >
> >>> Right now I am not sure what could cause the issue.
> >>> As per our previous discussions, JR0 can not be used in uboot, so you
> >>> need to
> >>> mark it as disabled until kernel device tree is not sync.
> >>
> >> Actually, I've given this a try by setting `status = "disabled"` in
> >> sec_jr0 node,
> >> and then the hash calculation was working again!
> >
> > Did you enable optee? If disabling sec_jr0 to make it work, i think
> > there is issue somewhere.
> >
> > With optee enabled, optee will take JR0. If optee not enabled, JR0 could
> > be used by U-Boot.
> 
> I can't speak for Andrey, but no, I don't enable/use optee on my imx8mp.

I also do not have an OP-TEE in my setup, but since upstream TF-A commit
77850c96f23b ("feat(plat/imx8m): do not release JR0 to NS if HAB is using
it") [1] this makes no difference, as JR0 would be permanently held in
S-World.

Downstream fork has the same implementation done in commit 961f90418874
("TEE-639 plat: imx8m: Do not release JR0 to NS if HAB is using it"), so it
is now consistent behavior across upstream and downstream.

This means that JR0 has to be permanently disabled in the DTB, with Kernel
being the first followed by the U-Boot sync.

This work has been already accomplished by Fabio in Kernel via commit
dc9c1ceb555f ("arm64: dts: imx8m: Disable job ring 0 nodes") [3], and sync'd
in for `imx8mm.dtsi` in commit 05996f350d48 ("imx8mm: Sync device tree with
linux-next 20220711") [4].

`imx8mp.dtsi` however was not sync'd in, so the JR0 disabling is left out. :(
This does explain why the SHA calculation are not operable for that SoC.

> 
> Rasmus

-- andrey

Link: [1]: http://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=77850c96f23bcdc76ecb0ecd27a982c00fde5d9d
Link: [2]: https://source.codeaurora.org/external/imx/imx-atf/commit/plat/imx/imx8m/imx8m_caam.c?id=961f904188746ce495af67a40f300f5b0bd50ca4
Link: [3]: https://github.com/torvalds/linux/commit/dc9c1ceb555ff661e6fc1081434600771f29657c
Link: [4]: https://source.denx.de/u-boot/u-boot/-/commit/05996f350d482d2a450173ce3340ee69c8f74ad4



More information about the U-Boot mailing list