brain-hackers_pepepper-mirror/u-boot-brain
1
0
Fork 0
mirror of https://github.com/brain-hackers/u-boot-brain synced 2024-06-09 23:36:03 +09:00
Code Issues Projects Releases Wiki Activity
c883f351e6
u-boot-brain/drivers/crypto/fsl
History
Bryan O'Donoghue 22191ac353 drivers/crypto/fsl: assign job-rings to non-TrustZone 
After enabling TrustZone various parts of the CAAM silicon become
inaccessible to non TrustZone contexts. The job-ring registers are designed
to allow non TrustZone contexts like Linux to still submit jobs to CAAM
even after TrustZone has been enabled.

The default job-ring permissions after the BootROM look like this for
job-ring zero.

ms=0x00008001 ls=0x00008001

The MS field is JRaMIDR_MS (job ring MID most significant).

Referring to "Security Reference Manual for i.MX 7Dual and 7Solo
Applications Processors, Rev. 0, 03/2017" section 8.10.4 we see that
JROWN_NS controls whether or not a job-ring is accessible from non
TrustZone.

Bit 15 (TrustZone) is the logical inverse of bit 3 hence the above value of
0x8001 shows that JROWN_NS=0 and TrustZone=1.

Clearly then as soon as TrustZone becomes active the job-ring registers are
no longer accessible from Linux, which is not what we want.

This patch explicitly sets all job-ring registers to JROWN_NS=1 (non
TrustZone) by default and to the Non-Secure MID 001. Both settings are
required to successfully assign a job-ring to non-secure mode. If a piece
of TrustZone firmware requires ownership of job-ring registers it can unset
the JROWN_NS bit itself.

This patch in conjunction with a modification of the Linux kernel to skip
HWRNG initialisation makes CAAM usable to Linux with TrustZone enabled.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Alex Porosanu <alexandru.porosanu@nxp.com>
Cc: Ruchika Gupta <ruchika.gupta@nxp.com>
Cc: Aneesh Bansal <aneesh.bansal@nxp.com>
Link: https://github.com/OP-TEE/optee_os/issues/1408
Link: https://tinyurl.com/yam5gv9a
Tested-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
2018-02-04 12:14:11 +01:00
..
desc_constr.h crypto/fsl: Correct 64-bit write when MMU disabled 2016-03-29 08:46:22 -07:00
desc.h Various, unrelated tree-wide typo fixes. 2016-07-16 09:43:12 -04:00
error.c fsl_sec: Add hardware accelerated SHA256 and SHA1 2014-10-16 14:17:07 -07:00
fsl_blob.c crypto/fsl: fix BLOB encapsulation and decapsulation 2018-01-08 08:26:03 -05:00
fsl_hash.c crypto/fsl: Fix HW accelerated hash commands 2018-01-23 11:21:20 -08:00
fsl_hash.h crypto/fsl - Add progressive hashing support using hardware acceleration. 2015-02-25 13:20:02 -08:00
fsl_rsa.c DM: crypto/fsl: Enable rsa DM driver usage before relocation 2016-07-26 09:01:21 -07:00
jobdesc.c arm: ls1046ardb: Add SD secure boot target 2017-04-17 09:03:30 -07:00
jobdesc.h imx6: Added DEK blob generator command 2015-03-02 09:57:06 +01:00
jr.c drivers/crypto/fsl: assign job-rings to non-TrustZone 2018-02-04 12:14:11 +01:00
jr.h drivers/crypto/fsl: assign job-rings to non-TrustZone 2018-02-04 12:14:11 +01:00
Kconfig Convert CONFIG_CMD_HASH to Kconfig 2017-05-22 12:38:15 -04:00
Makefile crypto/fsl: fix obj-yy in Makefile 2017-09-04 09:02:07 -04:00
rsa_caam.h DM: crypto/fsl - Add Freescale rsa DM driver 2015-01-29 17:09:58 -07:00
sec.c drivers/crypto/fsl: clean-up - use fdt_setprop_u32 helper 2015-08-03 12:06:38 -07:00