diff mbox series

[v2,1/2] drivers/crypto/fsl: assign job-rings to non-TrustZone

Message ID 1516932578-19992-2-git-send-email-bryan.odonoghue@linaro.org
State Superseded
Headers show
Series Fix CAAM for TrustZone enable for warp7 | expand

Commit Message

Bryan O'Donoghue Jan. 26, 2018, 2:09 a.m. UTC
After enabling TrustZone various parts of the CAAM silicon become
inaccessible to non TrustZone contexts. The job-ring registers are designed
to allow non TrustZone contexts like Linux to still submit jobs to CAAM
even after TrustZone has been enabled.

The default job-ring permissions after the BootROM look like this for
job-ring zero.

ms=0x00008001 ls=0x00008001

The MS field is JRaMIDR_MS (job ring MID most significant).

Referring to "Security Reference Manual for i.MX 7Dual and 7Solo
Applications Processors, Rev. 0, 03/2017" section 8.10.4 we see that
JROWN_NS controls whether or not a job-ring is accessible from non
TrustZone.

Bit 15 (TrustZone) is the logical inverse of bit 3 hence the above value of
0x8001 shows that JROWN_NS=0 and TrustZone=1.

Clearly then as soon as TrustZone becomes active the job-ring registers are
no longer accessible from Linux, which is not what we want.

This patch explicitly sets all job-ring registers to JROWN_NS=1 (non
TrustZone) by default and to the Non-Secure MID 001. Both settings are
required to successfully assign a job-ring to non-secure mode. If a piece
of TrustZone firmware requires ownership of job-ring registers it can unset
the JROWN_NS bit itself.

This patch in conjunction with a modification of the Linux kernel to skip
HWRNG initialisation makes CAAM usable to Linux with TrustZone enabled.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Alex Porosanu <alexandru.porosanu@nxp.com>
Cc: Ruchika Gupta <ruchika.gupta@nxp.com>
Cc: Aneesh Bansal <aneesh.bansal@nxp.com>
Link: https://github.com/OP-TEE/optee_os/issues/1408
Link: https://tinyurl.com/yam5gv9a
---
 drivers/crypto/fsl/jr.c | 9 +++++++++
 drivers/crypto/fsl/jr.h | 2 ++
 2 files changed, 11 insertions(+)

Comments

Lukas Auer Jan. 26, 2018, 8:57 a.m. UTC | #1
On Fri, 2018-01-26 at 02:09 +0000, Bryan O'Donoghue wrote:
> After enabling TrustZone various parts of the CAAM silicon become

> inaccessible to non TrustZone contexts. The job-ring registers are

> designed

> to allow non TrustZone contexts like Linux to still submit jobs to

> CAAM

> even after TrustZone has been enabled.

> 

> The default job-ring permissions after the BootROM look like this for

> job-ring zero.

> 

> ms=0x00008001 ls=0x00008001

> 

> The MS field is JRaMIDR_MS (job ring MID most significant).

> 

> Referring to "Security Reference Manual for i.MX 7Dual and 7Solo

> Applications Processors, Rev. 0, 03/2017" section 8.10.4 we see that

> JROWN_NS controls whether or not a job-ring is accessible from non

> TrustZone.

> 

> Bit 15 (TrustZone) is the logical inverse of bit 3 hence the above

> value of

> 0x8001 shows that JROWN_NS=0 and TrustZone=1.

> 

> Clearly then as soon as TrustZone becomes active the job-ring

> registers are

> no longer accessible from Linux, which is not what we want.

> 

> This patch explicitly sets all job-ring registers to JROWN_NS=1 (non

> TrustZone) by default and to the Non-Secure MID 001. Both settings

> are

> required to successfully assign a job-ring to non-secure mode. If a

> piece

> of TrustZone firmware requires ownership of job-ring registers it can

> unset

> the JROWN_NS bit itself.

> 

> This patch in conjunction with a modification of the Linux kernel to

> skip

> HWRNG initialisation makes CAAM usable to Linux with TrustZone

> enabled.

> 

> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

> Cc: Fabio Estevam <fabio.estevam@nxp.com>

> Cc: Peng Fan <peng.fan@nxp.com>

> Cc: Alex Porosanu <alexandru.porosanu@nxp.com>

> Cc: Ruchika Gupta <ruchika.gupta@nxp.com>

> Cc: Aneesh Bansal <aneesh.bansal@nxp.com>

> Link: https://github.com/OP-TEE/optee_os/issues/1408

> Link: https://tinyurl.com/yam5gv9a

> ---

>  drivers/crypto/fsl/jr.c | 9 +++++++++

>  drivers/crypto/fsl/jr.h | 2 ++

>  2 files changed, 11 insertions(+)

> 

> diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c

> index a6dad01..34bd070 100644

> --- a/drivers/crypto/fsl/jr.c

> +++ b/drivers/crypto/fsl/jr.c

> @@ -579,6 +579,8 @@ int sec_init_idx(uint8_t sec_idx)

>  {

>  	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);

>  	uint32_t mcr = sec_in32(&sec->mcfgr);

> +	uint32_t jrown_ns;

> +	int i;

>  	int ret = 0;

>  

>  #ifdef CONFIG_FSL_CORENET

> @@ -634,6 +636,13 @@ int sec_init_idx(uint8_t sec_idx)

>  #endif

>  #endif

>  

> +	/* Set ownership of job rings to non-TrustZone mode by

> default */

> +	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {

> +		jrown_ns = sec_in32(&sec->jrliodnr[i].ms);

> +		jrown_ns |= JROWN_NS | JRMID_NS;

> +		sec_out32(&sec->jrliodnr[i].ms, jrown_ns);

> +	}

> +

>  	ret = jr_init(sec_idx);

>  	if (ret < 0) {

>  		printf("SEC initialization failed\n");

> diff --git a/drivers/crypto/fsl/jr.h b/drivers/crypto/fsl/jr.h

> index f546226..ef515e7 100644

> --- a/drivers/crypto/fsl/jr.h

> +++ b/drivers/crypto/fsl/jr.h

> @@ -34,6 +34,8 @@

>  #define JRNSLIODN_MASK		0x0fff0000

>  #define JRSLIODN_SHIFT		0

>  #define JRSLIODN_MASK		0x00000fff

> +#define JROWN_NS		0x00000008

> +#define JRMID_NS		0x00000001

>  

>  #define JQ_DEQ_ERR		-1

>  #define JQ_DEQ_TO_ERR		-2


Hi Bryan,

just successfully tested this on my imx7d board. Your addition in v2
was quite important since job ring 2 fails to probe otherwise (was
wondering why that happened yesterday). The CAAM and all job rings
probe successfully now.

Tested-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
diff mbox series

Patch

diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
index a6dad01..34bd070 100644
--- a/drivers/crypto/fsl/jr.c
+++ b/drivers/crypto/fsl/jr.c
@@ -579,6 +579,8 @@  int sec_init_idx(uint8_t sec_idx)
 {
 	ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx);
 	uint32_t mcr = sec_in32(&sec->mcfgr);
+	uint32_t jrown_ns;
+	int i;
 	int ret = 0;
 
 #ifdef CONFIG_FSL_CORENET
@@ -634,6 +636,13 @@  int sec_init_idx(uint8_t sec_idx)
 #endif
 #endif
 
+	/* Set ownership of job rings to non-TrustZone mode by default */
+	for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
+		jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
+		jrown_ns |= JROWN_NS | JRMID_NS;
+		sec_out32(&sec->jrliodnr[i].ms, jrown_ns);
+	}
+
 	ret = jr_init(sec_idx);
 	if (ret < 0) {
 		printf("SEC initialization failed\n");
diff --git a/drivers/crypto/fsl/jr.h b/drivers/crypto/fsl/jr.h
index f546226..ef515e7 100644
--- a/drivers/crypto/fsl/jr.h
+++ b/drivers/crypto/fsl/jr.h
@@ -34,6 +34,8 @@ 
 #define JRNSLIODN_MASK		0x0fff0000
 #define JRSLIODN_SHIFT		0
 #define JRSLIODN_MASK		0x00000fff
+#define JROWN_NS		0x00000008
+#define JRMID_NS		0x00000001
 
 #define JQ_DEQ_ERR		-1
 #define JQ_DEQ_TO_ERR		-2