[v10,02/14] i.MX8M: crypto: updated device tree for supporting DM in SPL

Message ID 20220112133127.16880-3-gaurav.jain@nxp.com
State Superseded
Delegated to: Stefano Babic
Series Add CAAM driver model support

Commit Message

Gaurav Jain Jan. 12, 2022, 1:31 p.m. UTC
disabled use of JR0 in SPL and uboot, as JR0 is reserved
for secure boot.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/dts/imx8mm-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
 arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi | 19 ++++++++++++++++++-
 arch/arm/dts/imx8mp-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
 arch/arm/dts/imx8mq-evk-u-boot.dtsi      |  4 ++++
 4 files changed, 58 insertions(+), 3 deletions(-)

Comments

ZHIZHIKIN Andrey Jan. 31, 2022, 9:45 p.m. UTC | #1
Hello Gaurav,

> -----Original Message-----
> From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> Sent: Wednesday, January 12, 2022 2:31 PM
> To: u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Michael Walle
> <michael@walle.cc>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>;
> Horia Geanta <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>; Shengzhou
> Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>; Gaurav Jain
> <gaurav.jain@nxp.com>
> Subject: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for supporting DM
> in SPL
> 
> disabled use of JR0 in SPL and uboot, as JR0 is reserved
> for secure boot.

I'd like to return to the original question here, which was not completely clarified
during previous reviews: where is the reservation restriction coming from?

BootROM does reserve the JR0 and JR1, which are later released by ATF. NXP downstream
ATF keeps the JR0 reserved, but upstream ATF does release *all* JRs to NS World.

If this reservation is taken like the patch proposes and U-Boot is built with upstream
ATF - this would eventually lead to the situation where the HW configuration is not
aligned with what DTB indicates.

Please note that a recent OP-TEE release has also re-mapped the JR it uses from JR0 to
JR2, which can also lead to usage of the JR which is already taken by OP-TEE. There is
an ongoing PR in OP-TEE to disable JR nodes via DT overlay for Linux [1], but I'm not
sure if the same applies to U-Boot as well.

> 
> Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> Reviewed-by: Ye Li <ye.li@nxp.com>
> ---
>  arch/arm/dts/imx8mm-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
>  arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi | 19 ++++++++++++++++++-
>  arch/arm/dts/imx8mp-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
>  arch/arm/dts/imx8mq-evk-u-boot.dtsi      |  4 ++++
>  4 files changed, 58 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi b/arch/arm/dts/imx8mm-evk-u-
> boot.dtsi
> index 6b459831e7..e5682ca165 100644
> --- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> @@ -1,6 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
> - * Copyright 2019 NXP
> + * Copyright 2019, 2021 NXP
>   */
> 
>  #include "imx8mm-u-boot.dtsi"
> @@ -68,6 +68,23 @@
>  	u-boot,dm-spl;
>  };
> 
> +&crypto {
> +	u-boot,dm-spl;
> +};
> +
> +&sec_jr0 {
> +	u-boot,dm-spl;
> +	status = "disabled";
> +};
> +
> +&sec_jr1 {
> +	u-boot,dm-spl;
> +};
> +
> +&sec_jr2 {
> +	u-boot,dm-spl;
> +};
> +
>  &usdhc1 {
>  	u-boot,dm-spl;
>  };
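Review bot: the `status = "disabled";` override on `&sec_jr0` carries no comment saying why the node is switched off or which firmware configuration it assumes. The only rationale is in the commit message ("JR0 is reserved for secure boot"), which a reader of the dtsi will not see. Add a one-line comment above the property naming what holds JR0, so the setting can be re-checked when the boot chain changes.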
> diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi b/arch/arm/dts/imx8mn-ddr4-
> evk-u-boot.dtsi
> index 1d3844437d..d8df863083 100644
> --- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> @@ -1,6 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
> - * Copyright 2019 NXP
> + * Copyright 2019, 2021 NXP
>   */
> 
>  / {
> @@ -104,6 +104,23 @@
>  	u-boot,dm-spl;
>  };
> 
> +&crypto {
> +	u-boot,dm-spl;
> +};
> +
> +&sec_jr0 {
> +	u-boot,dm-spl;
> +	status = "disabled";
> +};
> +
> +&sec_jr1 {
> +	u-boot,dm-spl;
> +};
> +
> +&sec_jr2 {
> +	u-boot,dm-spl;
> +};
> +
>  &usdhc1 {
>  	u-boot,dm-spl;
>  };
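Review bot: in `&sec_jr0`, `u-boot,dm-spl;` sits directly above `status = "disabled";`, so the node is tagged for the SPL device tree only to be disabled there. The imx8mq hunk of this same patch disables the node without the tag. Either drop the tag here or say in the commit message why SPL needs the disabled node to be present.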
> diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi b/arch/arm/dts/imx8mp-evk-u-
> boot.dtsi
> index ab849ebaac..f3f83ba303 100644
> --- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> @@ -1,6 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
> - * Copyright 2019 NXP
> + * Copyright 2019, 2021 NXP
>   */
> 
>  #include "imx8mp-u-boot.dtsi"
> @@ -67,6 +67,23 @@
>  	u-boot,dm-spl;
>  };
> 
> +&crypto {
> +	u-boot,dm-spl;
> +};
> +
> +&sec_jr0 {
> +	u-boot,dm-spl;
> +	status = "disabled";
> +};
> +
> +&sec_jr1 {
> +	u-boot,dm-spl;
> +};
> +
> +&sec_jr2 {
> +	u-boot,dm-spl;
> +};
> +
>  &i2c1 {
>  	u-boot,dm-spl;
>  };
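Review bot: the block `&crypto` / `&sec_jr0` / `&sec_jr1` / `&sec_jr2` added here is the same text already added to the imx8mm and imx8mn EVK files, and it lives in a board file although the stated reason (JR0 reserved for secure boot) is not board specific. Consider placing it in the SoC-level imx8mp-u-boot.dtsi that this file includes (and likewise for the other SoCs), so the JR policy is kept in one place and other boards inherit it.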
> diff --git a/arch/arm/dts/imx8mq-evk-u-boot.dtsi b/arch/arm/dts/imx8mq-evk-u-
> boot.dtsi
> index 6f9c81462e..8f1f942215 100644
> --- a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> @@ -10,3 +10,7 @@
>  	sd-uhs-sdr104;
>  	sd-uhs-ddr50;
>  };
> +
> +&sec_jr0 {
> +	status = "disabled";
> +};
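Review bot: this file only gets `&sec_jr0 { status = "disabled"; };`; unlike the other three boards there is no `u-boot,dm-spl;` on `&crypto`, `&sec_jr1` or `&sec_jr2`, although the subject says the patch prepares i.MX8M for DM in SPL. If imx8mq is intentionally left out of SPL support, state that in the commit message; otherwise add the same tags here.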
> --
> 2.17.1

Link: [1]: https://github.com/OP-TEE/optee_os/pull/5143
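
The alignment concern raised in the message above, as an added example (not code from this thread, U-Boot, TF-A or OP-TEE): a small checker that compares the JR status set by the patch's board fragments with the JRs each boot chain keeps in the secure world. The ownership table is an assumption built only from the statements made in this thread, and the base SoC dtsi is assumed to leave the JR nodes enabled.

```python
"""Cross-check CAAM job-ring (JR) status in U-Boot DT fragments against the
JRs held by the secure world in a given boot chain (added example)."""
import re

# Constructed input: the nodes this patch adds to the four board files.
FULL = """
&crypto  { u-boot,dm-spl; };
&sec_jr0 { u-boot,dm-spl; status = "disabled"; };
&sec_jr1 { u-boot,dm-spl; };
&sec_jr2 { u-boot,dm-spl; };
"""
BOARDS = {
    "imx8mm-evk": FULL,
    "imx8mn-ddr4-evk": FULL,
    "imx8mp-evk": FULL,
    "imx8mq-evk": '&sec_jr0 { status = "disabled"; };',
}

# Assumption: JRs held by the secure world per boot chain, modelled only from
# what the thread participants state (not read from hardware or firmware).
SECURE_HELD = {
    "downstream TF-A": {"sec_jr0"},
    "upstream TF-A": set(),
    "upstream TF-A + recent OP-TEE": {"sec_jr2"},
}
ALL_JRS = ("sec_jr0", "sec_jr1", "sec_jr2")

# Flat "&label { ... };" overrides only; nested nodes are out of scope here.
NODE_RE = re.compile(r"&(\w+)\s*\{(.*?)\};", re.S)
STATUS_RE = re.compile(r'status\s*=\s*"([^"]*)"')
DM_SPL_RE = re.compile(r"\bu-boot,dm-spl\s*;")


def parse_overrides(dts):
    """Return {label: {"status": str, "dm_spl": bool}} for each override."""
    nodes = {}
    for label, body in NODE_RE.findall(dts):
        status = STATUS_RE.search(body)
        nodes[label] = {
            # No status property in the override: assume the base dtsi's "okay".
            "status": status.group(1) if status else "okay",
            "dm_spl": bool(DM_SPL_RE.search(body)),
        }
    return nodes


def check(dts, secure_held):
    """List (jr, finding) pairs where DT status and ownership disagree."""
    nodes = parse_overrides(dts)
    findings = []
    for jr in ALL_JRS:
        enabled = nodes.get(jr, {"status": "okay"})["status"] == "okay"
        if enabled and jr in secure_held:
            findings.append((jr, "conflict: enabled in DT, held by secure world"))
        elif not enabled and jr not in secure_held:
            findings.append((jr, "stale: disabled in DT, released to NS world"))
    return findings


def spl_gaps(dts):
    """Enabled JRs that this fragment does not tag with u-boot,dm-spl."""
    nodes = parse_overrides(dts)
    gaps = []
    for jr in ALL_JRS:
        node = nodes.get(jr, {"status": "okay", "dm_spl": False})
        if node["status"] == "okay" and not node["dm_spl"]:
            gaps.append(jr)
    return gaps


def report():
    """Run every board fragment against every modelled boot chain."""
    return {
        board: {chain: check(dts, held) for chain, held in SECURE_HELD.items()}
        for board, dts in BOARDS.items()
    }


if __name__ == "__main__":
    for board, chains in report().items():
        for chain, findings in chains.items():
            for jr, msg in findings or [("-", "aligned")]:
                print(f"{board:16} {chain:30} {jr:8} {msg}")
        print(f"{board:16} untagged for SPL: {spl_gaps(BOARDS[board]) or 'none'}")
```

With the table above, only the downstream TF-A chain comes out aligned; the other two chains each produce a finding for the same fragment.
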
Michael Walle Jan. 31, 2022, 10:02 p.m. UTC | #2
Hi,

On 2022-01-31 22:45, ZHIZHIKIN Andrey wrote:
>> From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
>> Sent: Wednesday, January 12, 2022 2:31 PM
>> To: u-boot@lists.denx.de
>> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam 
>> <festevam@gmail.com>; Peng Fan
>> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Michael Walle
>> <michael@walle.cc>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li 
>> <ye.li@nxp.com>;
>> Horia Geanta <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck 
>> Lenormand
>> <franck.lenormand@nxp.com>; Silvano Di Ninno 
>> <silvano.dininno@nxp.com>; Sahil
>> malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta 
>> <pankaj.gupta@nxp.com>; Varun
>> Sethi <V.Sethi@nxp.com>; NXP i . MX U-Boot Team <uboot-imx@nxp.com>; 
>> Shengzhou
>> Liu <Shengzhou.Liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh 
>> Bhagat
>> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal 
>> <meenakshi.aggarwal@nxp.com>; Wasim
>> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod 
>> Kumar
>> <pramod.kumar_1@nxp.com>; Tang Yuantian <andy.tang@nxp.com>; Adrian 
>> Alonso
>> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>; Gaurav 
>> Jain
>> <gaurav.jain@nxp.com>
>> Subject: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for 
>> supporting DM
>> in SPL
>> 
>> disabled use of JR0 in SPL and uboot, as JR0 is reserved
>> for secure boot.
> 
> I'd like to return the original question here, which was not
> completely clarified
> during previous reviews: where does the reservation restriction is 
> coming from?
> 
> BootROM does reserve the JR0 and JR1, which are later released by ATF.
> NXP downstream
> ATF keeps the JR0 reserved, but upstream ATF does release *all* JRs to 
> NS World.
> 
> If this reservation is taken like the patch proposes and U-Boot is
> built with upstream
> ATF - this would eventually lead to the situation where the HW
> configuration is not
> aligned with what DTB indicates.
> 
> Please note, that recent OP-TEE release has also re-mapped the JR it
> uses from JR0 to
> JR2, which can also lead to usage of the JR which is already taken by
> OP-TEE. There is
> an ongoing PR in OP-TEE to disable JR nodes via DT overlay for Linux
> [1], but I'm not
> sure if the same applies to U-Boot as well.

From the referenced PR:

| On imx8m platforms, OP-TEE has no direct access to the Linux device
| tree. The OP-TEE CAAM driver must disable the secure JR through the
| device tree overlay.

Why is that the case? That "we create some kind of overlay and
hope it will fit" sounds very fragile to me. Who is applying this
overlay? Will it be applied for u-boot and linux or just for linux?

-michael

[1] https://github.com/OP-TEE/optee_os/pull/5143
Gaurav Jain Feb. 3, 2022, 5:27 a.m. UTC | #3
Hello Andrey

> -----Original Message-----
> From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> Sent: Tuesday, February 1, 2022 3:15 AM
> To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Michael
> Walle <michael@walle.cc>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano Di
> Ninno <silvano.dininno@nxp.com>; Sahil Malhotra <sahil.malhotra@nxp.com>;
> Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-
> uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>;
> Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>;
> Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: [EXT] RE: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for
> supporting DM in SPL
> 
> Caution: EXT Email
> 
> Hello Gaurav,
> 
> > -----Original Message-----
> > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> > Sent: Wednesday, January 12, 2022 2:31 PM
> > To: u-boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > <sjg@chromium.org>; Michael Walle <michael@walle.cc>; Priyanka Jain
> > <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > <franck.lenormand@nxp.com>; Silvano Di Ninno
> > <silvano.dininno@nxp.com>; Sahil malhotra <sahil.malhotra@nxp.com>;
> > Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>;
> > NXP i . MX U-Boot Team <uboot-imx@nxp.com>; Shengzhou Liu
> > <Shengzhou.Liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Alison
> > Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>;
> > Tang Yuantian <andy.tang@nxp.com>; Adrian Alonso
> > <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>; Gaurav
> > Jain <gaurav.jain@nxp.com>
> > Subject: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for
> > supporting DM in SPL
> >
> > disabled use of JR0 in SPL and uboot, as JR0 is reserved for secure
> > boot.
> 
> I'd like to return the original question here, which was not completely clarified
> during previous reviews: where does the reservation restriction is coming from?

As mentioned earlier JR0 is being used by high assurance boot (HAB). This prevents JR0 being used by any other software layer.
> 
> BootROM does reserve the JR0 and JR1, which are later released by ATF. NXP
> downstream ATF keeps the JR0 reserved, but upstream ATF does release *all*
> JRs to NS World.
> 
> If this reservation is taken like the patch proposes and U-Boot is built with
> upstream ATF - this would eventually lead to the situation where the HW
> configuration is not aligned with what DTB indicates.

I agree with you, we will address this in the upstream ATF code base as well.
> 
> Please note, that recent OP-TEE release has also re-mapped the JR it uses from
> JR0 to JR2, which can also lead to usage of the JR which is already taken by OP-
> TEE. There is an ongoing PR in OP-TEE to disable JR nodes via DT overlay for
> Linux [1], but I'm not sure if the same applies to U-Boot as well.

Yes, Sahil would be addressing this issue in the next version of his patch set.

Regards
Gaurav Jain
> 
> >
> > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > Reviewed-by: Ye Li <ye.li@nxp.com>
> > ---
> >  arch/arm/dts/imx8mm-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
> >  arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi | 19 ++++++++++++++++++-
> >  arch/arm/dts/imx8mp-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
> >  arch/arm/dts/imx8mq-evk-u-boot.dtsi      |  4 ++++
> >  4 files changed, 58 insertions(+), 3 deletions(-)
> >
> > diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> > b/arch/arm/dts/imx8mm-evk-u- boot.dtsi index 6b459831e7..e5682ca165
> > 100644
> > --- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> > +++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> > @@ -1,6 +1,6 @@
> >  // SPDX-License-Identifier: GPL-2.0+
> >  /*
> > - * Copyright 2019 NXP
> > + * Copyright 2019, 2021 NXP
> >   */
> >
> >  #include "imx8mm-u-boot.dtsi"
> > @@ -68,6 +68,23 @@
> >       u-boot,dm-spl;
> >  };
> >
> > +&crypto {
> > +     u-boot,dm-spl;
> > +};
> > +
> > +&sec_jr0 {
> > +     u-boot,dm-spl;
> > +     status = "disabled";
> > +};
> > +
> > +&sec_jr1 {
> > +     u-boot,dm-spl;
> > +};
> > +
> > +&sec_jr2 {
> > +     u-boot,dm-spl;
> > +};
> > +
> >  &usdhc1 {
> >       u-boot,dm-spl;
> >  };
> > diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> > b/arch/arm/dts/imx8mn-ddr4- evk-u-boot.dtsi index
> > 1d3844437d..d8df863083 100644
> > --- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> > +++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> > @@ -1,6 +1,6 @@
> >  // SPDX-License-Identifier: GPL-2.0+
> >  /*
> > - * Copyright 2019 NXP
> > + * Copyright 2019, 2021 NXP
> >   */
> >
> >  / {
> > @@ -104,6 +104,23 @@
> >       u-boot,dm-spl;
> >  };
> >
> > +&crypto {
> > +     u-boot,dm-spl;
> > +};
> > +
> > +&sec_jr0 {
> > +     u-boot,dm-spl;
> > +     status = "disabled";
> > +};
> > +
> > +&sec_jr1 {
> > +     u-boot,dm-spl;
> > +};
> > +
> > +&sec_jr2 {
> > +     u-boot,dm-spl;
> > +};
> > +
> >  &usdhc1 {
> >       u-boot,dm-spl;
> >  };
> > diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> > b/arch/arm/dts/imx8mp-evk-u- boot.dtsi index ab849ebaac..f3f83ba303
> > 100644
> > --- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> > +++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> > @@ -1,6 +1,6 @@
> >  // SPDX-License-Identifier: GPL-2.0+
> >  /*
> > - * Copyright 2019 NXP
> > + * Copyright 2019, 2021 NXP
> >   */
> >
> >  #include "imx8mp-u-boot.dtsi"
> > @@ -67,6 +67,23 @@
> >       u-boot,dm-spl;
> >  };
> >
> > +&crypto {
> > +     u-boot,dm-spl;
> > +};
> > +
> > +&sec_jr0 {
> > +     u-boot,dm-spl;
> > +     status = "disabled";
> > +};
> > +
> > +&sec_jr1 {
> > +     u-boot,dm-spl;
> > +};
> > +
> > +&sec_jr2 {
> > +     u-boot,dm-spl;
> > +};
> > +
> >  &i2c1 {
> >       u-boot,dm-spl;
> >  };
> > diff --git a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> > b/arch/arm/dts/imx8mq-evk-u- boot.dtsi index 6f9c81462e..8f1f942215
> > 100644
> > --- a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> > +++ b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> > @@ -10,3 +10,7 @@
> >       sd-uhs-sdr104;
> >       sd-uhs-ddr50;
> >  };
> > +
> > +&sec_jr0 {
> > +     status = "disabled";
> > +};
> > --
> > 2.17.1
> 
> Link: [1]: https://github.com/OP-TEE/optee_os/pull/5143

Gaurav Jain Feb. 11, 2022, 9:48 a.m. UTC | #4
Hello Andrey

I responded to your comments on this patch.
If you are good, can this patch series be merged?

Regards
Gaurav Jain

> -----Original Message-----
> From: Gaurav Jain
> Sent: Thursday, February 3, 2022 10:58 AM
> To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Michael
> Walle <michael@walle.cc>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano Di
> Ninno <silvano.dininno@nxp.com>; Sahil Malhotra <sahil.malhotra@nxp.com>;
> Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-
> uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>;
> Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>;
> Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: RE: [EXT] RE: [PATCH v10 02/14] i.MX8M: crypto: updated device tree
> for supporting DM in SPL
> 
> Hello Andrey
> 
> > -----Original Message-----
> > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > Sent: Tuesday, February 1, 2022 3:15 AM
> > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > <sjg@chromium.org>; Michael Walle <michael@walle.cc>; Priyanka Jain
> > <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > <franck.lenormand@nxp.com>; Silvano Di Ninno
> > <silvano.dininno@nxp.com>; Sahil Malhotra <sahil.malhotra@nxp.com>;
> > Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>;
> > dl- uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> > <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> Alison
> > Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>;
> > Andy Tang <andy.tang@nxp.com>; Adrian Alonso <adrian.alonso@nxp.com>;
> > Vladimir Oltean <olteanv@gmail.com>
> > Subject: [EXT] RE: [PATCH v10 02/14] i.MX8M: crypto: updated device
> > tree for supporting DM in SPL
> >
> > Caution: EXT Email
> >
> > Hello Gaurav,
> >
> > > -----Original Message-----
> > > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> > > Sent: Wednesday, January 12, 2022 2:31 PM
> > > To: u-boot@lists.denx.de
> > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > <sjg@chromium.org>; Michael Walle <michael@walle.cc>; Priyanka Jain
> > > <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > > <franck.lenormand@nxp.com>; Silvano Di Ninno
> > > <silvano.dininno@nxp.com>; Sahil malhotra <sahil.malhotra@nxp.com>;
> > > Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>;
> > > NXP i . MX U-Boot Team <uboot-imx@nxp.com>; Shengzhou Liu
> > > <Shengzhou.Liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > Alison
> > > Wang <alison.wang@nxp.com>; Pramod Kumar
> > <pramod.kumar_1@nxp.com>;
> > > Tang Yuantian <andy.tang@nxp.com>; Adrian Alonso
> > > <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>; Gaurav
> > > Jain <gaurav.jain@nxp.com>
> > > Subject: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for
> > > supporting DM in SPL
> > >
> > > disabled use of JR0 in SPL and uboot, as JR0 is reserved for secure
> > > boot.
> >
> > I'd like to return the original question here, which was not
> > completely clarified during previous reviews: where does the reservation
> restriction is coming from?
> 
> As mentioned earlier JR0 is being used by high assurance boot (HAB). This
> prevents JR0 being used by any other software layer.
> >
> > BootROM does reserve the JR0 and JR1, which are later released by ATF.
> > NXP downstream ATF keeps the JR0 reserved, but upstream ATF does
> > release *all* JRs to NS World.
> >
> > If this reservation is taken like the patch proposes and U-Boot is
> > built with upstream ATF - this would eventually lead to the situation
> > where the HW configuration is not aligned with what DTB indicates.
> 
> I agree with you, we will address this in the upstream ATF code base as well.
> >
> > Please note, that recent OP-TEE release has also re-mapped the JR it
> > uses from
> > JR0 to JR2, which can also lead to usage of the JR which is already
> > taken by OP- TEE. There is an ongoing PR in OP-TEE to disable JR nodes
> > via DT overlay for Linux [1], but I'm not sure if the same applies to U-Boot as
> well.
> 
> Yes, Sahil would be addressing this issue in the next version of  his patch set.
> 
> Regards
> Gaurav Jain
> >
> > >
> > > Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
> > > Reviewed-by: Ye Li <ye.li@nxp.com>
> > > ---
> > >  arch/arm/dts/imx8mm-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
> > >  arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi | 19 ++++++++++++++++++-
> > >  arch/arm/dts/imx8mp-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
> > >  arch/arm/dts/imx8mq-evk-u-boot.dtsi      |  4 ++++
> > >  4 files changed, 58 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> > > b/arch/arm/dts/imx8mm-evk-u- boot.dtsi index 6b459831e7..e5682ca165
> > > 100644
> > > --- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> > > +++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> > > @@ -1,6 +1,6 @@
> > >  // SPDX-License-Identifier: GPL-2.0+
> > >  /*
> > > - * Copyright 2019 NXP
> > > + * Copyright 2019, 2021 NXP
> > >   */
> > >
> > >  #include "imx8mm-u-boot.dtsi"
> > > @@ -68,6 +68,23 @@
> > >       u-boot,dm-spl;
> > >  };
> > >
> > > +&crypto {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > > +&sec_jr0 {
> > > +     u-boot,dm-spl;
> > > +     status = "disabled";
> > > +};
> > > +
> > > +&sec_jr1 {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > > +&sec_jr2 {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > >  &usdhc1 {
> > >       u-boot,dm-spl;
> > >  };
> > > diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> > > b/arch/arm/dts/imx8mn-ddr4- evk-u-boot.dtsi index
> > > 1d3844437d..d8df863083 100644
> > > --- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> > > +++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> > > @@ -1,6 +1,6 @@
> > >  // SPDX-License-Identifier: GPL-2.0+
> > >  /*
> > > - * Copyright 2019 NXP
> > > + * Copyright 2019, 2021 NXP
> > >   */
> > >
> > >  / {
> > > @@ -104,6 +104,23 @@
> > >       u-boot,dm-spl;
> > >  };
> > >
> > > +&crypto {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > > +&sec_jr0 {
> > > +     u-boot,dm-spl;
> > > +     status = "disabled";
> > > +};
> > > +
> > > +&sec_jr1 {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > > +&sec_jr2 {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > >  &usdhc1 {
> > >       u-boot,dm-spl;
> > >  };
> > > diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> > > b/arch/arm/dts/imx8mp-evk-u- boot.dtsi index ab849ebaac..f3f83ba303
> > > 100644
> > > --- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> > > +++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> > > @@ -1,6 +1,6 @@
> > >  // SPDX-License-Identifier: GPL-2.0+
> > >  /*
> > > - * Copyright 2019 NXP
> > > + * Copyright 2019, 2021 NXP
> > >   */
> > >
> > >  #include "imx8mp-u-boot.dtsi"
> > > @@ -67,6 +67,23 @@
> > >       u-boot,dm-spl;
> > >  };
> > >
> > > +&crypto {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > > +&sec_jr0 {
> > > +     u-boot,dm-spl;
> > > +     status = "disabled";
> > > +};
> > > +
> > > +&sec_jr1 {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > > +&sec_jr2 {
> > > +     u-boot,dm-spl;
> > > +};
> > > +
> > >  &i2c1 {
> > >       u-boot,dm-spl;
> > >  };
> > > diff --git a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> > > b/arch/arm/dts/imx8mq-evk-u- boot.dtsi index 6f9c81462e..8f1f942215
> > > 100644
> > > --- a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> > > +++ b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> > > @@ -10,3 +10,7 @@
> > >       sd-uhs-sdr104;
> > >       sd-uhs-ddr50;
> > >  };
> > > +
> > > +&sec_jr0 {
> > > +     status = "disabled";
> > > +};
> > > --
> > > 2.17.1
> >
> > Link: [1]: https://github.com/OP-TEE/optee_os/pull/5143

ZHIZHIKIN Andrey Feb. 11, 2022, 4:26 p.m. UTC | #5
Hello Gaurav,

Sorry, I somehow missed your last reply here.

Cc: Rouven

> -----Original Message-----
> From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> Sent: Friday, February 11, 2022 10:48 AM
> To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> boot@lists.denx.de
> Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>; Peng Fan
> <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Michael Walle
> <michael@walle.cc>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>;
> Horia Geanta <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> <franck.lenormand@nxp.com>; Silvano Di Ninno <silvano.dininno@nxp.com>; Sahil
> Malhotra <sahil.malhotra@nxp.com>; Pankaj Gupta <pankaj.gupta@nxp.com>; Varun
> Sethi <V.Sethi@nxp.com>; dl-uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat
> <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim
> Khan <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod Kumar
> <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>; Adrian Alonso
> <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> Subject: RE: [EXT] RE: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for
> supporting DM in SPL
> 
> Hello Andrey
> 
> I responded to your comments on this patch.
> If you are good, can this patch series merged?
> 
> Regards
> Gaurav Jain
> 
> > -----Original Message-----
> > From: Gaurav Jain
> > Sent: Thursday, February 3, 2022 10:58 AM
> > To: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>; u-
> > boot@lists.denx.de
> > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam <festevam@gmail.com>;
> > Peng Fan <peng.fan@nxp.com>; Simon Glass <sjg@chromium.org>; Michael
> > Walle <michael@walle.cc>; Priyanka Jain <priyanka.jain@nxp.com>; Ye Li
> > <ye.li@nxp.com>; Horia Geanta <horia.geanta@nxp.com>; Ji Luo
> > <ji.luo@nxp.com>; Franck Lenormand <franck.lenormand@nxp.com>; Silvano Di
> > Ninno <silvano.dininno@nxp.com>; Sahil Malhotra <sahil.malhotra@nxp.com>;
> > Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>; dl-
> > uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>;
> > Mingkai Hu <mingkai.hu@nxp.com>; Rajesh Bhagat <rajesh.bhagat@nxp.com>;
> > Meenakshi Aggarwal <meenakshi.aggarwal@nxp.com>; Wasim Khan
> > <wasim.khan@nxp.com>; Alison Wang <alison.wang@nxp.com>; Pramod
> > Kumar <pramod.kumar_1@nxp.com>; Andy Tang <andy.tang@nxp.com>;
> > Adrian Alonso <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>
> > Subject: RE: [EXT] RE: [PATCH v10 02/14] i.MX8M: crypto: updated device tree
> > for supporting DM in SPL
> >
> > Hello Andrey
> >
> > > -----Original Message-----
> > > From: ZHIZHIKIN Andrey <andrey.zhizhikin@leica-geosystems.com>
> > > Sent: Tuesday, February 1, 2022 3:15 AM
> > > To: Gaurav Jain <gaurav.jain@nxp.com>; u-boot@lists.denx.de
> > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > <sjg@chromium.org>; Michael Walle <michael@walle.cc>; Priyanka Jain
> > > <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > > <franck.lenormand@nxp.com>; Silvano Di Ninno
> > > <silvano.dininno@nxp.com>; Sahil Malhotra <sahil.malhotra@nxp.com>;
> > > Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>;
> > > dl- uboot-imx <uboot-imx@nxp.com>; Shengzhou Liu
> > > <shengzhou.liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > Alison
> > > Wang <alison.wang@nxp.com>; Pramod Kumar
> > <pramod.kumar_1@nxp.com>;
> > > Andy Tang <andy.tang@nxp.com>; Adrian Alonso <adrian.alonso@nxp.com>;
> > > Vladimir Oltean <olteanv@gmail.com>
> > > Subject: [EXT] RE: [PATCH v10 02/14] i.MX8M: crypto: updated device
> > > tree for supporting DM in SPL
> > >
> > > Caution: EXT Email
> > >
> > > Hello Gaurav,
> > >
> > > > -----Original Message-----
> > > > From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Gaurav Jain
> > > > Sent: Wednesday, January 12, 2022 2:31 PM
> > > > To: u-boot@lists.denx.de
> > > > Cc: Stefano Babic <sbabic@denx.de>; Fabio Estevam
> > > > <festevam@gmail.com>; Peng Fan <peng.fan@nxp.com>; Simon Glass
> > > > <sjg@chromium.org>; Michael Walle <michael@walle.cc>; Priyanka Jain
> > > > <priyanka.jain@nxp.com>; Ye Li <ye.li@nxp.com>; Horia Geanta
> > > > <horia.geanta@nxp.com>; Ji Luo <ji.luo@nxp.com>; Franck Lenormand
> > > > <franck.lenormand@nxp.com>; Silvano Di Ninno
> > > > <silvano.dininno@nxp.com>; Sahil malhotra <sahil.malhotra@nxp.com>;
> > > > Pankaj Gupta <pankaj.gupta@nxp.com>; Varun Sethi <V.Sethi@nxp.com>;
> > > > NXP i . MX U-Boot Team <uboot-imx@nxp.com>; Shengzhou Liu
> > > > <Shengzhou.Liu@nxp.com>; Mingkai Hu <mingkai.hu@nxp.com>; Rajesh
> > > > Bhagat <rajesh.bhagat@nxp.com>; Meenakshi Aggarwal
> > > > <meenakshi.aggarwal@nxp.com>; Wasim Khan <wasim.khan@nxp.com>;
> > > Alison
> > > > Wang <alison.wang@nxp.com>; Pramod Kumar
> > > <pramod.kumar_1@nxp.com>;
> > > > Tang Yuantian <andy.tang@nxp.com>; Adrian Alonso
> > > > <adrian.alonso@nxp.com>; Vladimir Oltean <olteanv@gmail.com>; Gaurav
> > > > Jain <gaurav.jain@nxp.com>
> > > > Subject: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for
> > > > supporting DM in SPL
> > > >
> > > > disabled use of JR0 in SPL and uboot, as JR0 is reserved for secure
> > > > boot.
> > >
> > > I'd like to return the original question here, which was not
> > > completely clarified during previous reviews: where does the reservation
> > restriction is coming from?
> >
> > As mentioned earlier JR0 is being used by high assurance boot (HAB). This
> > prevents JR0 being used by any other software layer.

From what I understood reading AN4581 and companion AN12056, HAB requires
JR only in case when Encrypted Boot is performed. For image signature
verification it is not required, hence this reservation does sound a bit
artificial to me. Please correct me here if my understanding is not complete,
I was not able to get this information from all the answers you provided
before on the purpose of this reservation.

This fact, coupled with the one that upstream TF-A does release all JR to
NS-World, suggests that the reservation is not actually necessary, and
moreover - it will not reflect what the HW configuration will be in
all combinations of BootROM->SPL->TF-A->(potentially OP-TEE)->Kernel.

Please note, that in case of downstream NXP TF-A is used here - this
reservation is rather valid, but it leads to "vendor locking" of
upstream U-Boot as it cannot be expected that all board/device vendors
are using downstream TF-A.

You do suggest below that this TF-A "mismatch" will be addressed in
upstream, but until this is done it is not reasonable to imply this
reservation IMHO.

As a side note: I had a patch series in the Kernel that performs
exactly the same reservation, but had to hold it back exactly because
of the reason I stated above: upstream TF-A does behave differently from
downstream NXP one, hence booting Kernel with either one of those would
have different results with respect to JR0 reservation, see [1]. So you
can say that I'm an "interested party" here, since depending on how this
is solved in the boot chain would influence my next version of the patch
set to the Kernel.

> > >
> > > BootROM does reserve the JR0 and JR1, which are later released by ATF.
> > > NXP downstream ATF keeps the JR0 reserved, but upstream ATF does
> > > release *all* JRs to NS World.
> > >
> > > If this reservation is taken like the patch proposes and U-Boot is
> > > built with upstream ATF - this would eventually lead to the situation
> > > where the HW configuration is not aligned with what DTB indicates.
> >
> > I agree with you, we will address this in the upstream ATF code base as well.

That would be really great! I would personally consider this as a first
step before at least this reservation is performed. This would ensure the
consistency of HW description that DT provides.

> > >
> > > Please note, that recent OP-TEE release has also re-mapped the JR it
> > > uses from JR0 to JR2, which can also lead to usage of the JR which is
> > > already taken by OP-TEE. There is an ongoing PR in OP-TEE to disable JR
> > > nodes via DT overlay for Linux [1], but I'm not sure if the same applies
> > > to U-Boot as well.
> >
> > Yes, Sahil would be addressing this issue in the next version of his
> > patch set.

Michael had a share of comments regarding the approach chosen for LS family,
and I think once that is solved - same solution can be applied to imx8 family.

> >
> > Regards
> > Gaurav Jain
> > >

Link: [1]: https://lore.kernel.org/lkml/AM6PR06MB4691D4FCA4D82284E70A9F53A64E9@AM6PR06MB4691.eurprd06.prod.outlook.com/

-- andrey

Patch

diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
index 6b459831e7..e5682ca165 100644
--- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
@@ -1,6 +1,6 @@ 
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include "imx8mm-u-boot.dtsi"
@@ -68,6 +68,23 @@ 
 	u-boot,dm-spl;
 };
 
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr0 {
+	u-boot,dm-spl;
+	status = "disabled";
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
 &usdhc1 {
 	u-boot,dm-spl;
 };
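Review bot: In the &sec_jr0 override, `status = "disabled";` lands with no comment saying why, so the reason given in the commit message ("JR0 is reserved for secure boot") is invisible to anyone reading the dtsi. Please add a comment on the node naming the component that holds JR0. Also, is `u-boot,dm-spl;` needed on a node that is disabled? If the tag is there only to carry the disabled status into the SPL device tree, say so in the comment; otherwise drop it.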
diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
index 1d3844437d..d8df863083 100644
--- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
@@ -1,6 +1,6 @@ 
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 / {
@@ -104,6 +104,23 @@ 
 	u-boot,dm-spl;
 };
 
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr0 {
+	u-boot,dm-spl;
+	status = "disabled";
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
 &usdhc1 {
 	u-boot,dm-spl;
 };
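Review bot: The unconditional `status = "disabled";` on &sec_jr0 hard-codes a firmware assumption in the board dtsi. The review above points out that upstream TF-A releases all job rings to the non-secure world while only the downstream NXP TF-A keeps JR0 reserved, so with upstream TF-A this node would not describe the hardware as configured. Either state the required TF-A behaviour in the commit message and in a comment on the node, or hold the reservation back until the TF-A change agreed in the thread has landed.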
diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
index ab849ebaac..f3f83ba303 100644
--- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
@@ -1,6 +1,6 @@ 
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2019 NXP
+ * Copyright 2019, 2021 NXP
  */
 
 #include "imx8mp-u-boot.dtsi"
@@ -67,6 +67,23 @@ 
 	u-boot,dm-spl;
 };
 
+&crypto {
+	u-boot,dm-spl;
+};
+
+&sec_jr0 {
+	u-boot,dm-spl;
+	status = "disabled";
+};
+
+&sec_jr1 {
+	u-boot,dm-spl;
+};
+
+&sec_jr2 {
+	u-boot,dm-spl;
+};
+
 &i2c1 {
 	u-boot,dm-spl;
 };
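Review bot: This &crypto/&sec_jr0/&sec_jr1/&sec_jr2 block is the third identical copy in the patch, and it is added to a board-level file that already includes "imx8mp-u-boot.dtsi" at the top. The job ring assignment depends on the SoC and its boot firmware rather than on the EVK, so consider putting the overrides in the SoC-level include; that keeps the copies from drifting and lets other boards that use the include pick them up.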
diff --git a/arch/arm/dts/imx8mq-evk-u-boot.dtsi b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
index 6f9c81462e..8f1f942215 100644
--- a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
@@ -10,3 +10,7 @@ 
 	sd-uhs-sdr104;
 	sd-uhs-ddr50;
 };
+
+&sec_jr0 {
+	status = "disabled";
+};
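Review bot: Only &sec_jr0 is touched for imx8mq: unlike the imx8mm, imx8mn and imx8mp hunks, there is no `u-boot,dm-spl;` on &crypto, &sec_jr1 or &sec_jr2, although the subject says the change is for supporting DM in SPL on i.MX8M. If imx8mq is meant to stay without CAAM in SPL, say so in the commit message; if not, the tags are missing here. The disabled status would also benefit from a comment on the node giving the reason.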