From: Breno Matheus Lima
To: Fabio Estevam, "trini@konsulko.com", "sbabic@denx.de", "bryan.odonoghue@linaro.org"
Cc: Breno Matheus Lima, "aneesh.bansal@nxp.com", "u-boot@lists.denx.de", "brenomatheus@gmail.com", Ruchika Gupta, Silvano Di Ninno
Date: Fri, 5 Apr 2019 16:16:03 +0000
Subject: [U-Boot] [PATCH] crypto: fsl: jr: Make job-rings assignment non-Secure dependent
Message-ID: <1554480925-36-1-git-send-email-breno.lima@nxp.com>
X-Patchwork-Id: 1078534

Commit 22191ac35344 ("drivers/crypto/fsl: assign job-rings to non-TrustZone") breaks HABv4 encrypted boot support in the following i.MX devices:

- i.MX6UL
- i.MX7S
- i.MX7D
- i.MX7ULP

For preparing a HABv4 encrypted boot image it's necessary to encapsulate the generated DEK in a blob. In devices listed above the blob generation function takes into consideration the Job Ring TrustZone ownership configuration (JROWN_NS) and can only be decapsulated by the same configuration.

The ROM code expects DEK blobs encapsulated by the Secure World environments which commonly have JROWN_NS = 0.

As U-Boot is running in Secure World we must have JROWN_NS = 0 so the blobs generated by dek_blob tool can be decapsulated by the ROM code.

Linux Kernel is booting by default in TrustZone Secure World in most targets.

Make job-rings assignment to non-Secure dependent on CONFIG_OPTEE and CONFIG_ARMV7_BOOT_SEC_DEFAULT to avoid a Kernel crash when booting Linux in non-Secure World.

OP-TEE users can still use dek_blob command as job ring assignment is also dependent on CONFIG_CMD_DEKBLOB configuration.

Signed-off-by: Breno Lima
--- drivers/crypto/fsl/jr.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c index cc8d3b02a5..23d5a64da0 100644 --- a/drivers/crypto/fsl/jr.c +++ b/drivers/crypto/fsl/jr.c @@ -635,11 +635,15 @@ int sec_init_idx(uint8_t sec_idx) #endif #endif - /* Set ownership of job rings to non-TrustZone mode by default */ - for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) { - jrown_ns = sec_in32(&sec->jrliodnr[i].ms); - jrown_ns |= JROWN_NS | JRMID_NS; - sec_out32(&sec->jrliodnr[i].ms, jrown_ns); + if ((IS_ENABLED(CONFIG_OPTEE) || + !IS_ENABLED(CONFIG_ARMV7_BOOT_SEC_DEFAULT)) && + !IS_ENABLED(CONFIG_CMD_DEKBLOB)) { + /* Set ownership of job rings to non-TrustZone mode. */ + for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) { + jrown_ns = sec_in32(&sec->jrliodnr[i].ms); + jrown_ns |= JROWN_NS | JRMID_NS; + sec_out32(&sec->jrliodnr[i].ms, jrown_ns); + } } ret = jr_init(sec_idx);
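
Review bot: the `!IS_ENABLED(CONFIG_CMD_DEKBLOB)` term in the new `if` in sec_init_idx() means that any build with the dek_blob command enabled leaves the job rings Secure-owned even when CONFIG_OPTEE is set or CONFIG_ARMV7_BOOT_SEC_DEFAULT is unset, which is exactly the non-Secure Linux boot case the commit message says needs `JROWN_NS | JRMID_NS` set to avoid a kernel crash. If that combination is meant to be supported, ownership has to be handed to non-Secure before leaving U-Boot (after any DEK blob work is done) rather than decided only at compile time; if it is not supported, a Kconfig dependency or a note in the option's help text would make that explicit. The shortened comment "Set ownership of job rings to non-TrustZone mode." also no longer explains the decision: it should state that the ROM expects DEK blobs created with JROWN_NS = 0, so the rings stay Secure-owned unless Linux will run in non-Secure World. Since this is the shared drivers/crypto/fsl path and the breakage is described only for i.MX6UL, i.MX7S, i.MX7D and i.MX7ULP, please confirm that other callers of sec_init_idx() built with CONFIG_CMD_DEKBLOB or CONFIG_ARMV7_BOOT_SEC_DEFAULT still end up with the job ring ownership they rely on.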