Master+imx caam fix #2986
Master+imx caam fix #2986
Conversation
0xB0D
force-pushed
the
master+imx_caam_fix
branch
3 times, most recently
from
677056b
to
a8c39ae
Compare
core/arch/arm/plat-imx/imx_caam.c
Outdated
| int i; | ||
|
|
||
| for (i = 0; i < CAAM_NUM_JOB_RINGS; i++) { | ||
| reg = io_read32(&caam->jr[i].jrmidr_ms); |
There was a problem hiding this comment.
Setting all Job rings to NS should not be a good idea, secure world also need one when caam is supported in secure world
There was a problem hiding this comment.
But..
If you want to use the CAAM in secure world you would run the driver NXP is upstreaming in #2962
If you don't want to run the CAAM in secure world, then the default as given here would still apply.
| @@ -1,7 +1,7 @@ | |||
| global-incdirs-y += . | |||
| srcs-y += main.c | |||
|
|
|||
| srcs-$(CFG_MX6)$(CFG_MX7) += mmdc.c imx-common.c | |||
| srcs-$(CFG_MX6)$(CFG_MX7) += mmdc.c imx-common.c imx_caam.c | |||
There was a problem hiding this comment.
I prefer a build CFG for this new function.
|
There is a bigger version of this feature in #2962 |
|
|
| #if defined(CFG_MX6ULL) | ||
| #define CAAM_NUM_JOB_RINGS 0 | ||
| #else | ||
| #define CAAM_NUM_JOB_RINGS 4 |
There was a problem hiding this comment.
At least the Security Reference Manuals I have for i.MX6Q and i.MX6UL document different numbers of job rings. Maybe @MrVan can clarify whether it is okay to assume four jobrings for all devices.
There was a problem hiding this comment.
ah damn.
I thought I probably wasn't getting full coverage on job-ring numbers - let me review the two you have flagged - thanks.
There was a problem hiding this comment.
Actually I believe four is the correct number.
https://github.com/u-boot/u-boot/blob/master/include/fsl_sec.h - line 84
https://github.com/u-boot/u-boot/blob/master/drivers/crypto/fsl/jr.c - line 636
The address-space maps 4 job-ring queues. You're right that not all processors implement 4 queues but the address space offset is valid.
It's up to the CAAM drivers - and their DTS configs to describe which runtime job-rings are used.
4 is the right value here though.
| @@ -32,4 +33,5 @@ static void init_csu(void) | |||
| void plat_cpu_reset_late(void) | |||
| { | |||
| init_csu(); | |||
| init_caam(); | |||
There was a problem hiding this comment.
Any reason why this is done in plat_cpu_reset_late? At least for this case the earliest user is the linux driver, in that case it can be moved to normal platform init.
There was a problem hiding this comment.
No reason at all. I located it with csu_init() because it seemed like the right place.
I can move it elsewhere - I don't think there's any barrier to that.
There was a problem hiding this comment.
plat_cpu_reset_late happens before the console is initialized, but since your code does not print anyway this is a minor nit on my part. If you go the route of implementing this into the driver subdir, this may be the correct place afterall, since the full CAAM implementation (if I remember correctly) should be initialized in plat_cpu_reset_late anyway. Take this with a grain of salt, I have not looked deep into the code yet.
|
@bryanodonoghue , thanks, |
0xB0D
force-pushed
the
master+imx_caam_fix
branch
from
b006097
to
014c7d9
Compare
|
Latest drop.
On point # 3 I think the right thing to-do is to set default CAAM permissions irrespective of whether or not the CAAM driver will be used in OP-TEE - i.e. we should not require compilation of the CAAM driver to setup the job-rings for Linux. When/if the CAAM driver makes it into upstream there may be an opportunity to rationalize the code but, in the meantime I'd like to move on with fixing the job-ring permissions, so that I can post an update to u-boot to remove job-ring ownership assignment there. |
0xB0D
force-pushed
the
master+imx_caam_fix
branch
from
014c7d9
to
1b1f0c2
Compare
|
Update. It wants :) |
|
@bryanodonoghue , I've manually restarted IBART once, but it is still failing. I cannot see that the changes in this patch has anything to do with the errors, probably just a rebase of master that is needed. Could you please do that and force push. |
When we transition to secure-world certain parts of the CAAM become opaque to normal world. This patch adds a simple routine to set CAAM job-ring permissions to normal-world by default. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Reviewed-by: Peng Fan <peng.fan@nxp.com>
This patch adds a call to set CAAM job-ring permissions for i.MX6 and i.MX7 processors. Since the iMX6ULL does not have a CAAM it will be skipped but, all other i.MX6 and i.MX7 SoCs will have their default CAAM job-ring permissions set to normal-world. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Reviewed-by: Peng Fan <peng.fan@nxp.com>
0xB0D
force-pushed
the
master+imx_caam_fix
branch
from
1b1f0c2
to
e3c73a4
Compare
|
This PR causes an error in the Shippable build: (why has Shippable not run during the CI step? Weird...) |
I've seen many weird thing on GitHub last couple of days, comments not being posted, takes time PRs to update after patch has been sent and so on. So made some issue at the GitHub side. |
|
@bryanodonoghue would you mind having a look at it and send a fix? |
|
@bryanodonoghue an intermediate cast to |
|
I'll post an update now |
|
Well there's an interesting typo edit: yep... turns out it is possible to forward declare a struct in a cast.... so even this junk would compile struct imx_caam_ctrl *caam = (struct larry *) CAAM_BASE; |
This series
This is not a full fledged CAAM driver, which both NXP and Microsoft have written but, not thus far upstreamed code for. This is simply about setting the default permissions of the CAAM.
The expectation is that a full CAAM driver will assign some job-rings to secure and some job-rings to normal world and will communicate job-ring ownership via DTB settings.
Setting job-ring ownership when transitioning from secure to non-secure world is best done in OPTEE rather than u-boot and so if this code is applied in OP-TEE the next step is to stop setting job-ring permissions in u-boot.