From: Sascha Hauer
Date: Thu, 23 Apr 2020 09:08:36 +0200
Message-ID: <20200423070836.GZ1694@pengutronix.de>
References: <20200422114407.10351-1-a.schwarzkopf@phytec.de> <6eaa50e7572c732d554bae666de68f6305e4437f.camel@pengutronix.de>
In-Reply-To: <6eaa50e7572c732d554bae666de68f6305e4437f.camel@pengutronix.de>
Subject: Re: [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE
To: Rouven Czerwinski
Cc: Albert Schwarzkopf, barebox@lists.infradead.org

On Wed, Apr 22, 2020 at 02:34:20PM +0200, Rouven Czerwinski wrote:
> Hi,
>
> On Wed, 2020-04-22 at 13:44 +0200, Albert Schwarzkopf wrote:
> > The current CSF config used by barebox does not allow a successful
> > bootup of OP-TEE within a closed HAB configuration. As specified
> > in section 2.1 of the application notes [1], OP-TEE requires that
> > the "UNLOCK MID" HAB command is present in the CSF file for
> > this case.
> >
> > This patch adds the mentioned command if support for OP-TEE is
> > enabled in the configuration. It's based on the discussion
> > in [2].
> >
> > [1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
> > [2] https://github.com/OP-TEE/optee_os/issues/3609
> >
> > Signed-off-by: Albert Schwarzkopf
> > ---
> > arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > index 581887960..0e6c7e2dd 100644
> > --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > @@ -29,7 +29,11 @@ hab [Authenticate CSF]
> >
> > hab [Unlock]
> > hab Engine = CAAM
> > +#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
> > +hab Features = MID,RNG
> > +#else
> > hab Features = RNG
> > +#endif
>
> I don't see any reason to not unlock the MID settings in a secure
> configuration without OP-TEE. MID Setup only really makes sense if
> normal and secure world require different access policies to the CAAM,
> which isn't the case if only linux is run in the secure world.
> AFAIK unlocked MID should not prevent Linux from working correctly with
> the CAAM even if no OP-TEE is present, although I have not specifically
> tested this case.

Are you suggesting to drop the #ifdef and do a "hab Features = MID,RNG"
unconditionally?

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
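Review bot: the new `#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)` block in habv4-imx6-gencsf.h carries no comment explaining why MID is unlocked only for OP-TEE builds; the rationale (AN12056 section 2.1, the OP-TEE issue in [2]) lives only in the commit message. Since `hab Features = MID,RNG` changes the CAAM access-policy setup that HAB applies, a one-line comment above the `#if` stating that OP-TEE requires the CAAM MID unlock would let a later reader of the CSF template see that the wider unlock is deliberate and config-dependent. If the `#ifdef` is dropped and the unlock made unconditional, as the follow-up in this thread asks, that decision and its justification belong in the same comment.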