mail archive of the barebox mailing list
* [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE
@ 2020-04-22 11:44 Albert Schwarzkopf
  2020-04-22 12:34 ` Rouven Czerwinski
  0 siblings, 1 reply; 4+ messages in thread
From: Albert Schwarzkopf @ 2020-04-22 11:44 UTC (permalink / raw)
  To: barebox

The current CSF config used by barebox does not allow a successful
bootup of OP-TEE within a closed HAB configuration. As specified
in section 2.1 of the application notes [1], OP-TEE requires that
the "UNLOCK MID" HAB command is present in the CSF file for
this case.

This patch adds the mentioned command if support for OP-TEE is
enabled in the configuration. It's based on the discussion
in [2].

[1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
[2] https://github.com/OP-TEE/optee_os/issues/3609

Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
---
 arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
index 581887960..0e6c7e2dd 100644
--- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
+++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
@@ -29,7 +29,11 @@ hab [Authenticate CSF]
 
 hab [Unlock]
 hab Engine = CAAM
+#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
+hab Features = MID,RNG
+#else
 hab Features = RNG
+#endif
 
 hab [Install Key]
 /* verification key index in key store (0, 2...4) */
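Review bot: the `#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)` branch carries no explanation, so a reader of the generated CSF cannot tell why the `[Unlock]` command for CAAM grows from `RNG` to `MID,RNG` only in OP-TEE builds; a one-line comment before the `#if`, for example `/* OP-TEE needs the CAAM MID feature unlocked, see AN12056 section 2.1 */`, would carry the reference the commit message cites into the file itself. Since `[Unlock]` is where the closed HAB configuration is deliberately relaxed, the commit message should also say explicitly that MID stays locked in non-OP-TEE builds, so that the conditional reads as a choice rather than an oversight.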
-- 
2.17.1


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
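To see what the conditional in the patch produces for a given build configuration, here is an added, constructed check (not barebox's own tooling): it resolves the `#if defined(...)` branches of a gencsf.h-style template against a set of enabled `CONFIG_` symbols, parses the resulting `hab` lines, and verifies that the CAAM `[Unlock]` command includes `MID` whenever OP-TEE is enabled, as AN12056 section 2.1 requires.

```python
import re

# Constructed template fragment in barebox's gencsf.h style, mirroring the hunk.
CSF_TEMPLATE = """\
hab [Unlock]
hab Engine = CAAM
#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
hab Features = MID,RNG
#else
hab Features = RNG
#endif
"""

def preprocess(template, enabled):
    """Resolve '#if defined(A) || defined(B)' / '#else' / '#endif' blocks
    against the set of enabled CONFIG_ symbols (only the 'defined()' form
    used in the template is handled; nesting is supported)."""
    out, stack = [], []          # stack: truth value of each open #if
    for line in template.splitlines():
        if line.startswith("#if"):
            names = re.findall(r"defined\((\w+)\)", line)
            stack.append(any(n in enabled for n in names))
        elif line.startswith("#else"):
            stack[-1] = not stack[-1]
        elif line.startswith("#endif"):
            stack.pop()
        elif all(stack):         # emit only inside taken branches
            out.append(line)
    return out

def parse_csf(lines):
    """Group 'hab Key = Value' lines under the preceding 'hab [Section]'."""
    sections, cur = [], None
    for line in lines:
        if m := re.match(r"hab\s+\[(.+?)\]", line):
            cur = {"name": m.group(1)}
            sections.append(cur)
        elif (m := re.match(r"hab\s+(\w+)\s*=\s*(.+)", line)) and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return sections

def caam_unlock_features(template, enabled):
    """Features the [Unlock] command leaves unlocked on the CAAM engine."""
    for sec in parse_csf(preprocess(template, enabled)):
        if sec["name"] == "Unlock" and sec.get("Engine") == "CAAM":
            return {f.strip() for f in sec.get("Features", "").split(",") if f.strip()}
    return set()

def check_optee_requirement(template, enabled):
    """AN12056 sec. 2.1: with OP-TEE in a closed HAB setup, MID must be unlocked."""
    optee = bool({"CONFIG_BOOTM_OPTEE", "CONFIG_PBL_OPTEE"} & enabled)
    return (not optee) or "MID" in caam_unlock_features(template, enabled)
```

Running the check over the real generated CSF before signing catches the failure mode the patch describes (OP-TEE enabled, MID still locked) at build time rather than at first boot of a closed board.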


* Re: [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE
  2020-04-22 11:44 [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE Albert Schwarzkopf
@ 2020-04-22 12:34 ` Rouven Czerwinski
  2020-04-23  7:08   ` Sascha Hauer
  0 siblings, 1 reply; 4+ messages in thread
From: Rouven Czerwinski @ 2020-04-22 12:34 UTC (permalink / raw)
  To: Albert Schwarzkopf, barebox

Hi,

On Wed, 2020-04-22 at 13:44 +0200, Albert Schwarzkopf wrote:
> The current CSF config used by barebox does not allow a successful
> bootup of OP-TEE within a closed HAB configuration. As specified
> in section 2.1 of the application notes [1], OP-TEE requires that
> the "UNLOCK MID" HAB command is present in the CSF file for
> this case.
> 
> This patch adds the mentioned command if support for OP-TEE is
> enabled in the configuration. It's based on the discussion
> in [2].
> 
> [1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
> [2] https://github.com/OP-TEE/optee_os/issues/3609
> 
> Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
> ---
>  arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> index 581887960..0e6c7e2dd 100644
> --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> @@ -29,7 +29,11 @@ hab [Authenticate CSF]
>  
>  hab [Unlock]
>  hab Engine = CAAM
> +#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
> +hab Features = MID,RNG
> +#else
>  hab Features = RNG
> +#endif

I don't see any reason to not unlock the MID settings in a secure
configuration without OP-TEE. MID Setup only really makes sense if
normal and secure world require different access policies to the CAAM,
which isn't the case if only linux is run in the secure world.
AFAIK unlocked MID should not prevent Linux from working correctly with
the CAAM even if no OP-TEE is present, although I have not specifically
tested this case.

Regards,
Rouven Czerwinski



* Re: [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE
  2020-04-22 12:34 ` Rouven Czerwinski
@ 2020-04-23  7:08   ` Sascha Hauer
  2020-04-23  7:09     ` Rouven Czerwinski
  0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2020-04-23  7:08 UTC (permalink / raw)
  To: Rouven Czerwinski; +Cc: Albert Schwarzkopf, barebox

On Wed, Apr 22, 2020 at 02:34:20PM +0200, Rouven Czerwinski wrote:
> Hi,
> 
> On Wed, 2020-04-22 at 13:44 +0200, Albert Schwarzkopf wrote:
> > The current CSF config used by barebox does not allow a successful
> > bootup of OP-TEE within a closed HAB configuration. As specified
> > in section 2.1 of the application notes [1], OP-TEE requires that
> > the "UNLOCK MID" HAB command is present in the CSF file for
> > this case.
> > 
> > This patch adds the mentioned command if support for OP-TEE is
> > enabled in the configuration. It's based on the discussion
> > in [2].
> > 
> > [1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
> > [2] https://github.com/OP-TEE/optee_os/issues/3609
> > 
> > Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
> > ---
> >  arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > index 581887960..0e6c7e2dd 100644
> > --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > @@ -29,7 +29,11 @@ hab [Authenticate CSF]
> >  
> >  hab [Unlock]
> >  hab Engine = CAAM
> > +#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
> > +hab Features = MID,RNG
> > +#else
> >  hab Features = RNG
> > +#endif
> 
> I don't see any reason to not unlock the MID settings in a secure
> configuration without OP-TEE. MID Setup only really makes sense if
> normal and secure world require different access policies to the CAAM,
> which isn't the case if only linux is run in the secure world.
> AFAIK unlocked MID should not prevent Linux from working correctly with
> the CAAM even if no OP-TEE is present, although I have not specifically
> tested this case.

Are you suggesting to drop the #ifdef and do a "hab Features = MID,RNG"
unconditionally?

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE
  2020-04-23  7:08   ` Sascha Hauer
@ 2020-04-23  7:09     ` Rouven Czerwinski
  0 siblings, 0 replies; 4+ messages in thread
From: Rouven Czerwinski @ 2020-04-23  7:09 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: Albert Schwarzkopf, barebox

On Thu, 2020-04-23 at 09:08 +0200, Sascha Hauer wrote:
> On Wed, Apr 22, 2020 at 02:34:20PM +0200, Rouven Czerwinski wrote:
> > Hi,
> > 
> > On Wed, 2020-04-22 at 13:44 +0200, Albert Schwarzkopf wrote:
> > > The current CSF config used by barebox does not allow a
> > > successful
> > > bootup of OP-TEE within a closed HAB configuration. As specified
> > > in section 2.1 of the application notes [1], OP-TEE requires that
> > > the "UNLOCK MID" HAB command is present in the CSF file for
> > > this case.
> > > 
> > > This patch adds the mentioned command if support for OP-TEE is
> > > enabled in the configuration. It's based on the discussion
> > > in [2].
> > > 
> > > [1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
> > > [2] https://github.com/OP-TEE/optee_os/issues/3609
> > > 
> > > Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
> > > ---
> > >  arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > > 
> > > diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > > b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > > index 581887960..0e6c7e2dd 100644
> > > --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > > +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> > > @@ -29,7 +29,11 @@ hab [Authenticate CSF]
> > >  
> > >  hab [Unlock]
> > >  hab Engine = CAAM
> > > +#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
> > > +hab Features = MID,RNG
> > > +#else
> > >  hab Features = RNG
> > > +#endif
> > 
> > I don't see any reason to not unlock the MID settings in a secure
> > configuration without OP-TEE. MID Setup only really makes sense if
> > normal and secure world require different access policies to the
> > CAAM,
> > which isn't the case if only linux is run in the secure world.
> > AFAIK unlocked MID should not prevent Linux from working correctly
> > with
> > the CAAM even if no OP-TEE is present, although I have not
> > specifically
> > tested this case.
> 
> Are you suggesting to drop the #ifdef and do a "hab Features =
> MID,RNG"
> unconditionally?

Yes.

- Rouven


