mail archive of the barebox mailing list
From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
To: Albert Schwarzkopf <a.schwarzkopf@phytec.de>,
	barebox@lists.infradead.org
Subject: Re: [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE
Date: Wed, 22 Apr 2020 14:34:20 +0200
Message-ID: <6eaa50e7572c732d554bae666de68f6305e4437f.camel@pengutronix.de>
In-Reply-To: <20200422114407.10351-1-a.schwarzkopf@phytec.de>

Hi,

On Wed, 2020-04-22 at 13:44 +0200, Albert Schwarzkopf wrote:
> The current CSF config used by barebox does not allow a successful
> bootup of OP-TEE within a closed HAB configuration. As specified
> in section 2.1 of the application notes [1], OP-TEE requires that
> the "UNLOCK MID" HAB command is present in the CSF file for
> this case.
> 
> This patch adds the mentioned command if support for OP-TEE is
> enabled in the configuration. It's based on the discussion
> in [2].
> 
> [1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
> [2] https://github.com/OP-TEE/optee_os/issues/3609
> 
> Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
> ---
>  arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> index 581887960..0e6c7e2dd 100644
> --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> @@ -29,7 +29,11 @@ hab [Authenticate CSF]
>  
>  hab [Unlock]
>  hab Engine = CAAM
> +#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
> +hab Features = MID,RNG
> +#else
>  hab Features = RNG
> +#endif
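
Review bot: The `#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)` block adds MID to `hab Features` without any in-file explanation; the rationale (AN12056 section 2.1, OP-TEE in a closed HAB configuration) lives only in the commit message. A short comment above the `#if` would let someone auditing the CSF template see why the [Unlock] command differs between builds. Since the two branches differ only in MID, it is also worth stating in the commit message why the non-OP-TEE case must keep `hab Features = RNG` rather than using a single unconditional line.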

I don't see any reason to not unlock the MID settings in a secure
configuration without OP-TEE. MID Setup only really makes sense if
normal and secure world require different access policies to the CAAM,
which isn't the case if only Linux is run in the secure world.
AFAIK unlocked MID should not prevent Linux from working correctly with
the CAAM even if no OP-TEE is present, although I have not specifically
tested this case.

Regards,
Rouven Czerwinski


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
