Message-ID: <6eaa50e7572c732d554bae666de68f6305e4437f.camel@pengutronix.de>
From: Rouven Czerwinski
Date: Wed, 22 Apr 2020 14:34:20 +0200
In-Reply-To: <20200422114407.10351-1-a.schwarzkopf@phytec.de>
Subject: Re: [PATCH] mach-imx: hab: Unlock CAAM MID for OP-TEE
To: Albert Schwarzkopf, barebox@lists.infradead.org

Hi,

On Wed, 2020-04-22 at 13:44 +0200, Albert Schwarzkopf wrote:
> The current CSF config used by barebox does not allow a successful
> bootup of OP-TEE within a closed HAB configuration. As specified
> in section 2.1 of the application notes [1], OP-TEE requires that
> the "UNLOCK MID" HAB command is present in the CSF file for
> this case.
>
> This patch adds the mentioned command if support for OP-TEE is
> enabled in the configuration. It's based on the discussion
> in [2].
>
> [1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
> [2] https://github.com/OP-TEE/optee_os/issues/3609
>
> Signed-off-by: Albert Schwarzkopf
> --- > arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h > b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h > index 581887960..0e6c7e2dd 100644 > --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h > +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> @@ -29,7 +29,11 @@ hab [Authenticate CSF] > > hab [Unlock] > hab Engine = CAAM > +#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE) > +hab Features = MID,RNG > +#else > hab Features = RNG > +#endif I don't see any reason to not unlock the MID settings in a secure configuration without OP-TEE. MID Setup only really makes sense if normal and secure world require different access policies to the CAAM, which isn't the case if only linux is run in the secure world. AFAIK unlocked MID should not prevent Linux from working correctly with the CAAM even if no OP-TEE is present, although I have not specifically tested this case. Regards, Rouven Czerwinski _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox
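Review bot: The `#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)` branch in the `[Unlock]` block has no comment saying why `MID` joins the `Features` list, and it makes the content of the signed CSF depend on two barebox Kconfig symbols rather than on whether OP-TEE actually runs on the board. A closed-HAB image that starts OP-TEE by a path these symbols do not cover would still be signed with `hab Features = RNG`. Please add a one-line comment above the `#if` pointing at section 2.1 of AN12056, and state in the commit message what remains unlocked on the CAAM once `MID` is listed, so that someone auditing the CSF template can see the relaxation is deliberate. If the conditional is kept, consider a single dedicated symbol for the unlock instead of repeating the `Features` line under two options.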