Commit graph

14 commits

Author SHA1 Message Date
Gaurav Jain
4556cf8271 crypto/fsl: Add support for CAAM Job ring driver model
added device tree support for job ring driver.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-04-12 11:18:34 +02:00
Ye Li
2ff17d2f74 crypto: fsl: refactor for 32 bit version CAAM support on ARM64
Previous patch "MLK-18044-4: crypto: caam: Fix pointer size to 32bit
for i.MX8M" breaks the 64 bits CAAM.

Since i.MX CAAM are all 32 bits no matter the ARM arch (32 or 64),
to adapt and not break 64 bits CAAM support,  add a new config
CONFIG_CAAM_64BIT and new relevant type "caam_dma_addr_t".

This config is default enabled when CONFIG_PHYS_64BIT is set except
for iMX8M.

Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 20:29:53 +02:00
Aymen Sghaier
a018e6e4f7 crypto: caam: Fix pointer size to 32bit for i.MX8M
The CAAM block used in i.MX8M is 32 bits address size but when the flag
 PHYS_64BIT is enabled for armv8, the CAAM driver will try to use a
 wrong pointer size.
  This patch fixes this issue.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 09:18:29 +02:00
Franck LENORMAND
68a905d1ff crypto: caam: change JR running loop
Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 09:18:29 +02:00
Breno Matheus Lima
51f1357f34 Revert "drivers/crypto/fsl: assign job-rings to non-TrustZone"
Commit 22191ac353 ("drivers/crypto/fsl: assign job-rings to
 non-TrustZone") breaks HABv4 encrypted boot support in the
following i.MX devices:

- i.MX6UL
- i.MX7S
- i.MX7D
- i.MX7ULP

For preparing a HABv4 encrypted boot image it's necessary to
encapsulate the generated DEK in a blob. In devices listed
above the blob generation function takes into consideration
the Job Ring TrustZone ownership configuration (JROWN_NS)
and can be only decapsulated by the same configuration.

The ROM code expects DEK blobs encapsulated by the Secure World
environments which commonly have JROWN_NS = 0.

As U-Boot is running in Secure World we must have JROWN_NS = 0
so the blobs generated by dek_blob tool can be decapsulated
by the ROM code.

Job-rings assignment is now handled in OP-TEE OS, this commit can
be safely reverted.
https://github.com/OP-TEE/optee_os/pull/2986

This reverts commit 22191ac353.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
2019-06-11 10:42:48 +02:00
Tom Rini
83d290c56f SPDX: Convert all of our single license tags to Linux Kernel style
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-07 09:34:12 -04:00
Lukas Auer
dfaec76029 crypto/fsl: instantiate all rng state handles
Extend the instantiate_rng() function and the corresponding CAAM job
descriptor to instantiate all RNG state handles. This moves the RNG
instantiation code in line with the CAAM kernel driver.

Previously, only the first state handle was instantiated. The second
one was instantiated by the CAAM kernel driver. This works if the
kernel runs in secure mode, but fails in non-secure mode since the
kernel driver uses DEC0 directly instead of over the job ring
interface. Instantiating all RNG state handles in u-boot removes the
need for using DEC0 in the kernel driver, making it possible to use
the CAAM in non-secure mode.

Signed-off-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: York Sun <york.sun@nxp.com>
2018-02-09 08:34:34 -08:00
Bryan O'Donoghue
22191ac353 drivers/crypto/fsl: assign job-rings to non-TrustZone
After enabling TrustZone various parts of the CAAM silicon become
inaccessible to non TrustZone contexts. The job-ring registers are designed
to allow non TrustZone contexts like Linux to still submit jobs to CAAM
even after TrustZone has been enabled.

The default job-ring permissions after the BootROM look like this for
job-ring zero.

ms=0x00008001 ls=0x00008001

The MS field is JRaMIDR_MS (job ring MID most significant).

Referring to "Security Reference Manual for i.MX 7Dual and 7Solo
Applications Processors, Rev. 0, 03/2017" section 8.10.4 we see that
JROWN_NS controls whether or not a job-ring is accessible from non
TrustZone.

Bit 15 (TrustZone) is the logical inverse of bit 3 hence the above value of
0x8001 shows that JROWN_NS=0 and TrustZone=1.

Clearly then as soon as TrustZone becomes active the job-ring registers are
no longer accessible from Linux, which is not what we want.

This patch explicitly sets all job-ring registers to JROWN_NS=1 (non
TrustZone) by default and to the Non-Secure MID 001. Both settings are
required to successfully assign a job-ring to non-secure mode. If a piece
of TrustZone firmware requires ownership of job-ring registers it can unset
the JROWN_NS bit itself.

This patch in conjunction with a modification of the Linux kernel to skip
HWRNG initialisation makes CAAM usable to Linux with TrustZone enabled.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Alex Porosanu <alexandru.porosanu@nxp.com>
Cc: Ruchika Gupta <ruchika.gupta@nxp.com>
Cc: Aneesh Bansal <aneesh.bansal@nxp.com>
Link: https://github.com/OP-TEE/optee_os/issues/1408
Link: https://tinyurl.com/yam5gv9a
Tested-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
2018-02-04 12:14:11 +01:00
Alex Porosanu
76394c9c91 crypto/fsl: add support for multiple SEC engines initialization
For SoCs that contain multiple SEC engines, each of them needs
to be initialized (by means of initializing among others the
random number generator).

Signed-off-by: Alex Porosanu <alexandru.porosanu@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
2016-05-18 08:51:46 -07:00
Saksham Jain
8a6f83dcb8 crypto/fsl: Make CAAM transactions cacheable
This commit solves CAAM coherency issue on ls2080. When caches are
enabled and CAAM's DMA's AXI transcations are not made cacheable,
Core reads/writes data from/to caches and CAAM does from main memory.
This forces data flushes to synchronize various data structures. But
even if any data in proximity of these structures is read by core,
these structures again are fetched in caches.

To avoid this problem, either all the data that CAAM accesses can be
made cache line aligned or CAAM transcations can be made cacheable.

So, this commit makes CAAM transcations as write back with write and
read allocate.

Signed-off-by: Saksham Jain <saksham.jain@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
2016-03-29 08:46:22 -07:00
Ruchika Gupta
7f4736bd65 drivers/crypto/fsl : Allocate output ring with size aligned to CACHELNE SIZE
The output ring needs to be invalidated before enqueuing the job to SEC.
While allocation of space to output ring, it should be taken care that the
size is cacheline size aligned inorder to prevent invalidating valid data.

The patch also correct the method of aligning end of structs while flushing caches

    Since start = align(start_of_struct), it is incorrect to assign
    end = align(start + struct_size). It should instead be,
    end = align(start_of_struct + struct_size).

Signed-off-by: Saksham Jain <saksham@nxp.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
2016-02-24 08:40:55 -08:00
Aneesh Bansal
f59e69cbd3 crypto/fsl: SEC driver cleanup for 64 bit and endianness
The SEC driver code has been cleaned up to work for 64 bit
physical addresses and systems where endianess of SEC block
is different from the Core.
Changes:
1. Descriptor created on Core is modified as per SEC block
   endianness before the job is submitted.
2. The read/write of physical addresses to Job Rings will
   be depend on endianness of SEC block as 32 bit low and
   high part of the 64 bit address will vary.
3. The 32 bit low and high part of the 64 bit address in
   descriptor will vary depending on endianness of SEC.

Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: York Sun <yorksun@freescale.com>
2015-10-29 10:33:57 -07:00
horia.geanta@freescale.com
3ef2412de6 drivers/crypto/fsl: fix snooping for write transactions
HW coherency won't work properly for CAAM write transactions
if AWCACHE is left to default (POR) value - 4'b0001.
It has to be programmed to 4'b0010.

For platforms that have HW coherency support:
-PPC-based: the update has no effect; CAAM coherency already works
due to the IOMMU (PAMU) driver setting the correct memory coherency
attributes
-ARM-based: the update fixes cache coherency issues,
since IOMMU (SMMU) driver is not programmed to behave similar to PAMU

Fixes: b9eebfade9 ("fsl_sec: Add hardware accelerated SHA256 and SHA1")
Signed-off-by: Horia Geantă <horia.geanta@freescale.com>
Reviewed-by: Aneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: Mingkai Hu <Mingkai.Hu@freescale.com>
Acked-by: Ruchika Gupta<ruchika.gupta@freescale.com>
Reviewed-by: York Sun <yorksun@freescale.com>
2015-08-03 12:06:38 -07:00
Ruchika Gupta
b9eebfade9 fsl_sec: Add hardware accelerated SHA256 and SHA1
SHA-256 and SHA-1 accelerated using SEC hardware in Freescale SoC's
The driver for SEC (CAAM) IP is based on linux drivers/crypto/caam.
The platforms needto add the MACRO CONFIG_FSL_CAAM inorder to
enable initialization of this hardware IP.

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Reviewed-by: York Sun <yorksun@freescale.com>
2014-10-16 14:17:07 -07:00