This patch sets the relevant set of job-rings to secure-world prior to calling into run_descriptor_jr_idx(). As observed by Breno Matheus Lima the DEK blob verification layer in NXP BootROMs performs a check on job-ring ownership and requires the permission to be set to secure world.
Once run_descriptor_jr_idx() is complete we switch back to normal-world ownership. Normal world job-ring ownership allows Linux to run in either secure or normal world when using the CAAM, irrespective which is ultimately what we want to support. Signed-off-by: Bryan O'Donoghue <bryan.odonog...@linaro.org> --- drivers/crypto/fsl/jr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c index 65982b8369..8ab92ad2f1 100644 --- a/drivers/crypto/fsl/jr.c +++ b/drivers/crypto/fsl/jr.c @@ -389,7 +389,13 @@ out: int run_descriptor_jr(uint32_t *desc) { - return run_descriptor_jr_idx(desc, 0); + int ret; + + sec_set_jr_context_secure(); + ret = run_descriptor_jr_idx(desc, 0); + sec_set_jr_context_normal(); + + return ret; } static inline int jr_reset_sec(uint8_t sec_idx) -- 2.20.1 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot