RE: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for supporting DM in SPL

[ZHIZHIKIN Andrey]

Hello Gaurav,

> -----Original Message-----
> From: U-Boot <u-boot-boun...@lists.denx.de> On Behalf Of Gaurav Jain
> Sent: Wednesday, January 12, 2022 2:31 PM
> To: u-boot@lists.denx.de
> Cc: Stefano Babic <sba...@denx.de>; Fabio Estevam <feste...@gmail.com>; Peng 
> Fan
> <peng....@nxp.com>; Simon Glass <s...@chromium.org>; Michael Walle
> <mich...@walle.cc>; Priyanka Jain <priyanka.j...@nxp.com>; Ye Li 
> <ye...@nxp.com>;
> Horia Geanta <horia.gea...@nxp.com>; Ji Luo <ji....@nxp.com>; Franck Lenormand
> <franck.lenorm...@nxp.com>; Silvano Di Ninno <silvano.dini...@nxp.com>; Sahil
> malhotra <sahil.malho...@nxp.com>; Pankaj Gupta <pankaj.gu...@nxp.com>; Varun
> Sethi <v.se...@nxp.com>; NXP i . MX U-Boot Team <uboot-...@nxp.com>; Shengzhou
> Liu <shengzhou....@nxp.com>; Mingkai Hu <mingkai...@nxp.com>; Rajesh Bhagat
> <rajesh.bha...@nxp.com>; Meenakshi Aggarwal <meenakshi.aggar...@nxp.com>; 
> Wasim
> Khan <wasim.k...@nxp.com>; Alison Wang <alison.w...@nxp.com>; Pramod Kumar
> <pramod.kuma...@nxp.com>; Tang Yuantian <andy.t...@nxp.com>; Adrian Alonso
> <adrian.alo...@nxp.com>; Vladimir Oltean <olte...@gmail.com>; Gaurav Jain
> <gaurav.j...@nxp.com>
> Subject: [PATCH v10 02/14] i.MX8M: crypto: updated device tree for supporting 
> DM
> in SPL
> 
> disabled use of JR0 in SPL and uboot, as JR0 is reserved
> for secure boot.

I'd like to return the original question here, which was not completely 
clarified
during previous reviews: where does the reservation restriction is coming from?

BootROM does reserve the JR0 and JR1, which are later released by ATF. NXP 
downstream
ATF keeps the JR0 reserved, but upstream ATF does release *all* JRs to NS World.

If this reservation is taken like the patch proposes and U-Boot is built with 
upstream
ATF - this would eventually lead to the situation where the HW configuration is 
not
aligned with what DTB indicates.

Please note, that recent OP-TEE release has also re-mapped the JR it uses from 
JR0 to
JR2, which can also lead to usage of the JR which is already taken by OP-TEE. 
There is
an ongoing PR in OP-TEE to disable JR nodes via DT overlay for Linux [1], but 
I'm not
sure if the same applies to U-Boot as well.

> 
> Signed-off-by: Gaurav Jain <gaurav.j...@nxp.com>
> Reviewed-by: Ye Li <ye...@nxp.com>
> ---
>  arch/arm/dts/imx8mm-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
>  arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi | 19 ++++++++++++++++++-
>  arch/arm/dts/imx8mp-evk-u-boot.dtsi      | 19 ++++++++++++++++++-
>  arch/arm/dts/imx8mq-evk-u-boot.dtsi      |  4 ++++
>  4 files changed, 58 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi b/arch/arm/dts/imx8mm-evk-u-
> boot.dtsi
> index 6b459831e7..e5682ca165 100644
> --- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
> @@ -1,6 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
> - * Copyright 2019 NXP
> + * Copyright 2019, 2021 NXP
>   */
> 
>  #include "imx8mm-u-boot.dtsi"
> @@ -68,6 +68,23 @@
>       u-boot,dm-spl;
>  };
> 
> +&crypto {
> +     u-boot,dm-spl;
> +};
> +
> +&sec_jr0 {
> +     u-boot,dm-spl;
> +     status = "disabled";
> +};
> +
> +&sec_jr1 {
> +     u-boot,dm-spl;
> +};
> +
> +&sec_jr2 {
> +     u-boot,dm-spl;
> +};
> +
>  &usdhc1 {
>       u-boot,dm-spl;
>  };
> diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi 
> b/arch/arm/dts/imx8mn-ddr4-
> evk-u-boot.dtsi
> index 1d3844437d..d8df863083 100644
> --- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
> @@ -1,6 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
> - * Copyright 2019 NXP
> + * Copyright 2019, 2021 NXP
>   */
> 
>  / {
> @@ -104,6 +104,23 @@
>       u-boot,dm-spl;
>  };
> 
> +&crypto {
> +     u-boot,dm-spl;
> +};
> +
> +&sec_jr0 {
> +     u-boot,dm-spl;
> +     status = "disabled";
> +};
> +
> +&sec_jr1 {
> +     u-boot,dm-spl;
> +};
> +
> +&sec_jr2 {
> +     u-boot,dm-spl;
> +};
> +
>  &usdhc1 {
>       u-boot,dm-spl;
>  };
> diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi b/arch/arm/dts/imx8mp-evk-u-
> boot.dtsi
> index ab849ebaac..f3f83ba303 100644
> --- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
> @@ -1,6 +1,6 @@
>  // SPDX-License-Identifier: GPL-2.0+
>  /*
> - * Copyright 2019 NXP
> + * Copyright 2019, 2021 NXP
>   */
> 
>  #include "imx8mp-u-boot.dtsi"
> @@ -67,6 +67,23 @@
>       u-boot,dm-spl;
>  };
> 
> +&crypto {
> +     u-boot,dm-spl;
> +};
> +
> +&sec_jr0 {
> +     u-boot,dm-spl;
> +     status = "disabled";
> +};
> +
> +&sec_jr1 {
> +     u-boot,dm-spl;
> +};
> +
> +&sec_jr2 {
> +     u-boot,dm-spl;
> +};
> +
>  &i2c1 {
>       u-boot,dm-spl;
>  };
> diff --git a/arch/arm/dts/imx8mq-evk-u-boot.dtsi b/arch/arm/dts/imx8mq-evk-u-
> boot.dtsi
> index 6f9c81462e..8f1f942215 100644
> --- a/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> +++ b/arch/arm/dts/imx8mq-evk-u-boot.dtsi
> @@ -10,3 +10,7 @@
>       sd-uhs-sdr104;
>       sd-uhs-ddr50;
>  };
> +
> +&sec_jr0 {
> +     status = "disabled";
> +};
> --
> 2.17.1

Link: [1]: https://github.com/OP-TEE/optee_os/pull/5143