Add OTP hardware key support to plat-ti #1492
Conversation
core/arch/arm/plat-ti/main.c
Outdated
| @@ -161,6 +165,8 @@ void init_sec_mon(unsigned long nsec_entry) | |||
| nsec_ctx->mode_regs.und_lr = plat_boot_args->nsec_ctx.und_lr; | |||
| nsec_ctx->mon_lr = plat_boot_args->nsec_ctx.mon_lr; | |||
| nsec_ctx->mon_spsr = plat_boot_args->nsec_ctx.mon_spsr; | |||
|
|
|||
| memcpy(&plat_huk[0], &plat_boot_args->huk[0], sizeof(plat_boot_args->huk)); | |||
There was a problem hiding this comment.
This &array[0] style looks a bit funny, why not use just array instead?
There was a problem hiding this comment.
If that is your preference then it makes no difference to me, updated.
core/arch/arm/plat-ti/conf.mk
Outdated
| @@ -15,6 +15,7 @@ $(call force,CFG_PL310_LOCKED,y) | |||
| $(call force,CFG_SECURE_TIME_SOURCE_REE,y) | |||
| arm32-platform-cpuarch := cortex-a9 | |||
| else | |||
| $(call force,CFG_OTP_SUPPORT,y) | |||
There was a problem hiding this comment.
Nitpicking: should this be CFG_OTP_SUPPORT ?= y instead? (so that the option may be disabled at build time: make ... CFG_OTP_SUPPORT=n). Now, if you think it doesn't make much sense, I'm perfectly OK with force.
There was a problem hiding this comment.
I think your suggestion makes more sense, updated.
core/arch/arm/plat-ti/main.c
Outdated
| memcpy(&hwkey->data[0], &plat_huk[0], sizeof(hwkey->data)); | ||
| } | ||
|
|
||
| /* TODO */ |
There was a problem hiding this comment.
A patch such as this one [0] would remove the need for this temporary tee_otp_get_die_id clone.
[0] 32dce12
There was a problem hiding this comment.
Indeed. I'll pick up the first three patches from #1318.
There was a problem hiding this comment.
Thanks, Updated to take advantage of this change.
| @@ -15,6 +15,7 @@ $(call force,CFG_PL310_LOCKED,y) | |||
| $(call force,CFG_SECURE_TIME_SOURCE_REE,y) | |||
| arm32-platform-cpuarch := cortex-a9 | |||
| else | |||
| CFG_OTP_SUPPORT ?= y | |||
There was a problem hiding this comment.
Sorry for changing my mind ;) but in fact I think this should just go. CFG_OTP_SUPPORT does not appear anywhere else now, and you already have the plat_huk[] array populated unconditionally, so it is a bit weird not to use it. Let's make things as simple as possible. OK?
There was a problem hiding this comment.
Oh no scratch that, you have multiple platform flavors. Sorry.
There was a problem hiding this comment.
Hum. All flavors work the same so yeah, I think CFG_OTP_SUPPORT is useless.
Time to stop reviewing code and leave the office now ;)
There was a problem hiding this comment.
Right, when AM43xx gets support for this then we can safely drop CFG_OTP_SUPPORT.
|
|
Currently the non-secure context is passed in from our initial secure software as part of the OP-TEE load process. This passed-in data will not only contain the non-secure context but also any additional data we may need to give to OP-TEE. Rename these structures and group the context data into a struct for future expansion. Signed-off-by: Andrew F. Davis <afd@ti.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Some TI platforms pass the HUK to OP-TEE via a secure memory stack. Read and store this key for later use. On platforms without CFG_OTP_SUPPORT this key is ignored. Signed-off-by: Andrew F. Davis <afd@ti.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
On DRA7xx/AM57xx the initial secure software will pass OP-TEE a Hardware Unique Key (HUK), use this key when requested. Signed-off-by: Andrew F. Davis <afd@ti.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
No description provided.