From 24993b9b5b796f2f6294c8fbf5360925406df390 Mon Sep 17 00:00:00 2001 From: Emanuele Ghidoli Date: Tue, 26 Mar 2024 13:24:02 +0100 Subject: u-boot-toradex: Add patches to fix RNG not available / failed to init idle CPU ops On colibri-imx7 (nand) linux kernel fails to initialize the CAAM Job Rings, with this error: `caam_jr 30901000.jr: failed to flush job ring` On colibri-imx7-emmc linux kernel fails to initialize CPUidle with this error: `CPUidle arm: CPU 0 failed to init idle CPU ops` CAAM Job Rings linux driver needs that U-Boot allow access to JR registers when running in HYP mode (aka U-Boot non secure-mode) CPUIdle needs PSCI it is active only when HYP mode. Moreover, mainline kernel should be run in HYP mode. So, enable non secure mode on colibri-imx7-emmc and give access at CAAM Job Rings to Non Trusted Zone when running in HYP mode. Related-to: ELB-4940 ELB-5611 Signed-off-by: Emanuele Ghidoli
---
 ...allow-accessing-Job-Ring-from-non-TrustZo.patch | 89 ++++++++++++++++++++++
 ...ibri-imx7-set-non-secure-boot-mode-as-def.patch | 30 ++++++++
 ...ibri-imx7-allow-accessing-job-rings-from-.patch | 43 +++++++++++
 recipes-bsp/u-boot/u-boot-toradex_2022.07.bb | 3 +
 4 files changed, 165 insertions(+)
 create mode 100644 recipes-bsp/u-boot/u-boot-toradex/0001-crypto-fsl-allow-accessing-Job-Ring-from-non-TrustZo.patch
 create mode 100644 recipes-bsp/u-boot/u-boot-toradex/0002-configs-colibri-imx7-set-non-secure-boot-mode-as-def.patch
 create mode 100644 recipes-bsp/u-boot/u-boot-toradex/0003-configs-colibri-imx7-allow-accessing-job-rings-from-.patch
diff --git a/recipes-bsp/u-boot/u-boot-toradex/0001-crypto-fsl-allow-accessing-Job-Ring-from-non-TrustZo.patch b/recipes-bsp/u-boot/u-boot-toradex/0001-crypto-fsl-allow-accessing-Job-Ring-from-non-TrustZo.patch
new file mode 100644
index 0000000..e69d7a2
--- /dev/null
+++ b/recipes-bsp/u-boot/u-boot-toradex/0001-crypto-fsl-allow-accessing-Job-Ring-from-non-TrustZo.patch
@@ -0,0 +1,89 @@
+From 26c1c3009747cbcda9f90881174b389a7d296a2d Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli
+Date: Wed, 20 Mar 2024 10:08:49 +0100
+Subject: [PATCH 1/3] crypto/fsl: allow accessing Job Ring from non-TrustZone
+
+Add a new kconfig option to allow non-secure world access
+to the CAAM Job Ring.
+This is needed, for example, when running linux without
+OP-TEE services, as it's done on Colibri iMX7.
+
+Upstream-Status: Submitted [https://lore.kernel.org/all/20240328101724.127371-1-ghidoliemanuele@gmail.com/]
+Fixes: 51f1357f3428 ("Revert "drivers/crypto/fsl: assign job-rings to non-TrustZone"")
+Signed-off-by: Emanuele Ghidoli
+---
+ drivers/crypto/fsl/Kconfig | 6 ++++++
+ drivers/crypto/fsl/jr.c | 19 +++++++++++++++++++
+ drivers/crypto/fsl/jr.h | 2 ++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/drivers/crypto/fsl/Kconfig b/drivers/crypto/fsl/Kconfig
+index e03fcdd9c7e4..be65abd3f52b 100644
+--- a/drivers/crypto/fsl/Kconfig
++++ b/drivers/crypto/fsl/Kconfig
+@@ -57,6 +57,12 @@ config SYS_FSL_SEC_LE
+
+ if FSL_CAAM
+
++config FSL_CAAM_JR_NTZ_ACCESS
++ bool "Give CAAM Job Ring access to non-secure world"
++ help
++ It is needed when OP-TEE is not used and Freescale CAAM Job Ring linux
++ driver is used.
++
+ config FSL_CAAM_RNG
+ bool "Enable Random Number Generator support"
+ depends on DM_RNG
+diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c
+index acd29924f7e7..09e7b01dab92 100644
+--- a/drivers/crypto/fsl/jr.c
++++ b/drivers/crypto/fsl/jr.c
+@@ -673,6 +673,21 @@ static int rng_init(uint8_t sec_idx, ccsr_sec_t *sec)
+ return ret;
+ }
+
++#if CONFIG_IS_ENABLED(FSL_CAAM_JR_NTZ_ACCESS)
++static void jr_setown_non_trusted(ccsr_sec_t *sec)
++{
++ u32 jrown_ns;
++ int i;
++
++ /* Set ownership of job rings to non-TrustZone mode */
++ for (i = 0; i < ARRAY_SIZE(sec->jrliodnr); i++) {
++ jrown_ns = sec_in32(&sec->jrliodnr[i].ms);
++ jrown_ns |= JROWN_NS | JRMID_NS;
++ sec_out32(&sec->jrliodnr[i].ms, jrown_ns);
++ }
++}
++#endif
++
+ int sec_init_idx(uint8_t sec_idx)
+ {
+ int ret = 0;
+@@ -761,6 +776,10 @@ int sec_init_idx(uint8_t sec_idx)
+ #if CONFIG_IS_ENABLED(OF_CONTROL)
+ init:
+ #endif
++#if CONFIG_IS_ENABLED(FSL_CAAM_JR_NTZ_ACCESS)
++ jr_setown_non_trusted(sec);
++#endif
++
+ ret = jr_init(sec_idx, caam);
+ if (ret < 0) {
+ printf("SEC%u: initialization failed\n", sec_idx);
+diff --git a/drivers/crypto/fsl/jr.h b/drivers/crypto/fsl/jr.h
+index 3eb7be79da41..f46001065403 100644
+--- a/drivers/crypto/fsl/jr.h
++++ b/drivers/crypto/fsl/jr.h
+@@ -37,6 +37,8 @@
+ #define JRNSLIODN_MASK 0x0fff0000
+ #define JRSLIODN_SHIFT 0
+ #define JRSLIODN_MASK 0x00000fff
++#define JROWN_NS 0x00000008
++#define JRMID_NS 0x00000001
+
+ #define JRDID_MS_PRIM_DID BIT(0)
+ #define JRDID_MS_PRIM_TZ BIT(4)
+--
+2.34.1
+
diff --git a/recipes-bsp/u-boot/u-boot-toradex/0002-configs-colibri-imx7-set-non-secure-boot-mode-as-def.patch b/recipes-bsp/u-boot/u-boot-toradex/0002-configs-colibri-imx7-set-non-secure-boot-mode-as-def.patch
new file mode 100644
index 0000000..e2765e6
--- /dev/null
+++ b/recipes-bsp/u-boot/u-boot-toradex/0002-configs-colibri-imx7-set-non-secure-boot-mode-as-def.patch
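Review bot: In the jr.c part of the added 0001 patch, jr_setown_non_trusted() ORs `JROWN_NS | JRMID_NS` into the `.ms` word of every entry of `sec->jrliodnr`, so with FSL_CAAM_JR_NTZ_ACCESS enabled no job ring stays owned by the secure world. The call at the `init:` label is gated only by the Kconfig symbol, not by the mode the kernel is later started in; the rest of sec_init_idx() lies outside the hunk, so a runtime check elsewhere cannot be ruled out. The Kconfig help says when the option is needed but not what it gives away, and I would extend it with something like `All CAAM job rings become owned by the non-secure world. Do not enable when secure-world software (e.g. OP-TEE) uses the CAAM.`. The two new jr.h defines also deserve a one-line comment such as `/* jrliodnr[].ms bits set to hand a job ring to the non-secure world */`, since the neighbouring constants come in SHIFT/MASK pairs and these bare values do not say which field they belong to.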
@@ -0,0 +1,30 @@
+From 5f84fe1258750e40c9943e6d6e70008e318da58c Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli
+Date: Wed, 20 Mar 2024 18:12:02 +0100
+Subject: [PATCH 2/3] configs: colibri-imx7: set non-secure boot mode as
+ default
+
+Linux kernel is supposed to run in non-secure world,
+fix the defconfig accordingly.
+
+Upstream-Status: Submitted [https://lore.kernel.org/all/20240328101724.127371-1-ghidoliemanuele@gmail.com/]
+Signed-off-by: Emanuele Ghidoli
+---
+ configs/colibri_imx7_emmc_defconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/configs/colibri_imx7_emmc_defconfig b/configs/colibri_imx7_emmc_defconfig
+index 0e09127255c1..5839d21d60f6 100644
+--- a/configs/colibri_imx7_emmc_defconfig
++++ b/configs/colibri_imx7_emmc_defconfig
+@@ -7,7 +7,6 @@ CONFIG_DM_GPIO=y
+ CONFIG_DEFAULT_DEVICE_TREE="imx7-colibri-emmc"
+ CONFIG_TARGET_COLIBRI_IMX7=y
+ CONFIG_TARGET_COLIBRI_IMX7_EMMC=y
+-CONFIG_ARMV7_BOOT_SEC_DEFAULT=y
+ CONFIG_IMX_RDC=y
+ CONFIG_IMX_BOOTAUX=y
+ CONFIG_IMX_HAB=y
+--
+2.34.1
+
diff --git a/recipes-bsp/u-boot/u-boot-toradex/0003-configs-colibri-imx7-allow-accessing-job-rings-from-.patch b/recipes-bsp/u-boot/u-boot-toradex/0003-configs-colibri-imx7-allow-accessing-job-rings-from-.patch
new file mode 100644
index 0000000..4b608be
--- /dev/null
+++ b/recipes-bsp/u-boot/u-boot-toradex/0003-configs-colibri-imx7-allow-accessing-job-rings-from-.patch
@@ -0,0 +1,43 @@
+From fa6d076e47356b8a4413a2ace7c2051e4890e297 Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli
+Date: Wed, 20 Mar 2024 19:59:13 +0100
+Subject: [PATCH 3/3] configs: colibri-imx7: allow accessing job-rings from
+ non-TrustZone
+
+Set FSL_CAAM_JR_NTZ_ACCESS configuration since colibri-imx7
+uses Freescale CAAM Job Ring linux driver
+
+Upstream-Status: Submitted [https://lore.kernel.org/all/20240328101724.127371-1-ghidoliemanuele@gmail.com/]
+Signed-off-by: Emanuele Ghidoli
+---
+ configs/colibri_imx7_defconfig | 1 +
+ configs/colibri_imx7_emmc_defconfig | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/configs/colibri_imx7_defconfig b/configs/colibri_imx7_defconfig
+index 9b04ebc8199f..f0ad4aa7d77e 100644
+--- a/configs/colibri_imx7_defconfig
++++ b/configs/colibri_imx7_defconfig
+@@ -61,6 +61,7 @@ CONFIG_TFTP_BLOCKSIZE=16352
+ CONFIG_BOUNCE_BUFFER=y
+ CONFIG_BOOTCOUNT_LIMIT=y
+ CONFIG_BOOTCOUNT_ENV=y
++CONFIG_FSL_CAAM_JR_NTZ_ACCESS=y
+ CONFIG_DFU_NAND=y
+ CONFIG_USB_FUNCTION_FASTBOOT=y
+ CONFIG_FASTBOOT_BUF_ADDR=0x81100000
+diff --git a/configs/colibri_imx7_emmc_defconfig b/configs/colibri_imx7_emmc_defconfig
+index 5839d21d60f6..278115de11aa 100644
+--- a/configs/colibri_imx7_emmc_defconfig
++++ b/configs/colibri_imx7_emmc_defconfig
+@@ -51,6 +51,7 @@ CONFIG_IP_DEFRAG=y
+ CONFIG_TFTP_BLOCKSIZE=16352
+ CONFIG_BOOTCOUNT_LIMIT=y
+ CONFIG_BOOTCOUNT_ENV=y
++CONFIG_FSL_CAAM_JR_NTZ_ACCESS=y
+ CONFIG_USB_FUNCTION_FASTBOOT=y
+ CONFIG_FASTBOOT_BUF_ADDR=0x81100000
+ CONFIG_FASTBOOT_FLASH=y
+--
+2.34.1
+
diff --git a/recipes-bsp/u-boot/u-boot-toradex_2022.07.bb b/recipes-bsp/u-boot/u-boot-toradex_2022.07.bb
index 9e9addc..de8b78b 100644
--- a/recipes-bsp/u-boot/u-boot-toradex_2022.07.bb
+++ b/recipes-bsp/u-boot/u-boot-toradex_2022.07.bb
@@ -35,6 +35,9 @@ TDX_PATCHES = " \
 file://0001-colibri-imx7-Call-fdt_increase_size.patch \
 file://0001-board-colibri_imx7-fix-emmc-detection.patch \
 file://0014-toradex-tdx-cfg-block-Add-new-apalis-and-colibri-pid.patch \
+ file://0001-crypto-fsl-allow-accessing-Job-Ring-from-non-TrustZo.patch \
+ file://0002-configs-colibri-imx7-set-non-secure-boot-mode-as-def.patch \
+ file://0003-configs-colibri-imx7-allow-accessing-job-rings-from-.patch \
 "

 SRC_URI:append = " ${TDX_PATCHES}"
--
cgit v1.2.3