Hi,

On Wed, 2020-04-22 at 13:44 +0200, Albert Schwarzkopf wrote:
> The current CSF config used by barebox does not allow a successful
> bootup of OP-TEE within a closed HAB configuration. As specified
> in section 2.1 of the application notes [1], OP-TEE requires that
> the "UNLOCK MID" HAB command is present in the CSF file for
> this case.
>
> This patch adds the mentioned command if support for OP-TEE is
> enabled in the configuration. It's based on the discussion
> in [2].
>
> [1] https://www.nxp.com/docs/en/application-note/AN12056.pdf
> [2] https://github.com/OP-TEE/optee_os/issues/3609
>
> Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@xxxxxxxxx>
> ---
> arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> index 581887960..0e6c7e2dd 100644
> --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> @@ -29,7 +29,11 @@ hab [Authenticate CSF]
>
> hab [Unlock]
> hab Engine = CAAM
> +#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)
> +hab Features = MID,RNG
> +#else
> hab Features = RNG
> +#endif

I don't see any reason to not unlock the MID settings in a secure
configuration without OP-TEE. MID Setup only really makes sense if
normal and secure world require different access policies to the CAAM,
which isn't the case if only Linux is run in the secure world.

AFAIK unlocked MID should not prevent Linux from working correctly with
the CAAM even if no OP-TEE is present, although I have not specifically
tested this case.

Regards,
Rouven Czerwinski
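
Review bot: the new `#if defined(CONFIG_BOOTM_OPTEE) || defined(CONFIG_PBL_OPTEE)` branch in the `[Unlock]` block has no comment saying why `MID` is added to `Features`. The reason exists only in the commit message (OP-TEE needs the "UNLOCK MID" command, section 2.1 of AN12056), so a short comment above the `#if` naming that requirement would keep it next to the setting it justifies. Both branches also repeat the full `hab Features = ...` line, so a later change to the unlocked features has to be made in two places; if the conditional stays, say so in that comment.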