[HABv4] Unlock MID command and CAAM Usage Limitations

Background:

The CAAM MID (or DID) registers can be configured to set the TrustZone and master ownership of a given CAAM module. Depending on the application, it may be necessary to set up an access policy so that the CAAM can be used by different masters and from the non-secure TrustZone world.

Once the desired configuration is programmed, the register configuration can be locked (LDID) so that no further changes can be made until reset.

Issue Description:

On devices with a HAB version prior to v4.4.0, the HAB code locks the job ring and DECO MID registers in the closed Secure configuration. The default configuration assigns the job rings and DECO to the secure world only.

If the MID (or DID) registers are locked, the bootloader cannot configure the CAAM registers, and the following errors may occur when trying to use the CAAM from the non-secure world.

- Kernel:

[ 3.285187] caam_jr 30901000.jr0: failed to flush job ring 0
[ 3.293910] caam_jr: probe of 30901000.jr0 failed with error -5
[ 3.300025] caam_jr 30902000.jr1: failed to flush job ring 1
[ 3.305733] caam_jr: probe of 30902000.jr1 failed with error -5
[ 3.311837] caam_jr 30903000.jr2: failed to flush job ring 2

- U-Boot:

RNG: Instantiation failed with error fffffffe
RNG: Failed to instantiate RNG
SEC0: RNG instantiation failed

Workaround:

If the application requires changes to the CAAM MID (or DID) registers, it is necessary to add the "Unlock CAAM MID" command to the CSF file.

[Unlock]
     Engine = CAAM
     Features = MID

This command should be added to the first image that boots on the device. Please note that the Unlock command is already included by default in the signed HDMI and DisplayPort firmware, so there is no need to add it on i.MX 8MQ devices when HDMI is enabled.
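A build-time check for the workaround above, as an added example (not NXP's code): it parses a CSF file and reports whether an active [Unlock] command with Engine = CAAM and Features = MID is present, so a commented-out copy does not pass. The `#` comment and `\` continuation handling, the comma-separated feature list, and the sample CSF fragments are assumptions constructed for illustration.

```python
import re

def parse_csf(text):
    """Parse CSF text into [(command, {key: value}), ...] in file order."""
    text = re.sub(r"\\[ \t]*\n", " ", text)      # join '\' continuation lines
    commands = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '#' comments (assumed syntax)
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            commands.append((header.group(1).lower(), {}))
        elif "=" in line and commands:
            key, value = line.split("=", 1)
            commands[-1][1][key.strip().lower()] = value.strip()
    return commands

def has_caam_mid_unlock(text):
    """True if an active [Unlock] command names Engine CAAM and feature MID."""
    for name, args in parse_csf(text):
        if name != "unlock" or args.get("engine", "").upper() != "CAAM":
            continue
        features = {f.strip().upper() for f in args.get("features", "").split(",")}
        if "MID" in features:
            return True
    return False

# Constructed sample CSF fragments for illustration.
CSF_OK = """[Header]
    Engine = CAAM
[Unlock]
    Engine = CAAM
    Features = MID
"""
CSF_COMMENTED_OUT = """[Header]
    Engine = CAAM
# [Unlock]
#     Engine = CAAM
#     Features = MID
"""
CSF_OTHER_FEATURE = """[Unlock]
    Engine = CAAM
    Features = RNG
"""

if __name__ == "__main__":
    for label, csf in [("ok", CSF_OK), ("commented out", CSF_COMMENTED_OUT),
                       ("other feature", CSF_OTHER_FEATURE)]:
        print(f"{label}: unlock present = {has_caam_mid_unlock(csf)}")
```

Run against the CSF of the first image to boot, this can gate a signing pipeline for the affected BSP configurations.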

The current NXP BSP implementation expects the CAAM registers to be unlocked when configuring the CAAM to operate in the non-secure TrustZone world. This is the case for:

- All i.MX 8MQ and i.MX 8MM Linux and Android users.
- All i.MX 6, i.MX 7, and i.MX 7ULP OP-TEE users.

Devices supporting HAB v4.4.0 and newer have the proper fix in place and are therefore not impacted.

This issue does not compromise the i.MX security.

Last update:
‎06-22-2020 12:16 PM