Re: [EXT] [PATCH v9 3/7] crypto: caam - determine whether CAAM supports blob encap/decap
From: Michael Walle
Date: Wed May 11 2022 - 06:00:55 EST
Am 2022-05-11 11:48, schrieb Horia Geantă:
On 5/11/2022 12:21 PM, Michael Walle wrote:
Hi,
Am 2022-05-11 11:16, schrieb Pankaj Gupta:
-----Original Message-----
From: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
Sent: Monday, May 9, 2022 6:34 PM
To: Pankaj Gupta <pankaj.gupta@xxxxxxx>; Horia Geanta
<horia.geanta@xxxxxxx>; Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>;
David S.
Miller <davem@xxxxxxxxxxxxx>
Cc: kernel@xxxxxxxxxxxxxx; Michael Walle <michael@xxxxxxxx>; James
Bottomley <jejb@xxxxxxxxxxxxx>; Jarkko Sakkinen <jarkko@xxxxxxxxxx>;
Mimi
Zohar <zohar@xxxxxxxxxxxxx>; David Howells <dhowells@xxxxxxxxxx>;
James
Morris <jmorris@xxxxxxxxx>; Eric Biggers <ebiggers@xxxxxxxxxx>;
Serge
E.
Hallyn <serge@xxxxxxxxxx>; Jan Luebbe <j.luebbe@xxxxxxxxxxxxxx>;
David
Gstir
<david@xxxxxxxxxxxxx>; Richard Weinberger <richard@xxxxxx>; Franck
Lenormand <franck.lenormand@xxxxxxx>; Matthias Schiffer
<matthias.schiffer@xxxxxxxxxxxxxxx>; Sumit Garg
<sumit.garg@xxxxxxxxxx>;
linux-integrity@xxxxxxxxxxxxxxx; keyrings@xxxxxxxxxxxxxxx; linux-
crypto@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
linux-security-
module@xxxxxxxxxxxxxxx
Subject: Re: [EXT] [PATCH v9 3/7] crypto: caam - determine whether
CAAM
supports blob encap/decap
Caution: EXT Email
Hello Pankaj,
On Mon, 2022-05-09 at 12:39 +0000, Pankaj Gupta wrote:
- if (ctrlpriv->era < 10)
+ comp_params = rd_reg32(&ctrl->perfmon.comp_parms_ls);
+ ctrlpriv->blob_present = !!(comp_params & CTPR_LS_BLOB);
+
+ if (ctrlpriv->era < 10) {
rng_vid = (rd_reg32(&ctrl->perfmon.cha_id_ls) &
CHA_ID_LS_RNG_MASK) >>
CHA_ID_LS_RNG_SHIFT;
Check for AES CHAs for Era < 10, should be added.
Do I need this? I only do this check for Era >= 10, because
apparently
there are
Layerscape non-E processors that indicate BLOB support via
CTPR_LS_BLOB, but
fail at runtime. Are there any Era < 10 SoCs that are similarly
broken?
For non-E variants, it might happen that Blob protocol is enabled,
but
number of AES CHA are zero.
If the output of below expression is > 0, then only blob_present
should be marked present or true.
For era > 10, you handled. But for era < 10, please add the below
code.
Are there any CAAMs which can be just enabled partially for era < 10?
I didn't found anything. To me it looks like the non-export controlled
CAAM is only available for era >= 10. For era < 10, the CAAM is either
fully featured there or it is not available at all and thus the node
is removed in the bootloader (at least that is the case for
layerscape).
Qouting from our previous discussion in U-boot:
https://patchwork.ozlabs.org/project/uboot/patch/20200602150904.1997-1-michael@xxxxxxxx/#2457448
"
Based on previous (NXP-internal) discussions, non-E crypto module is:
-fully disabled on: LS1021A (ARMv7), LS1043A, LS1088A, LS2088A
(and their personalities)
-partially [*] disabled on: LS1012A, LS1028A, LS1046A, LX2160A
(and their personalities)
"
From the partially disabled list, LS1028A and LX2160A have CAAM Era 10,
while LS1012A and LS1046A integrate CAAM Era 8.
Thanks for clarification. Do you know it that is a layerscape feature?
I had a look at the imx8mn which have a era 9 and it doesn't have the
PKHA_VERSION register which indicates the partially disabled PKHA
block. Thus I concluded that there is no partially disabled feature
on era < 10.
Unfortunately, I don't have a security manual for the LS1012A and
LS1046A so I cannot check there.
-michael