Working on iMX8QM, with caveats

[cquartier]

I've seen in the past that others have asked for imx8 support, and I was able to get this module working on the imx8qm mek dev kit, but I was unable to figure out how to properly get the SSM status. As that feature only alerts the user I found it fine to just remove that section altogether:

#if CONFIG_HAVE_IMX8_SECO
        // on IMX8 parts with a SECO, we no longer have access to the SNVS registers.
        // the CAAM_CSTA register now holds the SSM status
#else
        page = ioremap(SNVS_HPSR_REG & ~(SZ_4K - 1), SZ_4K);
        offset = SNVS_HPSR_REG & (SZ_4K - 1);
        ssm_state = (__raw_readl(page + offset) & SNVS_HPSR_SSM_STATE_MASK);

        if (ssm_state == SNVS_HPSR_SSM_STATE_TRUSTED) {
                printk(KERN_INFO "caam_keyblob: Trusted State detected\n");
        } else if (ssm_state == SNVS_HPSR_SSM_STATE_SECURE) {
                printk(KERN_INFO "caam_keyblob: Secure State detected\n");
        } else {
                printk(KERN_NOTICE "caam_keyblob: WARNING - not in Trusted or Secure State, Non-volatile Test Key in effect\n");
        }
#endif

The CAAM_CSTA register holds the SSM state, at least in parts with a SECO, and I know that the caam driver in the kernel reads this register, but I was unable to figure out how to properly read it from this module. Unfortunately the CAAM register map lives in the Security Reference Manual for the imx8, which I believe you need a signed NDA with NXP to access.

Also of note were changes to the Makefile and the caam_tool.go file. I built this as part of a yocto project so I don't feel my Makefile changes are portable enough for this repo.

Also because the imx8qm is a 64-bit part, the ioctl constants changed for the caam_tool to:

const (
	// _IOWR(CAAM_KB_MAGIC, 0, struct caam_kb_data)
	CAAM_KB_ENCRYPT = 0xc0304900
	// _IOWR(CAAM_KB_MAGIC, 1, struct caam_kb_data)
	CAAM_KB_DECRYPT = 0xc0304901
)

I didn't feel comfortable presenting my changes as a pull request because I didn't feel I made them portable enough, nor did I know if they broke support for the imx6/7 parts this was known to work for. I'm making this issue in hopes that it helps others that may be looking to use this on imx8 parts.

[abarisani]

We don't have an i.MX8 to test with, however we do have the reference manual for the i.MX7 which also uses CAAM_CSTA.

You can try checking bits 9-8 which are the "Mode of Operation", mapped accordingly:

00b - Non-Secure
01b - Secure
10b - Trusted
11b - Fail

[cquartier]

@abarisani I should clarify that my problem is that I can't figure out how to successfully ioremap the CAAM_CSTA register in order to access it. I'm admittedly not well-versed in kernel driver development, but adapting the existing code which reads the SNVS register didn't work for me. Its highly likely that I have the register addressing wrong. Its also possible the 64-bit capability of the A53 core means I can't adapt the existing code. Unfortunately I only had so much time to devote to this, and without reading the SSM state the module works well enough for our application.

[abarisani]

Understood. I will keep this issue open as long as we cannot find a way to fix this, which dev board are you using, can you share your modifications to help us in supporting you on this? Thanks.

[embetrix]

@cquartier for the i.MX8 I used successfully the following code from NXP :

https://source.codeaurora.org/external/imxsupport/imx_sec_apps/tree/demo-caam-blobs

[Oquirella]

@embexus Can that be integrated in the current project? It would be wonderfully if it also could support the different iMX8 boards.