Thread (16 messages) 16 messages, 4 authors, 2022-05-11

Re: [PATCH v8 0/6] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys

From: Ahmad Fatoum <a.fatoum@pengutronix.de>
Date: 2022-05-11 10:45:20
Also in: keyrings, linux-crypto, linux-integrity, lkml 

Hello John,

On 07.05.22 23:30, John Ernberg wrote:
Hi Ahmad,
quoted
quoted
dmesg snips:
[    1.296772] trusted_key: Job Ring Device allocation for transform failed
...
[    1.799768] caam 31400000.crypto: device ID = 0x0a16040000000100 (Era 9)
[    1.807142] caam 31400000.crypto: job rings = 2, qi = 0
[    1.822667] caam algorithms registered in /proc/crypto
[    1.830541] caam 31400000.crypto: caam pkc algorithms registered in /proc/crypto
[    1.841807] caam 31400000.crypto: registering rng-caam

I didn't quite have the time to get a better trace than that.
I don't see a crypto@31400000 node upstream. Where can I see your device tree?
Apologies for forgetting to mention that, I took it from the NXP tree
while removing the SM and SECO bits [1].
I also had to rebase some of their patches onto 5.17 for the CAAM to
probe, as the SCU makes some register pages unavailable.
If the CAAM has a dependency on some SCU-provided resource, this
would explain why the driver probes it that late.
quoted
Initcall ordering does the right thing, but if CAAM device probe is deferred beyond
late_initcall, then it won't help.

This is a general limitation with trusted keys at the moment. Anything that's
not there by the time of the late_initcall won't be tried again. You can work
around it by having trusted keys as a module. We might be able to do something
with fw_devlinks in the future and a look into your device tree would help here,
but I think that should be separate from this patch series.
Thank for you the explanation, it makes sense, and I agree that such work
would be a different patch set.
quoted
Please let me know if the module build improves the situation for you.
After I changed trusted keys to a module I got it working. Which is good
enough for me as QXP CAAM support is not upstream yet.
Great!

Feel free to add my tested by if you need to make another spin.
Tested-by: John Ernberg <redacted> # iMX8QXP

I didn't test v9 as I would have to patch around the new patch due to
the SCU.
Thanks for the test. I will add it to v10 except for

 - "crypto: caam - determine whether CAAM supports blob encap/decap", which
   was new in v9
 - "doc: trusted-encrypted: describe new CAAM trust source",
   "MAINTAINERS: add KEYS-TRUSTED-CAAM" as runtime test isn't affected by these.

Cheers,
Ahmad

Best regards // John Ernberg

[1]: https://source.codeaurora.org/external/imx/linux-imx/tree/arch/arm64/boot/dts/freescale/imx8-ss-security.dtsi?h=lf-5.10.y

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help