include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto/fsl: instantiate the RNG with prediciton resistance

If it is already instantiated tear it down first and then reinstanciate
it again with prediction resistance.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: don't regenerate secure keys

The secure keys (TDKEK, JDKEK, TDSK) can only be generated once after a
POR. Otherwise the RNG4 will throw an error.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: support newer SEC modules

Since Era 10, the version registers changed. Add the version registers
and use them on newer modules.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

crypto/fsl: export caam_get_era()

We need the era in other modules, too. For example, to get the RNG
version.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

armv8: lx2160a: add icid setup for platform devices

Add ICID setup for the platform devices contained on this chip: usb,
sata, sdhc, sec.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>

fsl_sec: fix register layout on Layerscape architectures

On Layerscape architectures the SEC memory map is 1MB and the
register blocks contained in it are 64KB aligned, not 4KB as
the ccsr_sec structure currently assumes. Fix the layout of
the structure for these architectures.

Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Bharat Bhushan <bharat.bhushan@nxp.com>
Reviewed-by: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>

include: Drop <common.h> from include lists

At this point, we don't need to have <common.h> be included because of
properties in the header itself, it only includes other common header
files. We've also audited the code enough at this point that we can drop
<common.h> from being included in headers and rely on code to have the
correct inclusions themselves, or at least <common.h>.

Signed-off-by: Tom Rini <trini@konsulko.com>

imx: fsl_sec: preprocessor casting issue with addresses involving math

The sec_in32 preprocessor is defined as follows in include/fsl_sec.h file:
When address "a" is calculated using math for ex: addition of base address and
an offset, then casting is applied only to the first address which in this
example is base address.

caam_ccbvid_reg = sec_in32(CONFIG_SYS_FSL_SEC_ADDR + CAAM_CCBVID_OFFSET)
resolves to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET)
instead it should resolve to:
caam_ccbvid_reg = in_le32((ulong *)(ulong)(CONFIG_SYS_FSL_SEC_ADDR +
CAAM_CCBVID_OFFSET))

Thus add parenthesis around the address "a" so that however the address is
calculated, the casting is applied to the final calculated address.

Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

global: Migrate CONFIG_SYS_FSL* symbols to the CFG_SYS namespace

Migrate all of COFIG_SYS_FSL* to the CFG_SYS namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

i.MX6SX: crypto/fsl: fix entropy delay value

RNG Hardware error is reported due to incorrect entropy delay

rng self test are run to determine the correct ent_dly.
test is executed with different voltage and temperature to identify the
worst case value for ent_dly. after adding a margin value(1000),
ent_dly should be at least 12000.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>

crypto/fsl: i.MX8: Enable Job ring driver model.

i.MX8(QM/QXP) - added support for JR driver model.
sec is initialized based on job ring information processed
from device tree.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>

imx8m: Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add secure memory vid 3 support

In i.MX8M platforms the secure memory block has a newer version
than those used in i.MX6/7 platforms, this patch update the driver
to use the correct registers offsets.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Fix build warnings pointer casting

Enabling CAAM driver for i.MX8M platforms, a 64 bits architecture,
lead to casting warnings: from/to pointer to/from integer with
different size. This patch fix these warnings

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

crypto: caam: Add CAAM support to i.MX8M platforms

This patch enable CAAM support for i.MX8M platforms.

Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

caam: enable support for iMX7ULP

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

cmd: blob: Instantiate RNG before running CMD_BLOB

U-Boot can instantiate CAAM RNG if needed by crypto operations.
Call sec_init() prior running a blob operation to ensure
RNG is correctly instantiated.

Make sure CAAM clock is enabled and check if a job ring is
available for that operation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

imx: imx7 Support for Manufacturing Protection

This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>