
Chain of Trust is enabled for ARM platforms (LS1021 and LS1043). Compile time Secure Boot targets are removed. In board_late_init(), fsl_setenv_chain_of_trust() is called which will perform the following: - If boot mode is non-secure, return (No Change) - If boot mode is secure, set the following environment variables: bootdelay = 0 (To disable Boot Prompt) bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
Signed-off-by: Aneesh Bansal aneesh.bansal@freescale.com
---
 arch/arm/cpu/armv8/fsl-layerscape/soc.c | 4 ++++
 board/freescale/common/Makefile | 1 +
 board/freescale/common/fsl_chain_of_trust.c | 17 +++++++++++++++++
 board/freescale/ls1021aqds/ls1021aqds.c | 4 ++++
 board/freescale/ls1021atwr/ls1021atwr.c | 4 ++++
 configs/ls1021aqds_nor_SECURE_BOOT_defconfig | 7 -------
 configs/ls1021atwr_nor_SECURE_BOOT_defconfig | 7 -------
 configs/ls1043ardb_SECURE_BOOT_defconfig | 9 ---------
 include/fsl_validate.h | 2 ++
 9 files changed, 32 insertions(+), 23 deletions(-)
 delete mode 100644 configs/ls1021aqds_nor_SECURE_BOOT_defconfig
 delete mode 100644 configs/ls1021atwr_nor_SECURE_BOOT_defconfig
 delete mode 100644 configs/ls1043ardb_SECURE_BOOT_defconfig
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/soc.c b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
index 23d6b73..2f92b55 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
@@ -12,6 +12,7 @@
 #include <asm/io.h>
 #include <asm/global_data.h>
 #include <asm/arch-fsl-layerscape/config.h>
+#include <fsl_validate.h>
DECLARE_GLOBAL_DATA_PTR;
@@ -241,6 +242,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
+#endif
return 0;
 }
diff --git a/board/freescale/common/Makefile b/board/freescale/common/Makefile
index 9af8782..eef518e 100644
--- a/board/freescale/common/Makefile
+++ b/board/freescale/common/Makefile
@@ -74,5 +74,6 @@ obj-$(CONFIG_P5040DS) += p_corenet/
 obj-$(CONFIG_LAYERSCAPE_NS_ACCESS) += ns_access.o
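Review bot: The result of `fsl_setenv_chain_of_trust();` is discarded in the soc.c board_late_init() hunk, which then falls through to `return 0;` regardless. In secure boot mode this call is the only step in the patch that switches `bootcmd` to the validating command, so a failure should stop the boot rather than continue with whatever environment is already loaded, for example `if (fsl_setenv_chain_of_trust()) return -1;` (this assumes a non-zero return from board_late_init() halts the init sequence on this tree, which is not visible here). The helper added in fsl_chain_of_trust.c currently always returns 0, so the check only becomes effective once it reports errors. The same applies to the board_late_init() hunks in ls1021aqds.c and ls1021atwr.c; in all three the function body begins outside the hunk.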
obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
+obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
endif
diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c
index ff67bd7..ecfcc82 100644
--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@@ -51,3 +51,20 @@ int fsl_check_boot_mode_secure(void)
 #endif
 return 0;
 }
+
+int fsl_setenv_chain_of_trust(void)
+{
+ /* Check Boot Mode
+ * If Boot Mode is Non-Secure, no changes are required
+ */
+ if (fsl_check_boot_mode_secure() == 0)
+ return 0;
+
+ /* If Boot mode is Secure, set the environment variables
+ * bootdelay = 0 (To disable Boot Prompt)
+ * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+ */
+ setenv("bootdelay", "0");
+ setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+ return 0;
+}
diff --git a/board/freescale/ls1021aqds/ls1021aqds.c b/board/freescale/ls1021aqds/ls1021aqds.c
index be3358a..5f4ec9d 100644
--- a/board/freescale/ls1021aqds/ls1021aqds.c
+++ b/board/freescale/ls1021aqds/ls1021aqds.c
@@ -22,6 +22,7 @@
 #include <fsl_sec.h>
 #include <spl.h>
 #include <fsl_devdis.h>
+#include <fsl_validate.h>
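Review bot: Both `setenv()` calls at the end of fsl_setenv_chain_of_trust() in fsl_chain_of_trust.c ignore their return value, and the function returns 0 unconditionally. In secure mode a failed update therefore leaves the previous `bootdelay` and `bootcmd` in effect, and the boot continues without the validating command. Fail closed instead: `if (setenv("bootdelay", "0") || setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD)) return -1;`. Whether `bootdelay = 0` really removes the abort window depends on the autoboot configuration, which this patch does not show; U-Boot documents `-2` as the value that skips the abort check, so confirm that 0 is sufficient on these boards. Only these two variables are overridden, so a comment should state where the rest of the secure-mode environment comes from and that it is not loaded from writable storage, if that is the case.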
#include "../common/sleep.h"
 #include "../common/qixis.h"
@@ -369,6 +370,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
+#endif
return 0;
 }
diff --git a/board/freescale/ls1021atwr/ls1021atwr.c b/board/freescale/ls1021atwr/ls1021atwr.c
index 8eaff5f..b85774c 100644
--- a/board/freescale/ls1021atwr/ls1021atwr.c
+++ b/board/freescale/ls1021atwr/ls1021atwr.c
@@ -30,6 +30,7 @@
 #ifdef CONFIG_U_QE
 #include "../../../drivers/qe/qe.h"
 #endif
+#include <fsl_validate.h>
DECLARE_GLOBAL_DATA_PTR;
@@ -549,6 +550,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
+#endif
return 0;
 }
diff --git a/configs/ls1021aqds_nor_SECURE_BOOT_defconfig b/configs/ls1021aqds_nor_SECURE_BOOT_defconfig
deleted file mode 100644
index 025a8f2..0000000
--- a/configs/ls1021aqds_nor_SECURE_BOOT_defconfig
+++ /dev/null
@@ -1,7 +0,0 @@
-CONFIG_ARM=y
-CONFIG_TARGET_LS1021AQDS=y
-CONFIG_SYS_EXTRA_OPTIONS="SECURE_BOOT"
-# CONFIG_CMD_SETEXPR is not set
-CONFIG_NETDEVICES=y
-CONFIG_E1000=y
-CONFIG_SYS_NS16550=y
diff --git a/configs/ls1021atwr_nor_SECURE_BOOT_defconfig b/configs/ls1021atwr_nor_SECURE_BOOT_defconfig
deleted file mode 100644
index bf19c33..0000000
--- a/configs/ls1021atwr_nor_SECURE_BOOT_defconfig
+++ /dev/null
@@ -1,7 +0,0 @@
-CONFIG_ARM=y
-CONFIG_TARGET_LS1021ATWR=y
-CONFIG_SYS_EXTRA_OPTIONS="SECURE_BOOT"
-# CONFIG_CMD_SETEXPR is not set
-CONFIG_NETDEVICES=y
-CONFIG_E1000=y
-CONFIG_SYS_NS16550=y
diff --git a/configs/ls1043ardb_SECURE_BOOT_defconfig b/configs/ls1043ardb_SECURE_BOOT_defconfig
deleted file mode 100644
index d9d6c97..0000000
--- a/configs/ls1043ardb_SECURE_BOOT_defconfig
+++ /dev/null
@@ -1,9 +0,0 @@
-CONFIG_ARM=y
-CONFIG_TARGET_LS1043ARDB=y
-CONFIG_SYS_EXTRA_OPTIONS="SYS_FSL_DDR4, SECURE_BOOT"
-CONFIG_SYS_NS16550=y
-CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1043a-rdb"
-CONFIG_OF_CONTROL=y
-CONFIG_DM=y
-CONFIG_SPI_FLASH=y
-CONFIG_DM_SPI=y
\ No newline at end of file
diff --git a/include/fsl_validate.h b/include/fsl_validate.h
index ad14867..83efcf4 100644
--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -205,4 +205,6 @@ int fsl_secboot_blob_encap(cmd_tbl_t *cmdtp, int flag, int argc,
 int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int argc,
 char * const argv[]);
+int fsl_check_boot_mode_secure(void);
+int fsl_setenv_chain_of_trust(void);
 #endif