As things stand currently, there is only one PowerPC platform that enables the options for CHAIN_OF_TRUST. From the board header files, remove a number of never-set options. Remove board specific values from arch/powerpc/include/asm/fsl_secure_boot.h as well. Rework include/config_fsl_chain_trust.h to not abuse the CONFIG namespace for constructing CHAIN_BOOT_CMD. Migrate all of the configurable addresses to Kconfig.
If any platforms are re-introduced with secure boot support, everything required should still be here, but now in Kconfig, or requires migration of an option to Kconfig.
Cc: Peng Fan peng.fan@nxp.com Signed-off-by: Tom Rini trini@konsulko.com --- arch/Kconfig.nxp | 40 +++++++++++++++++++ arch/powerpc/include/asm/fsl_secure_boot.h | 43 +-------------------- board/freescale/common/fsl_chain_of_trust.c | 5 ++- configs/T2080QDS_SECURE_BOOT_defconfig | 1 + include/config_fsl_chain_trust.h | 35 +++++++---------- include/configs/P1010RDB.h | 4 +- include/configs/T104xRDB.h | 8 ---- include/configs/corenet_ds.h | 9 ----- 8 files changed, 61 insertions(+), 84 deletions(-)
diff --git a/arch/Kconfig.nxp b/arch/Kconfig.nxp index 5ec0ee076eb1..7a35560282fb 100644 --- a/arch/Kconfig.nxp +++ b/arch/Kconfig.nxp @@ -74,6 +74,46 @@ config SPL_UBOOT_KEY_HASH 41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b. Otherwise leave this empty.
+if PPC + +config BOOTSCRIPT_COPY_RAM + bool "Secure boot copies boot script to RAM" + help + On systems that support chain of trust booting, a number of addresses + are required to set variables that are used in the copying and then + verification of different parts of the system. If enabled, the subsequent + options are for what location to use in each step. + +config BS_ADDR_DEVICE + hex "Address in RAM for bs_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_SIZE + hex "The size of bs_size which is the amount read from bs_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_ADDR_RAM + hex "Address in RAM for bs_ram" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_ADDR_DEVICE + hex "Address in RAM for bs_hdr_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_SIZE + hex "The size of bs_hdr_size which is the amount read from bs_hdr_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_ADDR_RAM + hex "Address in RAM for bs_hdr_ram" + depends on BOOTSCRIPT_COPY_RAM + +config BOOTSCRIPT_HDR_ADDR + hex "CONFIG_BOOTSCRIPT_HDR_ADDR" + default BS_ADDR_RAM if BOOTSCRIPT_COPY_RAM + +endif + config SYS_FSL_SRK_LE def_bool y depends on ARM diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index c062fa5c191c..a96a1ac5d77e 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -10,19 +10,12 @@ #ifdef CONFIG_NXP_ESBC #if defined(CONFIG_FSL_CORENET) #define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000 -#elif defined(CONFIG_TARGET_BSC9132QDS) -#define CONFIG_SYS_PBI_FLASH_BASE 0xc8000000 -#elif defined(CONFIG_TARGET_C29XPCIE) -#define CONFIG_SYS_PBI_FLASH_BASE 0xcc000000 #else #define CONFIG_SYS_PBI_FLASH_BASE 0xce000000 #endif #define CONFIG_SYS_PBI_FLASH_WINDOW 0xcff80000
-#if defined(CONFIG_TARGET_B4860QDS) || \ - defined(CONFIG_TARGET_B4420QDS) || \ - defined(CONFIG_TARGET_T4240QDS) || \ - defined(CONFIG_TARGET_T2080QDS) || \ +#if defined(CONFIG_TARGET_T2080QDS) || \ defined(CONFIG_TARGET_T2080RDB) || \ defined(CONFIG_TARGET_T1042RDB) || \ defined(CONFIG_TARGET_T1042D4RDB) || \ @@ -78,40 +71,6 @@ #endif /* ifdef CONFIG_SPL_BUILD */
#ifndef CONFIG_SPL_BUILD -/* - * fsl_setenv_chain_of_trust() must be called from - * board_late_init() - */ - -/* If Boot Script is not on NOR and is required to be copied on RAM */ -#ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BS_HDR_ADDR_RAM 0x00010000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x00800000 -#define CONFIG_BS_HDR_SIZE 0x00002000 -#define CONFIG_BS_ADDR_RAM 0x00012000 -#define CONFIG_BS_ADDR_DEVICE 0x00802000 -#define CONFIG_BS_SIZE 0x00001000 - -#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_RAM -#else - -/* The bootscript header address is different for B4860 because the NOR - * mapping is different on B4 due to reduced NOR size. - */ -#if defined(CONFIG_TARGET_B4860QDS) || defined(CONFIG_TARGET_B4420QDS) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xecc00000 -#elif defined(CONFIG_FSL_CORENET) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xe8e00000 -#elif defined(CONFIG_TARGET_BSC9132QDS) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x88020000 -#elif defined(CONFIG_TARGET_C29XPCIE) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xec020000 -#else -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000 -#endif - -#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ - #include <config_fsl_chain_trust.h> #endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index 7ffb315bc935..d31fb821817c 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c @@ -12,6 +12,7 @@ #include <fsl_sfp.h> #include <log.h> #include <dm/root.h> +#include <asm/fsl_secure_boot.h>
#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK) #include <spl.h> @@ -76,14 +77,14 @@ int fsl_setenv_chain_of_trust(void)
/* If Boot mode is Secure, set the environment variables * bootdelay = 0 (To disable Boot Prompt) - * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) + * bootcmd = CHAIN_BOOT_CMD (Validate and execute Boot script) */ env_set("bootdelay", "-2");
#ifdef CONFIG_ARM env_set("secureboot", "y"); #else - env_set("bootcmd", CONFIG_CHAIN_BOOT_CMD); + env_set("bootcmd", CHAIN_BOOT_CMD); #endif
return 0; diff --git a/configs/T2080QDS_SECURE_BOOT_defconfig b/configs/T2080QDS_SECURE_BOOT_defconfig index eebe06f8b5b4..4454377a6cb9 100644 --- a/configs/T2080QDS_SECURE_BOOT_defconfig +++ b/configs/T2080QDS_SECURE_BOOT_defconfig @@ -7,6 +7,7 @@ CONFIG_MPC85xx=y CONFIG_TARGET_T2080QDS=y CONFIG_MPC85XX_HAVE_RESET_VECTOR=y CONFIG_ENABLE_36BIT_PHYS=y +CONFIG_BOOTSCRIPT_HDR_ADDR=0xee020000 CONFIG_FSL_USE_PCA9547_MUX=y CONFIG_VID=y CONFIG_VID_FLS_ENV="t208xqds_vdd_mv" diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h index dd01e9668941..380c906ba834 100644 --- a/include/config_fsl_chain_trust.h +++ b/include/config_fsl_chain_trust.h @@ -18,21 +18,21 @@ */
#ifdef CONFIG_USE_BOOTARGS -#define CONFIG_SET_BOOTARGS "setenv bootargs '" CONFIG_BOOTARGS" ';" +#define SET_BOOTARGS "setenv bootargs '" CONFIG_BOOTARGS" ';" #else -#define CONFIG_SET_BOOTARGS "setenv bootargs 'root=/dev/ram " \ +#define SET_BOOTARGS "setenv bootargs 'root=/dev/ram " \ "rw console=ttyS0,115200 ramdisk_size=600000';" #endif
-#define CONFIG_SECBOOT \ +#define SECBOOT \ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ - CONFIG_SET_BOOTARGS \ + SET_BOOTARGS \ "esbc_validate $bs_hdraddr;" \ "source $img_addr;" \ "esbc_halt\0"
#ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BS_COPY_ENV \ +#define BS_COPY_ENV \ "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \ "setenv bs_hdr_device " __stringify(CONFIG_BS_HDR_ADDR_DEVICE)";" \ "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \ @@ -43,33 +43,28 @@ /* For secure boot flow, default environment used will be used */ #if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_NAND_BOOT) || \ defined(CONFIG_SD_BOOT) -#if defined(CONFIG_RAMBOOT_NAND) || defined(CONFIG_NAND_BOOT) -#define CONFIG_BS_COPY_CMD \ +#if defined(CONFIG_NAND_BOOT) +#define BS_COPY_CMD \ "nand read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "nand read $bs_ram $bs_device $bs_size ;" #elif defined(CONFIG_SD_BOOT) -#define CONFIG_BS_COPY_CMD \ +#define BS_COPY_CMD \ "mmc read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "mmc read $bs_ram $bs_device $bs_size ;" #endif #else -#define CONFIG_BS_COPY_CMD \ +#define BS_COPY_CMD \ "cp.b $bs_hdr_device $bs_hdr_ram $bs_hdr_size ;" \ "cp.b $bs_device $bs_ram $bs_size ;" #endif +#else /* !CONFIG_BOOTSCRIPT_COPY_RAM */ +#define BS_COPY_ENV +#define BS_COPY_CMD #endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
-#ifndef CONFIG_BS_COPY_ENV -#define CONFIG_BS_COPY_ENV -#endif - -#ifndef CONFIG_BS_COPY_CMD -#define CONFIG_BS_COPY_CMD -#endif - -#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \ - CONFIG_BS_COPY_CMD \ - CONFIG_SECBOOT +#define CHAIN_BOOT_CMD BS_COPY_ENV \ + BS_COPY_CMD \ + SECBOOT
#endif #endif diff --git a/include/configs/P1010RDB.h b/include/configs/P1010RDB.h index 200b88050cc7..19aebb810c7b 100644 --- a/include/configs/P1010RDB.h +++ b/include/configs/P1010RDB.h @@ -53,7 +53,6 @@ #endif
#ifdef CONFIG_NAND_SECBOOT /* NAND Boot */ -#define CONFIG_RAMBOOT_NAND #define CONFIG_RESET_VECTOR_ADDRESS 0x110bfffc #endif
@@ -348,8 +347,7 @@ extern unsigned long get_sdram_size(void); FTIM2_GPCM_TWP(0x1f)) #define CONFIG_SYS_CS3_FTIM3 0x0
-#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH) || \ - defined(CONFIG_RAMBOOT_NAND) +#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH) #define CONFIG_SYS_RAMBOOT #else #undef CONFIG_SYS_RAMBOOT diff --git a/include/configs/T104xRDB.h b/include/configs/T104xRDB.h index f1738b32c5d6..1c2052608ec5 100644 --- a/include/configs/T104xRDB.h +++ b/include/configs/T104xRDB.h @@ -66,14 +66,6 @@ #define CONFIG_PCIE3 /* PCIE controller 3 */ #define CONFIG_PCIE4 /* PCIE controller 4 */
-#if defined(CONFIG_SPIFLASH) -#elif defined(CONFIG_MTD_RAW_NAND) -#ifdef CONFIG_NXP_ESBC -#define CONFIG_RAMBOOT_NAND -#define CONFIG_BOOTSCRIPT_COPY_RAM -#endif -#endif - /* * These can be toggled for performance analysis, otherwise use default. */ diff --git a/include/configs/corenet_ds.h b/include/configs/corenet_ds.h index 51bc772e2386..6a4fd90ded9a 100644 --- a/include/configs/corenet_ds.h +++ b/include/configs/corenet_ds.h @@ -15,17 +15,8 @@ #include "../board/freescale/common/ics307_clk.h"
#ifdef CONFIG_RAMBOOT_PBL -#ifdef CONFIG_NXP_ESBC #define CONFIG_RAMBOOT_TEXT_BASE CONFIG_SYS_TEXT_BASE #define CONFIG_RESET_VECTOR_ADDRESS 0xfffffffc -#ifdef CONFIG_MTD_RAW_NAND -#define CONFIG_RAMBOOT_NAND -#endif -#define CONFIG_BOOTSCRIPT_COPY_RAM -#else -#define CONFIG_RAMBOOT_TEXT_BASE CONFIG_SYS_TEXT_BASE -#define CONFIG_RESET_VECTOR_ADDRESS 0xfffffffc -#endif #endif
#ifdef CONFIG_SRIO_PCIE_BOOT_SLAVE