[PATCH 1/4] arch/Kconfig.nxp: Re-organize slightly

Make all of the CHAIN_OF_TRUST options be under a single menu and add a comment for the rest, so the resulting config file reads more clearly. Remove duplicate CHAIN_OF_TRUST options from board/congatec/common/Kconfig. Remove duplicate NXP_ESBC config questions and move to arch/Kconfig.nxp.
Signed-off-by: Tom Rini trini@konsulko.com --- arch/Kconfig.nxp | 30 +++++++++++------ arch/arm/cpu/armv7/ls102xa/Kconfig | 6 ---- arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 15 +++------ arch/powerpc/cpu/mpc85xx/Kconfig | 6 ---- board/congatec/common/Kconfig | 41 ----------------------- 5 files changed, 24 insertions(+), 74 deletions(-)
diff --git a/arch/Kconfig.nxp b/arch/Kconfig.nxp index 1e26f1dc5372..f72c513aa6a8 100644 --- a/arch/Kconfig.nxp +++ b/arch/Kconfig.nxp @@ -1,7 +1,13 @@ -config CHAIN_OF_TRUST +config NXP_ESBC + bool "NXP ESBC (secure boot) functionality" + help + Enable Freescale Secure Boot feature. Normally selected by defconfig. + If unsure, do not change. + +menu "Chain of trust / secure boot options" depends on !FIT_SIGNATURE && NXP_ESBC - imply CMD_BLOB - imply CMD_HASH if ARM + +config CHAIN_OF_TRUST select FSL_CAAM select FSL_SEC_MON select SPL_BOARD_INIT if (ARM && SPL) @@ -11,12 +17,12 @@ config CHAIN_OF_TRUST select ENV_IS_NOWHERE select CMD_EXT4 if ARM select CMD_EXT4_WRITE if ARM - bool - default y + imply CMD_BLOB + imply CMD_HASH if ARM + def_bool y
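Review bot: The relocated `config NXP_ESBC` at the top of arch/Kconfig.nxp has a prompt but no `depends on`, whereas the three removed copies lived in the ls102xa, fsl-layerscape and mpc85xx Kconfig files and were only offered on those SoC families. If arch/Kconfig.nxp is also sourced for other targets (not visible in this patch), the secure-boot switch becomes selectable there. Through the menu's `depends on !FIT_SIGNATURE && NXP_ESBC` it would then turn on `CHAIN_OF_TRUST`, with its `select FSL_CAAM` and `select ENV_IS_NOWHERE` side effects. Consider restricting it to the families that offered it before, e.g. `depends on ARCH_LS1021A || FSL_LAYERSCAPE || MPC85xx`, after confirming the exact symbols against the conditions enclosing the removed entries.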
config CMD_ESBC_VALIDATE bool "Enable the 'esbc_validate' and 'esbc_halt' commands" - depends on CHAIN_OF_TRUST default y help This option enables two commands used for secure booting: @@ -35,15 +41,14 @@ config ESBC_ADDR_64BIT
config SYS_FSL_SFP_BE def_bool y - depends on CHAIN_OF_TRUST && (PPC || FSL_LSCH2 || ARCH_LS1021A) + depends on PPC || FSL_LSCH2 || ARCH_LS1021A
config SYS_FSL_SFP_LE def_bool y - depends on CHAIN_OF_TRUST && !SYS_FSL_SFP_BE + depends on !SYS_FSL_SFP_BE
choice prompt "SFP IP revision" - depends on CHAIN_OF_TRUST default SYS_FSL_SFP_VER_3_0 if PPC default SYS_FSL_SFP_VER_3_4
@@ -60,11 +65,14 @@ endchoice
config SYS_FSL_SRK_LE def_bool y - depends on CHAIN_OF_TRUST && ARM + depends on ARM
config KEY_REVOCATION def_bool y - depends on CHAIN_OF_TRUST + +endmenu + +comment "Other functionality shared between NXP SoCs"
config DEEP_SLEEP bool "Enable SoC deep sleep feature" diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig b/arch/arm/cpu/armv7/ls102xa/Kconfig index c496e6439199..a901360fa7d8 100644 --- a/arch/arm/cpu/armv7/ls102xa/Kconfig +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig @@ -41,12 +41,6 @@ config MAX_CPUS cores, count the reserved ports. This will allocate enough memory in spin table to properly handle all cores.
-config NXP_ESBC - bool "NXP_ESBC" - help - Enable Freescale Secure Boot feature. Normally selected - by defconfig. If unsure, do not change. - config SYS_CCI400_OFFSET hex "Offset for CCI400 base" depends on SYS_FSL_HAS_CCI400 diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig index 7f08733a35b6..602b624dca52 100644 --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig @@ -26,7 +26,7 @@ config ARCH_LS1012A config ARCH_LS1028A bool select ARMV8_SET_SMPEN - select ESBC_HDR_LS + select ESBC_HDR_LS if CHAIN_OF_TRUST select FSL_LAYERSCAPE select FSL_LSCH3 select GICV3 @@ -139,7 +139,7 @@ config ARCH_LS1088A bool select ARMV8_SET_SMPEN select ARM_ERRATA_855873 if !TFABOOT - select ESBC_HDR_LS + select ESBC_HDR_LS if CHAIN_OF_TRUST select FSL_IFC select FSL_LAYERSCAPE select FSL_LSCH3 @@ -189,7 +189,7 @@ config ARCH_LS2080A select ARM_ERRATA_828024 select ARM_ERRATA_829520 select ARM_ERRATA_833471 - select ESBC_HDR_LS + select ESBC_HDR_LS if CHAIN_OF_TRUST select FSL_IFC select FSL_LAYERSCAPE select FSL_LSCH3 @@ -242,7 +242,7 @@ config ARCH_LS2080A config ARCH_LX2162A bool select ARMV8_SET_SMPEN - select ESBC_HDR_LS + select ESBC_HDR_LS if CHAIN_OF_TRUST select FSL_DDR_BIST select FSL_DDR_INTERACTIVE select FSL_LAYERSCAPE @@ -281,7 +281,7 @@ config ARCH_LX2162A config ARCH_LX2160A bool select ARMV8_SET_SMPEN - select ESBC_HDR_LS + select ESBC_HDR_LS if CHAIN_OF_TRUST select FSL_DDR_BIST select FSL_DDR_INTERACTIVE select FSL_LAYERSCAPE @@ -461,11 +461,6 @@ config EMC2305 Enable the EMC2305 fan controller for configuration of fan speed.
-config NXP_ESBC - bool "NXP_ESBC" - help - Enable Freescale Secure Boot feature - config QSPI_AHB_INIT bool "Init the QSPI AHB bus" help diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig b/arch/powerpc/cpu/mpc85xx/Kconfig index 0ef5e730bdc2..e7003d3b647e 100644 --- a/arch/powerpc/cpu/mpc85xx/Kconfig +++ b/arch/powerpc/cpu/mpc85xx/Kconfig @@ -827,12 +827,6 @@ config FSL_LAW config HETROGENOUS_CLUSTERS bool
-config NXP_ESBC - bool "NXP_ESBC" - help - Enable Freescale Secure Boot feature. Normally selected - by defconfig. If unsure, do not change. - config MAX_CPUS int "Maximum number of CPUs permitted for MPC85xx" default 12 if ARCH_T4240 diff --git a/board/congatec/common/Kconfig b/board/congatec/common/Kconfig index d4a238de99bc..a1f2139219b1 100644 --- a/board/congatec/common/Kconfig +++ b/board/congatec/common/Kconfig @@ -1,44 +1,3 @@ -if !ARCH_IMX8M && !ARCH_IMX8 - -config CHAIN_OF_TRUST - depends on !FIT_SIGNATURE && SECURE_BOOT - imply CMD_BLOB - imply CMD_HASH if ARM - select FSL_CAAM - select SPL_BOARD_INIT if (ARM && SPL) - select SHA_HW_ACCEL - select SHA_PROG_HW_ACCEL - select ENV_IS_NOWHERE - select CMD_EXT4 if ARM - select CMD_EXT4_WRITE if ARM - bool - default y - -config CMD_ESBC_VALIDATE - bool "Enable the 'esbc_validate' and 'esbc_halt' commands" - default y if CHAIN_OF_TRUST - help - This option enables two commands used for secure booting: - - esbc_validate - validate signature using RSA verification - esbc_halt - put the core in spin loop (Secure Boot Only) - -endif - -config VOL_MONITOR_LTC3882_READ - depends on VID - bool "Enable the LTC3882 voltage monitor read" - help - This option enables LTC3882 voltage monitor read - functionality. It is used by common VID driver. - -config VOL_MONITOR_LTC3882_SET - depends on VID - bool "Enable the LTC3882 voltage monitor set" - help - This option enables LTC3882 voltage monitor set - functionality. It is used by common VID driver. - config USB_TCPC bool "USB Typec port controller simple driver" help

Move setting of SPL_UBOOT_KEY_HASH to a non-NULL value to Kconfig. As part of this, change fsl_secboot_validate(...) to check that it is passed a non-empty string, rather than non-NULL.
Cc: Peng Fan peng.fan@nxp.com Cc: Priyanka Jain priyanka.jain@nxp.com Cc: Kshitiz Varshney kshitiz.varshney@nxp.com Signed-off-by: Tom Rini trini@konsulko.com --- arch/Kconfig.nxp | 11 +++++++++++ arch/arm/include/asm/fsl_secure_boot.h | 13 ------------- arch/powerpc/include/asm/fsl_secure_boot.h | 10 ---------- board/freescale/common/fsl_validate.c | 2 +- 4 files changed, 12 insertions(+), 24 deletions(-)
diff --git a/arch/Kconfig.nxp b/arch/Kconfig.nxp index f72c513aa6a8..5ec0ee076eb1 100644 --- a/arch/Kconfig.nxp +++ b/arch/Kconfig.nxp @@ -63,6 +63,17 @@ config SYS_FSL_SFP_VER_3_4
endchoice
+config SPL_UBOOT_KEY_HASH + string "Non-SRK key hash for U-Boot public/private key pair" + depends on SPL + default "" + help + Set the key hash for U-Boot here if public/private key pair used to + sign U-boot are different from the SRK hash put in the fuse. Example + of a key hash is + 41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b. + Otherwise leave this empty. + config SYS_FSL_SRK_LE def_bool y depends on ARM diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 09c88841e0c0..9c9e1dab9a41 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -8,19 +8,6 @@ #define __FSL_SECURE_BOOT_H
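Review bot: The help text for `SPL_UBOOT_KEY_HASH` gives an example value but does not state the expected format or what the empty default means at run time. The example is 64 hex digits and the consumer in fsl_validate.c fills a `u32 srk_hash[8]`, so the help could say so, for instance `The value is 64 hexadecimal digits (256 bits); when left empty the SRK hash from the fuses is used.`, with the wording confirmed against the parser. Whether a short or non-hex string is rejected depends on code in fsl_secboot_validate() that is outside this patch. Until that is confirmed, a mistyped hash should be assumed to need an explicit check.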
#ifdef CONFIG_CHAIN_OF_TRUST -#ifdef CONFIG_SPL_BUILD -/* - * Define the key hash for U-Boot here if public/private key pair used to - * sign U-boot are different from the SRK hash put in the fuse - * Example of defining KEY_HASH is - * #define CONFIG_SPL_UBOOT_KEY_HASH \ - * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" - * else leave it defined as NULL - */ - -#define CONFIG_SPL_UBOOT_KEY_HASH NULL -#endif /* ifdef CONFIG_SPL_BUILD */ - #ifndef CONFIG_SPL_BUILD #ifndef CONFIG_SYS_RAMBOOT /* The key used for verification of next level images diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index 9ae4c590f1d5..c062fa5c191c 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -75,16 +75,6 @@ #define CONFIG_SPL_SPAACT_ADDR 0x2f000000 #define CONFIG_SPL_JR0_LIODN_S 454 #define CONFIG_SPL_JR0_LIODN_NS 458 -/* - * Define the key hash for U-Boot here if public/private key pair used to - * sign U-boot are different from the SRK hash put in the fuse - * Example of defining KEY_HASH is - * #define CONFIG_SPL_UBOOT_KEY_HASH \ - * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" - * else leave it defined as NULL - */ - -#define CONFIG_SPL_UBOOT_KEY_HASH NULL #endif /* ifdef CONFIG_SPL_BUILD */
#ifndef CONFIG_SPL_BUILD diff --git a/board/freescale/common/fsl_validate.c b/board/freescale/common/fsl_validate.c index 34875d0b8f25..f1a0b0cfc34c 100644 --- a/board/freescale/common/fsl_validate.c +++ b/board/freescale/common/fsl_validate.c @@ -871,7 +871,7 @@ int fsl_secboot_validate(uintptr_t haddr, char *arg_hash_str, int ret, i, hash_cmd = 0; u32 srk_hash[8];
- if (arg_hash_str != NULL) {
+ if (strlen(arg_hash_str) != 0) {
 const char *cp = arg_hash_str;
 int i = 0;
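Review bot: `strlen(arg_hash_str)` dereferences the pointer, so the new condition turns a NULL argument from "no override hash" into a NULL-pointer read inside fsl_secboot_validate(). The series only converts `CONFIG_SPL_UBOOT_KEY_HASH` to a string; `PPA_KEY_HASH` is still defined as `NULL` in arch/arm/include/asm/fsl_secure_boot.h (context lines of the next patch). Any other caller that passes NULL when no hash argument is supplied would hit the same path, but the callers are not visible here, so this needs checking. Accepting both forms keeps the old contract: `if (arg_hash_str && arg_hash_str[0] != '\0') {`. The function body continues outside the hunk.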

The way that secure boot is implemented today on NXP ARM platforms does not reuse the elements found in include/config_fsl_chain_trust.h to construct CONFIG_SECBOOT but instead board header files have their environment setup as needed and then fsl_setenv_chain_of_trust() will set secureboot in the environment. Remove a large number of unused defines here.
Cc: Peng Fan peng.fan@nxp.com Signed-off-by: Tom Rini trini@konsulko.com --- arch/arm/include/asm/fsl_secure_boot.h | 71 -------------------------- include/config_fsl_chain_trust.h | 25 --------- 2 files changed, 96 deletions(-)
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 9c9e1dab9a41..a4f4961fc877 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -24,76 +24,6 @@
#endif
-#ifdef CONFIG_ARCH_LS2080A -#define CONFIG_EXTRA_ENV \ - "setenv fdt_high 0xa0000000;" \ - "setenv initrd_high 0xcfffffff;" \ - "setenv hwconfig 'fsl_ddr:ctlr_intlv=null,bank_intlv=null';" -#else -#define CONFIG_EXTRA_ENV \ - "setenv fdt_high 0xffffffff;" \ - "setenv initrd_high 0xffffffff;" \ - "setenv hwconfig 'fsl_ddr:ctlr_intlv=null,bank_intlv=null';" -#endif - -/* Copying Bootscript and Header to DDR from NOR for LS2 and for rest, from - * Non-XIP Memory (Nand/SD)*/ -#if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_FSL_LSCH3) || \ - defined(CONFIG_SD_BOOT) || defined(CONFIG_NAND_BOOT) -#define CONFIG_BOOTSCRIPT_COPY_RAM -#endif -/* The address needs to be modified according to NOR, NAND, SD and - * DDR memory map - */ -#ifdef CONFIG_FSL_LSCH3 -#ifdef CONFIG_QSPI_BOOT -#define CONFIG_BS_ADDR_DEVICE 0x20600000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x20640000 -#else /* NOR BOOT */ -#define CONFIG_BS_ADDR_DEVICE 0x580600000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x580640000 -#endif /*ifdef CONFIG_QSPI_BOOT */ -#define CONFIG_BS_SIZE 0x00001000 -#define CONFIG_BS_HDR_SIZE 0x00004000 -#define CONFIG_BS_ADDR_RAM 0xa0600000 -#define CONFIG_BS_HDR_ADDR_RAM 0xa0640000 -#else -#ifdef CONFIG_SD_BOOT -/* For SD boot address and size are assigned in terms of sector - * offset and no. of sectors respectively. 
- */ -#define CONFIG_BS_ADDR_DEVICE 0x00003000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x00003200 -#define CONFIG_BS_SIZE 0x00000008 -#define CONFIG_BS_HDR_SIZE 0x00000010 -#elif defined(CONFIG_NAND_BOOT) -#define CONFIG_BS_ADDR_DEVICE 0x00600000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x00640000 -#define CONFIG_BS_SIZE 0x00001000 -#define CONFIG_BS_HDR_SIZE 0x00002000 -#elif defined(CONFIG_QSPI_BOOT) -#define CONFIG_BS_ADDR_DEVICE 0x40600000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x40640000 -#define CONFIG_BS_SIZE 0x00001000 -#define CONFIG_BS_HDR_SIZE 0x00002000 -#else /* Default NOR Boot */ -#define CONFIG_BS_ADDR_DEVICE 0x60600000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x60640000 -#define CONFIG_BS_SIZE 0x00001000 -#define CONFIG_BS_HDR_SIZE 0x00002000 -#endif -#define CONFIG_BS_ADDR_RAM 0x81000000 -#define CONFIG_BS_HDR_ADDR_RAM 0x81020000 -#endif - -#ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BOOTSCRIPT_ADDR CONFIG_BS_ADDR_RAM -#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_RAM -#else -#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_DEVICE -/* BOOTSCRIPT_ADDR is not required */ -#endif - #ifdef CONFIG_FSL_LS_PPA /* Define the key hash here if SRK used for signing PPA image is * different from SRK hash put in SFP used for U-Boot. @@ -104,7 +34,6 @@ #define PPA_KEY_HASH NULL #endif /* ifdef CONFIG_FSL_LS_PPA */
-#include <config_fsl_chain_trust.h> #endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h index 3922241be005..dd01e9668941 100644 --- a/include/config_fsl_chain_trust.h +++ b/include/config_fsl_chain_trust.h @@ -10,10 +10,6 @@
#ifdef CONFIG_CHAIN_OF_TRUST
-#ifndef CONFIG_EXTRA_ENV -#define CONFIG_EXTRA_ENV "" -#endif - /* * Control should not reach back to uboot after validation of images * for secure boot flow and therefore bootscript should have @@ -21,14 +17,6 @@ * after validating images, core should just spin. */
-/* - * Define the key hash for boot script here if public/private key pair used to - * sign bootscript are different from the SRK hash put in the fuse - * Example of defining KEY_HASH is - * #define CONFIG_BOOTSCRIPT_KEY_HASH \ - * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" - */ - #ifdef CONFIG_USE_BOOTARGS #define CONFIG_SET_BOOTARGS "setenv bootargs '" CONFIG_BOOTARGS" ';" #else @@ -36,25 +24,12 @@ "rw console=ttyS0,115200 ramdisk_size=600000';" #endif
- -#ifdef CONFIG_BOOTSCRIPT_KEY_HASH #define CONFIG_SECBOOT \ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ CONFIG_SET_BOOTARGS \ - CONFIG_EXTRA_ENV \ - "esbc_validate $bs_hdraddr " \ - __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \ - "source $img_addr;" \ - "esbc_halt\0" -#else -#define CONFIG_SECBOOT \ - "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ - CONFIG_SET_BOOTARGS \ - CONFIG_EXTRA_ENV \ "esbc_validate $bs_hdraddr;" \ "source $img_addr;" \ "esbc_halt\0" -#endif
#ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BS_COPY_ENV \

As things stand currently, there is only one PowerPC platform that enables the options for CHAIN_OF_TRUST. From the board header files, remove a number of never-set options. Remove board specific values from arch/powerpc/include/asm/fsl_secure_boot.h as well. Rework include/config_fsl_chain_trust.h to not abuse the CONFIG namespace for constructing CHAIN_BOOT_CMD. Migrate all of the configurable addresses to Kconfig.
If any platforms are re-introduced with secure boot support, everything required should still be here, but now in Kconfig, or requires migration of an option to Kconfig.
Cc: Peng Fan peng.fan@nxp.com Signed-off-by: Tom Rini trini@konsulko.com --- arch/Kconfig.nxp | 40 +++++++++++++++++++ arch/powerpc/include/asm/fsl_secure_boot.h | 43 +-------------------- board/freescale/common/fsl_chain_of_trust.c | 5 ++- configs/T2080QDS_SECURE_BOOT_defconfig | 1 + include/config_fsl_chain_trust.h | 35 +++++++---------- include/configs/P1010RDB.h | 4 +- include/configs/T104xRDB.h | 8 ---- include/configs/corenet_ds.h | 9 ----- 8 files changed, 61 insertions(+), 84 deletions(-)
diff --git a/arch/Kconfig.nxp b/arch/Kconfig.nxp index 5ec0ee076eb1..7a35560282fb 100644 --- a/arch/Kconfig.nxp +++ b/arch/Kconfig.nxp @@ -74,6 +74,46 @@ config SPL_UBOOT_KEY_HASH 41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b. Otherwise leave this empty.
+if PPC + +config BOOTSCRIPT_COPY_RAM + bool "Secure boot copies boot script to RAM" + help + On systems that support chain of trust booting, a number of addresses + are required to set variables that are used in the copying and then + verification of different parts of the system. If enabled, the subsequent + options are for what location to use in each step. + +config BS_ADDR_DEVICE + hex "Address in RAM for bs_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_SIZE + hex "The size of bs_size which is the amount read from bs_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_ADDR_RAM + hex "Address in RAM for bs_ram" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_ADDR_DEVICE + hex "Address in RAM for bs_hdr_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_SIZE + hex "The size of bs_hdr_size which is the amount read from bs_hdr_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_ADDR_RAM + hex "Address in RAM for bs_hdr_ram" + depends on BOOTSCRIPT_COPY_RAM + +config BOOTSCRIPT_HDR_ADDR + hex "CONFIG_BOOTSCRIPT_HDR_ADDR" + default BS_ADDR_RAM if BOOTSCRIPT_COPY_RAM + +endif + config SYS_FSL_SRK_LE def_bool y depends on ARM diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index c062fa5c191c..a96a1ac5d77e 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -10,19 +10,12 @@ #ifdef CONFIG_NXP_ESBC #if defined(CONFIG_FSL_CORENET) #define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000 -#elif defined(CONFIG_TARGET_BSC9132QDS) -#define CONFIG_SYS_PBI_FLASH_BASE 0xc8000000 -#elif defined(CONFIG_TARGET_C29XPCIE) -#define CONFIG_SYS_PBI_FLASH_BASE 0xcc000000 #else #define CONFIG_SYS_PBI_FLASH_BASE 0xce000000 #endif #define CONFIG_SYS_PBI_FLASH_WINDOW 0xcff80000
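Review bot: `config BOOTSCRIPT_HDR_ADDR` defaults to `BS_ADDR_RAM`, but the header block this replaces had `#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_RAM`. With the new default, `esbc_validate $bs_hdraddr` points at the boot script rather than its header whenever BOOTSCRIPT_COPY_RAM is enabled and the value is not overridden. The line should read `default BS_HDR_ADDR_RAM if BOOTSCRIPT_COPY_RAM`. The six `hex` options have no `default` and drop the values the removed header supplied (0x00010000, 0x00800000, 0x00002000, 0x00012000, 0x00802000, 0x00001000). The prompts for `BS_ADDR_DEVICE` and `BS_HDR_ADDR_DEVICE` say "Address in RAM" although the copy commands use them as the source on the boot device. Carrying the old values over as defaults and correcting the two prompts, along with a real prompt and help text for `BOOTSCRIPT_HDR_ADDR`, would keep a newly enabled configuration from validating at an unintended address.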
-#if defined(CONFIG_TARGET_B4860QDS) || \ - defined(CONFIG_TARGET_B4420QDS) || \ - defined(CONFIG_TARGET_T4240QDS) || \ - defined(CONFIG_TARGET_T2080QDS) || \ +#if defined(CONFIG_TARGET_T2080QDS) || \ defined(CONFIG_TARGET_T2080RDB) || \ defined(CONFIG_TARGET_T1042RDB) || \ defined(CONFIG_TARGET_T1042D4RDB) || \ @@ -78,40 +71,6 @@ #endif /* ifdef CONFIG_SPL_BUILD */
#ifndef CONFIG_SPL_BUILD -/* - * fsl_setenv_chain_of_trust() must be called from - * board_late_init() - */ - -/* If Boot Script is not on NOR and is required to be copied on RAM */ -#ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BS_HDR_ADDR_RAM 0x00010000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x00800000 -#define CONFIG_BS_HDR_SIZE 0x00002000 -#define CONFIG_BS_ADDR_RAM 0x00012000 -#define CONFIG_BS_ADDR_DEVICE 0x00802000 -#define CONFIG_BS_SIZE 0x00001000 - -#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_RAM -#else - -/* The bootscript header address is different for B4860 because the NOR - * mapping is different on B4 due to reduced NOR size. - */ -#if defined(CONFIG_TARGET_B4860QDS) || defined(CONFIG_TARGET_B4420QDS) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xecc00000 -#elif defined(CONFIG_FSL_CORENET) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xe8e00000 -#elif defined(CONFIG_TARGET_BSC9132QDS) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x88020000 -#elif defined(CONFIG_TARGET_C29XPCIE) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xec020000 -#else -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000 -#endif - -#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ - #include <config_fsl_chain_trust.h> #endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index 7ffb315bc935..d31fb821817c 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c @@ -12,6 +12,7 @@ #include <fsl_sfp.h> #include <log.h> #include <dm/root.h> +#include <asm/fsl_secure_boot.h>
#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK) #include <spl.h> @@ -76,14 +77,14 @@ int fsl_setenv_chain_of_trust(void)
/* If Boot mode is Secure, set the environment variables * bootdelay = 0 (To disable Boot Prompt) - * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) + * bootcmd = CHAIN_BOOT_CMD (Validate and execute Boot script) */ env_set("bootdelay", "-2");
#ifdef CONFIG_ARM env_set("secureboot", "y"); #else - env_set("bootcmd", CONFIG_CHAIN_BOOT_CMD); + env_set("bootcmd", CHAIN_BOOT_CMD); #endif
return 0; diff --git a/configs/T2080QDS_SECURE_BOOT_defconfig b/configs/T2080QDS_SECURE_BOOT_defconfig index eebe06f8b5b4..4454377a6cb9 100644 --- a/configs/T2080QDS_SECURE_BOOT_defconfig +++ b/configs/T2080QDS_SECURE_BOOT_defconfig @@ -7,6 +7,7 @@ CONFIG_MPC85xx=y CONFIG_TARGET_T2080QDS=y CONFIG_MPC85XX_HAVE_RESET_VECTOR=y CONFIG_ENABLE_36BIT_PHYS=y +CONFIG_BOOTSCRIPT_HDR_ADDR=0xee020000 CONFIG_FSL_USE_PCA9547_MUX=y CONFIG_VID=y CONFIG_VID_FLS_ENV="t208xqds_vdd_mv" diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h index dd01e9668941..380c906ba834 100644 --- a/include/config_fsl_chain_trust.h +++ b/include/config_fsl_chain_trust.h @@ -18,21 +18,21 @@ */
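Review bot: The return value of `env_set("bootcmd", CHAIN_BOOT_CMD)` is discarded and fsl_setenv_chain_of_trust() then reaches `return 0`. A failed write would therefore leave the existing `bootcmd` in the environment while the caller is told the secure-boot environment is in place. On non-ARM builds this line is what installs the validate-then-source sequence, so the failure should be propagated, e.g. `if (env_set("bootcmd", CHAIN_BOOT_CMD)) return -1;`, and the `bootdelay` and `secureboot` calls are worth treating the same way. How callers react to a non-zero return is not visible here, and the function begins outside the hunk.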
#ifdef CONFIG_USE_BOOTARGS -#define CONFIG_SET_BOOTARGS "setenv bootargs '" CONFIG_BOOTARGS" ';" +#define SET_BOOTARGS "setenv bootargs '" CONFIG_BOOTARGS" ';" #else -#define CONFIG_SET_BOOTARGS "setenv bootargs 'root=/dev/ram " \ +#define SET_BOOTARGS "setenv bootargs 'root=/dev/ram " \ "rw console=ttyS0,115200 ramdisk_size=600000';" #endif
-#define CONFIG_SECBOOT \ +#define SECBOOT \ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ - CONFIG_SET_BOOTARGS \ + SET_BOOTARGS \ "esbc_validate $bs_hdraddr;" \ "source $img_addr;" \ "esbc_halt\0"
#ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BS_COPY_ENV \ +#define BS_COPY_ENV \ "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \ "setenv bs_hdr_device " __stringify(CONFIG_BS_HDR_ADDR_DEVICE)";" \ "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \ @@ -43,33 +43,28 @@ /* For secure boot flow, default environment used will be used */ #if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_NAND_BOOT) || \ defined(CONFIG_SD_BOOT) -#if defined(CONFIG_RAMBOOT_NAND) || defined(CONFIG_NAND_BOOT) -#define CONFIG_BS_COPY_CMD \ +#if defined(CONFIG_NAND_BOOT) +#define BS_COPY_CMD \ "nand read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "nand read $bs_ram $bs_device $bs_size ;" #elif defined(CONFIG_SD_BOOT) -#define CONFIG_BS_COPY_CMD \ +#define BS_COPY_CMD \ "mmc read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "mmc read $bs_ram $bs_device $bs_size ;" #endif #else -#define CONFIG_BS_COPY_CMD \ +#define BS_COPY_CMD \ "cp.b $bs_hdr_device $bs_hdr_ram $bs_hdr_size ;" \ "cp.b $bs_device $bs_ram $bs_size ;" #endif +#else /* !CONFIG_BOOTSCRIPT_COPY_RAM */ +#define BS_COPY_ENV +#define BS_COPY_CMD #endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
-#ifndef CONFIG_BS_COPY_ENV -#define CONFIG_BS_COPY_ENV -#endif - -#ifndef CONFIG_BS_COPY_CMD -#define CONFIG_BS_COPY_CMD -#endif - -#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \ - CONFIG_BS_COPY_CMD \ - CONFIG_SECBOOT +#define CHAIN_BOOT_CMD BS_COPY_ENV \ + BS_COPY_CMD \ + SECBOOT
#endif #endif diff --git a/include/configs/P1010RDB.h b/include/configs/P1010RDB.h index 200b88050cc7..19aebb810c7b 100644 --- a/include/configs/P1010RDB.h +++ b/include/configs/P1010RDB.h @@ -53,7 +53,6 @@ #endif
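Review bot: With `CONFIG_BOOTSCRIPT_COPY_RAM` enabled, `BS_COPY_CMD` is left undefined when `CONFIG_SYS_RAMBOOT` is set but neither `CONFIG_NAND_BOOT` nor `CONFIG_SD_BOOT` is. The inner `#if`/`#elif` has no `#else`, and the old `#ifndef CONFIG_BS_COPY_CMD` fallback now exists only in the `!CONFIG_BOOTSCRIPT_COPY_RAM` branch. include/configs/P1010RDB.h in this same patch still derives `CONFIG_SYS_RAMBOOT` from `CONFIG_RAMBOOT_SDCARD` / `CONFIG_RAMBOOT_SPIFLASH`, so the combination looks reachable. Failing the build is better than the previous behaviour of silently emitting no copy command and validating whatever is already at the RAM address, but it should be explicit. Add `#else` followed by `#error "BOOTSCRIPT_COPY_RAM: no copy command for this boot source"` before the inner `#endif`.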
#ifdef CONFIG_NAND_SECBOOT /* NAND Boot */ -#define CONFIG_RAMBOOT_NAND #define CONFIG_RESET_VECTOR_ADDRESS 0x110bfffc #endif
@@ -348,8 +347,7 @@ extern unsigned long get_sdram_size(void); FTIM2_GPCM_TWP(0x1f)) #define CONFIG_SYS_CS3_FTIM3 0x0
-#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH) || \ - defined(CONFIG_RAMBOOT_NAND) +#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH) #define CONFIG_SYS_RAMBOOT #else #undef CONFIG_SYS_RAMBOOT diff --git a/include/configs/T104xRDB.h b/include/configs/T104xRDB.h index f1738b32c5d6..1c2052608ec5 100644 --- a/include/configs/T104xRDB.h +++ b/include/configs/T104xRDB.h @@ -66,14 +66,6 @@ #define CONFIG_PCIE3 /* PCIE controller 3 */ #define CONFIG_PCIE4 /* PCIE controller 4 */
-#if defined(CONFIG_SPIFLASH) -#elif defined(CONFIG_MTD_RAW_NAND) -#ifdef CONFIG_NXP_ESBC -#define CONFIG_RAMBOOT_NAND -#define CONFIG_BOOTSCRIPT_COPY_RAM -#endif -#endif - /* * These can be toggled for performance analysis, otherwise use default. */ diff --git a/include/configs/corenet_ds.h b/include/configs/corenet_ds.h index 51bc772e2386..6a4fd90ded9a 100644 --- a/include/configs/corenet_ds.h +++ b/include/configs/corenet_ds.h @@ -15,17 +15,8 @@ #include "../board/freescale/common/ics307_clk.h"
#ifdef CONFIG_RAMBOOT_PBL -#ifdef CONFIG_NXP_ESBC #define CONFIG_RAMBOOT_TEXT_BASE CONFIG_SYS_TEXT_BASE #define CONFIG_RESET_VECTOR_ADDRESS 0xfffffffc -#ifdef CONFIG_MTD_RAW_NAND -#define CONFIG_RAMBOOT_NAND -#endif -#define CONFIG_BOOTSCRIPT_COPY_RAM -#else -#define CONFIG_RAMBOOT_TEXT_BASE CONFIG_SYS_TEXT_BASE -#define CONFIG_RESET_VECTOR_ADDRESS 0xfffffffc -#endif #endif
#ifdef CONFIG_SRIO_PCIE_BOOT_SLAVE

On Fri, Jun 17, 2022 at 04:24:31PM -0400, Tom Rini wrote:
Make all of the CHAIN_OF_TRUST options be under a single menu and add a comment for the rest, so the resulting config file reads more clearly. Remove duplicate CHAIN_OF_TRUST options from board/congatec/common/Kconfig. Remove duplicate NXP_ESBC config questions and move to arch/Kconfig.nxp.
Signed-off-by: Tom Rini trini@konsulko.com
For the series, applied to u-boot/next, thanks!