[U-Boot] [PATCH 1/2] board: ls1043ardb: move sec_init to board_init

sec_init() which was earlier called in misc_init_r() is now done in board_init() before PPA init as SEC block will be used during PPA image validation.
Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
---
The patchset is dependent on http://patchwork.ozlabs.org/patch/571339/

 board/freescale/ls1043ardb/ls1043ardb.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/board/freescale/ls1043ardb/ls1043ardb.c b/board/freescale/ls1043ardb/ls1043ardb.c index eff09aa..aa2c962 100644 --- a/board/freescale/ls1043ardb/ls1043ardb.c +++ b/board/freescale/ls1043ardb/ls1043ardb.c @@ -117,6 +117,23 @@ int board_init(void) enable_layerscape_ns_access(); #endif
+#ifdef CONFIG_SECURE_BOOT + /* In case of Secure Boot, the IBR configures the SMMU + * to allow only Secure transactions. + * SMMU must be reset in bypass mode. + * Set the ClientPD bit and Clear the USFCFG Bit + */ + u32 val; + val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_SCR0, val); + val = (in_le32(SMMU_NSCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_NSCR0, val); +#endif + +#ifdef CONFIG_FSL_CAAM + sec_init(); +#endif + #ifdef CONFIG_FSL_LS_PPA ppa_init_pre(&ppa_entry);
@@ -136,21 +153,6 @@ int config_board_mux(void) int misc_init_r(void) { config_board_mux(); -#ifdef CONFIG_SECURE_BOOT - /* In case of Secure Boot, the IBR configures the SMMU - * to allow only Secure transactions. - * SMMU must be reset in bypass mode. - * Set the ClientPD bit and Clear the USFCFG Bit - */ - u32 val; - val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); - out_le32(SMMU_SCR0, val); - val = (in_le32(SMMU_NSCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); - out_le32(SMMU_NSCR0, val); -#endif -#ifdef CONFIG_FSL_CAAM - return sec_init(); -#endif return 0; } #endif
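Review bot: In the board_init() hunk the return value of sec_init() is now discarded, whereas the code removed from misc_init_r() did `return sec_init();`. The commit message says the SEC block is used during PPA image validation, so a failed SEC initialisation should be checked and propagated from board_init() before ppa_init_pre() runs, instead of letting validation proceed on a block that did not come up. Separately, `u32 val;` is now declared after executable statements inside the CONFIG_SECURE_BOOT block; move the declaration to the top of board_init() or wrap the SMMU sequence in its own scope.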

As part of Secure Boot Chain of trust, PPA image must be validated before the image is started. The code for the same has been added.
Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
---
The patchset is dependent on http://patchwork.ozlabs.org/patch/571339/

 arch/arm/cpu/armv8/fsl-layerscape/ppa.c | 22 ++++++++++++++++++++++
 arch/arm/include/asm/fsl_secure_boot.h  | 16 ++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c index db767f9..804c4d7 100644 --- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c +++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c @@ -18,6 +18,9 @@ #include <asm/arch/immap_lsch2.h> #endif #include <asm/arch/ppa.h> +#ifdef CONFIG_CHAIN_OF_TRUST +#include <fsl_validate.h> +#endif
DECLARE_GLOBAL_DATA_PTR;
@@ -69,12 +72,31 @@ static int parse_ppa_firmware_fit_image(const void **raw_image_addr, int conf_node_off, fw_node_off; char *conf_node_name = NULL;
+#ifdef CONFIG_CHAIN_OF_TRUST + int ret; + uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR; + uintptr_t ppa_img_addr = 0; +#endif + #ifdef CONFIG_SYS_LS_PPA_FW_IN_NOR fit_hdr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR; #else #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined" #endif
+#ifdef CONFIG_CHAIN_OF_TRUST + ppa_img_addr = (uintptr_t)fit_hdr; + if (fsl_check_boot_mode_secure() != 0) { + ret = fsl_secboot_validate(ppa_esbc_hdr, + CONFIG_PPA_KEY_HASH, + &ppa_img_addr); + if (ret != 0) + printf("PPA validation failed\n"); + else + printf("PPA validation Successful\n"); + } +#endif + conf_node_name = LS_PPA_FIT_CNF_NAME;
if (fdt_check_header(fit_hdr)) { diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 0da0599..d275dd1 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -56,6 +56,22 @@ /* The address needs to be modified according to NOR memory map */ #define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_NOR +#ifdef CONFIG_LS1043A +#define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x600c0000 +#endif +#else +#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined" +#endif + +/* Define the key hash here if SRK used for signing PPA image is + * different from SRK hash put in SFP used for U-Boot. + * Example + * #define CONFIG_PPA_KEY_HASH \ + * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" + */ +#define CONFIG_PPA_KEY_HASH NULL + #include <config_fsl_chain_trust.h> #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif
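Review bot: In parse_ppa_firmware_fit_image(), a non-zero return from fsl_secboot_validate() only leads to `printf("PPA validation failed\n");` and execution then falls through to the FIT parsing that follows, which does not match the stated goal that the PPA image must be validated before it is started. Unless fsl_secboot_validate() is guaranteed not to return on failure, return an error from this function when `ret != 0` so the caller cannot go on to load the image; if it is guaranteed, state that in a comment next to the check. ppa_img_addr is passed by pointer but never read again in this hunk, so document whether the validated address can differ from fit_hdr. In fsl_secure_boot.h, CONFIG_SYS_LS_PPA_ESBC_ADDR is defined only under CONFIG_LS1043A, so another SoC with CONFIG_SYS_LS_PPA_FW_IN_NOR set would hit an undefined symbol in ppa.c rather than a clear #error.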

On 02/23/2016 01:32 AM, Aneesh Bansal wrote:
> sec_init() which was earlier called in misc_init_r() is now done in board_init() before PPA init as SEC block will be used during PPA image validation.
>
> Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
> ---
> The patchset is dependent on http://patchwork.ozlabs.org/patch/571339/
>
>  board/freescale/ls1043ardb/ls1043ardb.c | 32 +++++++++++++++++---------------
>  1 file changed, 17 insertions(+), 15 deletions(-)

Aneesh,
The dependence patch has been merged. Please rebase and reverify your patch set. Thanks.
York
participants (2): Aneesh Bansal, york sun