[PATCH v12 00/13] fpga: zynqmp: Adding support of loading authenticated images
This patchset introduces support for the authenticated and encrypted FPGA images on ZynqMP boards, besides that introducing common way to pass the compatible property to any fpga driver.
It bases on the initial work by Jorge Ramirez-Ortiz jorge@foundries.io https://patchwork.ozlabs.org/project/uboot/patch/20211015091506.2602-1-jorge... https://patchwork.ozlabs.org/project/uboot/patch/20211005111324.19749-3-jorg...
Changes in v12: - define the function only if FPGA_LOAD_SECURE enabled; - convert "compatible" to flags only if FPGA_LOAD_SECURE enabled; - fix a commit message - remove obsolete debug() message - exclude all secure-related code if FPGA_LOAD_SECURE is disabled - reduce the size of SPL if FPGA_LOAD_SECURE disabled.
Changes in v11: - Fix treating an incoming FPGA image with empty flags parameter as legacy. - add Tested-by records.
Changes in v10: - move FPGA flags to macros; - initialize xilinx_desc structs directly, removing *_DESC macros; - initialize flags for mach-zynq; - fix mixed types of return value; - made the message about ignoring legacy compatibe option as debug; - fix grammar - Support DDR images only if FPGA_LOAD_SECURE enabled. - Support ENC images only if FPGA_LOAD_SECURE enabled.
Changes in v9: - remove an alien commit from a patchset :)
Changes in v8: - Michal Simek's suggestions addressed: -- introduce the compatible flags in xilinx_desc; -- pass a binary compatible flag instead of "compatible" property to an FPGA driver. - Optimize a zynqmp_load() function.
Changes in v7: - apply Michal Simek's suggestions As I applied changes on Oleksandr's patches, I indicated it by specifying myself as co-author in the commits logs. I am not sure if that is the convention of marking it.
Changes in v6: - add support for the encrypted bitfiles.
Changes in v5: - replace ifdef with if() where it's possible.
Changes in v4: - change interface to xilinx_desc->operations->open() callback. - fix a bug from previous version of the patchset in dereferencing of a parent fpga_desc structure.
Changes in v3: - remove the patch which introduced CMD_SPL_FPGA_LOAD_SECURE. - fix mixing definitions/declarations. - replace strcmp() calls with more secure strncmp(). - document the "u-boot,zynqmp-fpga-ddrauth" compatible string. - fix code style by check-patch recommendations.
Changes in v2: - add function fit_fpga_load() to simplify calls of fpga_load() from contexts without a compatible attribute. - move all ZynqMP-specific logic to drivers/fpga/zynqmppl.c - prepare for passing a "compatible" FDT property to any fpga driver.
Adrian Fiergolski (1): fpga: zynqmp: support loading encrypted bitfiles
Oleksandr Suvorov (12): fpga: add option for loading FPGA secure bitstreams fpga: xilinx: add missed identifier names fpga: xilinx: add bitstream flags to driver desc fpga: zynqmp: add str2flags call fpga: xilinx: pass compatible flags to xilinx_load() fpga: pass compatible flags to fpga_load() fpga: add fpga_compatible2flag spl: fit: pass real compatible flags to fpga_load() fpga: xilinx: pass compatible flags to load() callback fpga: zynqmp: reduce zynqmppl_load() code fpga: zynqmp: add bitstream compatible checking fpga: zynqmp: support loading authenticated images
arch/arm/mach-zynq/cpu.c | 1 + board/xilinx/versal/board.c | 5 +- board/xilinx/zynqmp/zynqmp.c | 5 +- boot/Kconfig | 4 +- boot/image-board.c | 4 +- cmd/Kconfig | 3 +- cmd/fpga.c | 8 +-- common/spl/spl_fit.c | 17 +++-- doc/uImage.FIT/source_file_format.txt | 7 +- drivers/fpga/Kconfig | 14 ++++ drivers/fpga/fpga.c | 33 ++++++++- drivers/fpga/spartan2.c | 2 +- drivers/fpga/spartan3.c | 2 +- drivers/fpga/versalpl.c | 2 +- drivers/fpga/virtex2.c | 2 +- drivers/fpga/xilinx.c | 8 +-- drivers/fpga/zynqmppl.c | 99 ++++++++++++++++++++++----- drivers/fpga/zynqpl.c | 2 +- include/fpga.h | 4 +- include/versalpl.h | 3 - include/xilinx.h | 21 ++++-- include/zynqmppl.h | 9 ++- 22 files changed, 199 insertions(+), 56 deletions(-)
It allows using this feature without enabling the "fpga loads" command.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Co-developed-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com Signed-off-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
(no changes since v1)
cmd/Kconfig | 3 ++- drivers/fpga/Kconfig | 14 ++++++++++++++ drivers/fpga/fpga.c | 2 +- drivers/fpga/xilinx.c | 2 +- drivers/fpga/zynqmppl.c | 4 ++-- 5 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/cmd/Kconfig b/cmd/Kconfig index d5f842136cf..cefeca018d2 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -1036,8 +1036,9 @@ config CMD_FPGA_LOADP a partial bitstream.
config CMD_FPGA_LOAD_SECURE - bool "fpga loads - loads secure bitstreams (Xilinx only)" + bool "fpga loads - loads secure bitstreams" depends on CMD_FPGA + select FPGA_LOAD_SECURE help Enables the fpga loads command which is used to load secure (authenticated or encrypted or both) bitstreams on to FPGA. diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig index 76719517f54..4561ee72dd0 100644 --- a/drivers/fpga/Kconfig +++ b/drivers/fpga/Kconfig @@ -91,4 +91,18 @@ config FPGA_ZYNQPL Enable FPGA driver for loading bitstream in BIT and BIN format on Xilinx Zynq devices.
+config FPGA_LOAD_SECURE + bool "Enable loading secure bitstreams" + depends on FPGA + help + Enables the fpga loads() functions that are used to load secure + (authenticated or encrypted or both) bitstreams on to FPGA. + +config SPL_FPGA_LOAD_SECURE + bool "Enable loading secure bitstreams for SPL" + depends on SPL_FPGA + help + Enables the fpga loads() functions that are used to load secure + (authenticated or encrypted or both) bitstreams on to FPGA. + endmenu diff --git a/drivers/fpga/fpga.c b/drivers/fpga/fpga.c index fe3dfa12335..3b0a44b2420 100644 --- a/drivers/fpga/fpga.c +++ b/drivers/fpga/fpga.c @@ -220,7 +220,7 @@ int fpga_fsload(int devnum, const void *buf, size_t size, } #endif
-#if defined(CONFIG_CMD_FPGA_LOAD_SECURE) +#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) int fpga_loads(int devnum, const void *buf, size_t size, struct fpga_secure_info *fpga_sec_info) { diff --git a/drivers/fpga/xilinx.c b/drivers/fpga/xilinx.c index cbebefb55fe..6bc1bc491fb 100644 --- a/drivers/fpga/xilinx.c +++ b/drivers/fpga/xilinx.c @@ -172,7 +172,7 @@ int xilinx_loadfs(xilinx_desc *desc, const void *buf, size_t bsize, } #endif
-#if defined(CONFIG_CMD_FPGA_LOAD_SECURE) +#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) int xilinx_loads(xilinx_desc *desc, const void *buf, size_t bsize, struct fpga_secure_info *fpga_sec_info) { diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index 6b394869dbf..8ff12bf50a0 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -245,7 +245,7 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, return ret; }
-#if defined(CONFIG_CMD_FPGA_LOAD_SECURE) && !defined(CONFIG_SPL_BUILD) +#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) static int zynqmp_loads(xilinx_desc *desc, const void *buf, size_t bsize, struct fpga_secure_info *fpga_sec_info) { @@ -306,7 +306,7 @@ static int zynqmp_pcap_info(xilinx_desc *desc)
struct xilinx_fpga_op zynqmp_op = { .load = zynqmp_load, -#if defined(CONFIG_CMD_FPGA_LOAD_SECURE) && !defined(CONFIG_SPL_BUILD) +#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) .loads = zynqmp_loads, #endif .info = zynqmp_pcap_info,
Function definition arguments should also have identifier names. Add missed ones to struct xilinx_fpga_op callbacks, unifying code.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
(no changes since v1)
include/xilinx.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/include/xilinx.h b/include/xilinx.h index ab4537becfa..362943bc717 100644 --- a/include/xilinx.h +++ b/include/xilinx.h @@ -48,12 +48,14 @@ typedef struct { /* typedef xilinx_desc */ } xilinx_desc; /* end, typedef xilinx_desc */
struct xilinx_fpga_op { - int (*load)(xilinx_desc *, const void *, size_t, bitstream_type); - int (*loadfs)(xilinx_desc *, const void *, size_t, fpga_fs_info *); + int (*load)(xilinx_desc *desc, const void *buf, size_t bsize, + bitstream_type bstype); + int (*loadfs)(xilinx_desc *desc, const void *buf, size_t bsize, + fpga_fs_info *fpga_fsinfo); int (*loads)(xilinx_desc *desc, const void *buf, size_t bsize, struct fpga_secure_info *fpga_sec_info); - int (*dump)(xilinx_desc *, const void *, size_t); - int (*info)(xilinx_desc *); + int (*dump)(xilinx_desc *desc, const void *buf, size_t bsize); + int (*info)(xilinx_desc *desc); };
/* Generic Xilinx Functions
Store a set of supported bitstream types in xilinx_desc structure. It will be used to determine whether an FPGA image is able to be loaded with a given driver.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
(no changes since v10)
Changes in v10: - move FPGA flags to macros; - initialize xilinx_desc structs directly, removing *_DESC macros; - initialize flags for mach-zynq;
arch/arm/mach-zynq/cpu.c | 1 + board/xilinx/versal/board.c | 5 ++++- board/xilinx/zynqmp/zynqmp.c | 5 ++++- include/versalpl.h | 3 --- include/xilinx.h | 4 ++++ include/zynqmppl.h | 3 +-- 6 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/arch/arm/mach-zynq/cpu.c b/arch/arm/mach-zynq/cpu.c index 69b818f24b8..ac595ee0a27 100644 --- a/arch/arm/mach-zynq/cpu.c +++ b/arch/arm/mach-zynq/cpu.c @@ -22,6 +22,7 @@ xilinx_desc fpga = { .family = xilinx_zynq, .iface = devcfg, .operations = &zynq_op, + .flags = FPGA_LEGACY, }; #endif
diff --git a/board/xilinx/versal/board.c b/board/xilinx/versal/board.c index 81663e0cd0e..d8f39be56c8 100644 --- a/board/xilinx/versal/board.c +++ b/board/xilinx/versal/board.c @@ -27,7 +27,10 @@ DECLARE_GLOBAL_DATA_PTR;
#if defined(CONFIG_FPGA_VERSALPL) -static xilinx_desc versalpl = XILINX_VERSAL_DESC; +static xilinx_desc versalpl = { + xilinx_versal, csu_dma, 1, &versal_op, 0, &versal_op, NULL, + FPGA_LEGACY +}; #endif
int board_init(void) diff --git a/board/xilinx/zynqmp/zynqmp.c b/board/xilinx/zynqmp/zynqmp.c index 106c3953e1f..3faa3a00fc9 100644 --- a/board/xilinx/zynqmp/zynqmp.c +++ b/board/xilinx/zynqmp/zynqmp.c @@ -48,7 +48,10 @@ DECLARE_GLOBAL_DATA_PTR;
#if CONFIG_IS_ENABLED(FPGA) && defined(CONFIG_FPGA_ZYNQMPPL) -static xilinx_desc zynqmppl = XILINX_ZYNQMP_DESC; +static xilinx_desc zynqmppl = { + xilinx_zynqmp, csu_dma, 1, &zynqmp_op, 0, &zynqmp_op, NULL, + ZYNQMP_FPGA_FLAGS +}; #endif
int __maybe_unused psu_uboot_init(void) diff --git a/include/versalpl.h b/include/versalpl.h index b94c82e6e66..0cc101be2f8 100644 --- a/include/versalpl.h +++ b/include/versalpl.h @@ -14,7 +14,4 @@
extern struct xilinx_fpga_op versal_op;
-#define XILINX_VERSAL_DESC \ -{ xilinx_versal, csu_dma, 1, &versal_op, 0, &versal_op } - #endif /* _VERSALPL_H_ */ diff --git a/include/xilinx.h b/include/xilinx.h index 362943bc717..d9e4b8da968 100644 --- a/include/xilinx.h +++ b/include/xilinx.h @@ -37,6 +37,9 @@ typedef enum { /* typedef xilinx_family */ max_xilinx_type /* insert all new types before this */ } xilinx_family; /* end, typedef xilinx_family */
+/* FPGA bitstream supported types */ +#define FPGA_LEGACY BIT(0) + typedef struct { /* typedef xilinx_desc */ xilinx_family family; /* part type */ xilinx_iface iface; /* interface type */ @@ -45,6 +48,7 @@ typedef struct { /* typedef xilinx_desc */ int cookie; /* implementation specific cookie */ struct xilinx_fpga_op *operations; /* operations */ char *name; /* device name in bitstream */ + int flags; /* compatible flags */ } xilinx_desc; /* end, typedef xilinx_desc */
struct xilinx_fpga_op { diff --git a/include/zynqmppl.h b/include/zynqmppl.h index 35cfe17d444..8401a850afb 100644 --- a/include/zynqmppl.h +++ b/include/zynqmppl.h @@ -25,7 +25,6 @@
extern struct xilinx_fpga_op zynqmp_op;
-#define XILINX_ZYNQMP_DESC \ -{ xilinx_zynqmp, csu_dma, 1, &zynqmp_op, 0, &zynqmp_op } +#define ZYNQMP_FPGA_FLAGS (FPGA_LEGACY)
#endif /* _ZYNQMPPL_H_ */
Add a call to convert FPGA "compatible" string to a binary flag.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
(no changes since v1)
drivers/fpga/zynqmppl.c | 11 ++++++++++- include/xilinx.h | 3 +++ 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index 8ff12bf50a0..19d079c9d9f 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -304,10 +304,19 @@ static int zynqmp_pcap_info(xilinx_desc *desc) return ret; }
+static int __maybe_unused zynqmp_str2flag(xilinx_desc *desc, const char *str) +{ + if (!strncmp(str, "u-boot,fpga-legacy", 18)) + return FPGA_LEGACY; + + return 0; +} + struct xilinx_fpga_op zynqmp_op = { .load = zynqmp_load, + .info = zynqmp_pcap_info, #if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) .loads = zynqmp_loads, + .str2flag = zynqmp_str2flag, #endif - .info = zynqmp_pcap_info, }; diff --git a/include/xilinx.h b/include/xilinx.h index d9e4b8da968..ff5486d98a7 100644 --- a/include/xilinx.h +++ b/include/xilinx.h @@ -60,6 +60,9 @@ struct xilinx_fpga_op { struct fpga_secure_info *fpga_sec_info); int (*dump)(xilinx_desc *desc, const void *buf, size_t bsize); int (*info)(xilinx_desc *desc); +#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) + int (*str2flag)(xilinx_desc *desc, const char *string); +#endif };
/* Generic Xilinx Functions
This flag is used to check whether a Xilinx FPGA driver is able to load a particular FPGA bitstream image.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
(no changes since v1)
drivers/fpga/fpga.c | 2 +- drivers/fpga/xilinx.c | 2 +- include/xilinx.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/fpga/fpga.c b/drivers/fpga/fpga.c index 3b0a44b2420..efbac9f0c47 100644 --- a/drivers/fpga/fpga.c +++ b/drivers/fpga/fpga.c @@ -263,7 +263,7 @@ int fpga_load(int devnum, const void *buf, size_t bsize, bitstream_type bstype) case fpga_xilinx: #if defined(CONFIG_FPGA_XILINX) ret_val = xilinx_load(desc->devdesc, buf, bsize, - bstype); + bstype, 0); #else fpga_no_sup((char *)__func__, "Xilinx devices"); #endif diff --git a/drivers/fpga/xilinx.c b/drivers/fpga/xilinx.c index 6bc1bc491fb..5dd721575ec 100644 --- a/drivers/fpga/xilinx.c +++ b/drivers/fpga/xilinx.c @@ -139,7 +139,7 @@ int fpga_loadbitstream(int devnum, char *fpgadata, size_t size, }
int xilinx_load(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype) + bitstream_type bstype, int flags) { if (!xilinx_validate (desc, (char *)__FUNCTION__)) { printf ("%s: Invalid device descriptor\n", __FUNCTION__); diff --git a/include/xilinx.h b/include/xilinx.h index ff5486d98a7..0bbf14d8a1d 100644 --- a/include/xilinx.h +++ b/include/xilinx.h @@ -68,7 +68,7 @@ struct xilinx_fpga_op { /* Generic Xilinx Functions *********************************************************************/ int xilinx_load(xilinx_desc *desc, const void *image, size_t size, - bitstream_type bstype); + bitstream_type bstype, int flags); int xilinx_dump(xilinx_desc *desc, const void *buf, size_t bsize); int xilinx_info(xilinx_desc *desc); int xilinx_loadfs(xilinx_desc *desc, const void *buf, size_t bsize,
These flags may be used to check whether an FPGA driver is able to load a particular FPGA bitstream image.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
(no changes since v1)
boot/image-board.c | 4 ++-- cmd/fpga.c | 8 ++++---- common/spl/spl_fit.c | 6 ++++-- drivers/fpga/fpga.c | 5 +++-- drivers/fpga/xilinx.c | 2 +- include/fpga.h | 2 +- 6 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/boot/image-board.c b/boot/image-board.c index cfc1c658e3a..9110617be26 100644 --- a/boot/image-board.c +++ b/boot/image-board.c @@ -703,14 +703,14 @@ int boot_get_fpga(int argc, char *const argv[], bootm_headers_t *images, img_len, BIT_FULL); if (err) err = fpga_load(devnum, (const void *)img_data, - img_len, BIT_FULL); + img_len, BIT_FULL, 0); } else { name = "partial"; err = fpga_loadbitstream(devnum, (char *)img_data, img_len, BIT_PARTIAL); if (err) err = fpga_load(devnum, (const void *)img_data, - img_len, BIT_PARTIAL); + img_len, BIT_PARTIAL, 0); }
if (err) diff --git a/cmd/fpga.c b/cmd/fpga.c index 3fdd0b35e80..c4651dd403e 100644 --- a/cmd/fpga.c +++ b/cmd/fpga.c @@ -178,7 +178,7 @@ static int do_fpga_load(struct cmd_tbl *cmdtp, int flag, int argc, if (ret) return ret;
- return fpga_load(dev, (void *)fpga_data, data_size, BIT_FULL); + return fpga_load(dev, (void *)fpga_data, data_size, BIT_FULL, 0); }
static int do_fpga_loadb(struct cmd_tbl *cmdtp, int flag, int argc, @@ -209,7 +209,7 @@ static int do_fpga_loadp(struct cmd_tbl *cmdtp, int flag, int argc, if (ret) return ret;
- return fpga_load(dev, (void *)fpga_data, data_size, BIT_PARTIAL); + return fpga_load(dev, (void *)fpga_data, data_size, BIT_PARTIAL, 0); } #endif
@@ -315,7 +315,7 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc, data_size = image_get_data_size(hdr); } return fpga_load(dev, (void *)data, data_size, - BIT_FULL); + BIT_FULL, 0); } #endif #if defined(CONFIG_FIT) @@ -355,7 +355,7 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc, return CMD_RET_FAILURE; }
- return fpga_load(dev, fit_data, data_size, BIT_FULL); + return fpga_load(dev, fit_data, data_size, BIT_FULL, 0); } #endif default: diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index 1bbf824684a..3c5a91916cc 100644 --- a/common/spl/spl_fit.c +++ b/common/spl/spl_fit.c @@ -581,6 +581,8 @@ static int spl_fit_upload_fpga(struct spl_fit_info *ctx, int node, { const char *compatible; int ret; + int devnum = 0; + int flags = 0;
debug("FPGA bitstream at: %x, size: %x\n", (u32)fpga_image->load_addr, fpga_image->size); @@ -591,8 +593,8 @@ static int spl_fit_upload_fpga(struct spl_fit_info *ctx, int node, else if (strcmp(compatible, "u-boot,fpga-legacy")) printf("Ignoring compatible = %s property\n", compatible);
- ret = fpga_load(0, (void *)fpga_image->load_addr, fpga_image->size, - BIT_FULL); + ret = fpga_load(devnum, (void *)fpga_image->load_addr, + fpga_image->size, BIT_FULL, flags); if (ret) { printf("%s: Cannot load the image to the FPGA\n", __func__); return ret; diff --git a/drivers/fpga/fpga.c b/drivers/fpga/fpga.c index efbac9f0c47..185bd547cb5 100644 --- a/drivers/fpga/fpga.c +++ b/drivers/fpga/fpga.c @@ -252,7 +252,8 @@ int fpga_loads(int devnum, const void *buf, size_t size, /* * Generic multiplexing code */ -int fpga_load(int devnum, const void *buf, size_t bsize, bitstream_type bstype) +int fpga_load(int devnum, const void *buf, size_t bsize, bitstream_type bstype, + int flags) { int ret_val = FPGA_FAIL; /* assume failure */ const fpga_desc *desc = fpga_validate(devnum, buf, bsize, @@ -263,7 +264,7 @@ int fpga_load(int devnum, const void *buf, size_t bsize, bitstream_type bstype) case fpga_xilinx: #if defined(CONFIG_FPGA_XILINX) ret_val = xilinx_load(desc->devdesc, buf, bsize, - bstype, 0); + bstype, flags); #else fpga_no_sup((char *)__func__, "Xilinx devices"); #endif diff --git a/drivers/fpga/xilinx.c b/drivers/fpga/xilinx.c index 5dd721575ec..d9951ca3ecf 100644 --- a/drivers/fpga/xilinx.c +++ b/drivers/fpga/xilinx.c @@ -135,7 +135,7 @@ int fpga_loadbitstream(int devnum, char *fpgadata, size_t size, dataptr += 4; printf(" bytes in bitstream = %d\n", swapsize);
- return fpga_load(devnum, dataptr, swapsize, bstype); + return fpga_load(devnum, dataptr, swapsize, bstype, 0); }
int xilinx_load(xilinx_desc *desc, const void *buf, size_t bsize, diff --git a/include/fpga.h b/include/fpga.h index ec5144334df..6365e1569e3 100644 --- a/include/fpga.h +++ b/include/fpga.h @@ -64,7 +64,7 @@ int fpga_count(void); const fpga_desc *const fpga_get_desc(int devnum); int fpga_is_partial_data(int devnum, size_t img_len); int fpga_load(int devnum, const void *buf, size_t bsize, - bitstream_type bstype); + bitstream_type bstype, int flags); int fpga_fsload(int devnum, const void *buf, size_t size, fpga_fs_info *fpga_fsinfo); int fpga_loads(int devnum, const void *buf, size_t size,
Add a "compatible" string to binary flag converter, which uses a callback str2flag() of given FPGA driver if available.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
Changes in v12: - define the function only if FPGA_LOAD_SECURE enabled;
Changes in v10: - fix mixed types of return value;
drivers/fpga/fpga.c | 26 ++++++++++++++++++++++++++ include/fpga.h | 1 + 2 files changed, 27 insertions(+)
diff --git a/drivers/fpga/fpga.c b/drivers/fpga/fpga.c index 185bd547cb5..4db5c0a91e9 100644 --- a/drivers/fpga/fpga.c +++ b/drivers/fpga/fpga.c @@ -357,3 +357,29 @@ int fpga_info(int devnum)
return fpga_dev_info(devnum); } + +#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) +int fpga_compatible2flag(int devnum, const char *compatible) +{ + const fpga_desc * const desc = fpga_get_desc(devnum); + + if (!desc) + return 0; + + switch (desc->devtype) { +#if defined(CONFIG_FPGA_XILINX) + case fpga_xilinx: + { + xilinx_desc *xdesc = (xilinx_desc *)desc->devdesc; + + if (xdesc->operations && xdesc->operations->str2flag) + return xdesc->operations->str2flag(xdesc, compatible); + } +#endif + default: + break; + } + + return 0; +} +#endif diff --git a/include/fpga.h b/include/fpga.h index 6365e1569e3..13b1bbee3ca 100644 --- a/include/fpga.h +++ b/include/fpga.h @@ -75,5 +75,6 @@ int fpga_dump(int devnum, const void *buf, size_t bsize); int fpga_info(int devnum); const fpga_desc *const fpga_validate(int devnum, const void *buf, size_t bsize, char *fn); +int fpga_compatible2flag(int devnum, const char *compatible);
#endif /* _FPGA_H_ */
Convert taken FPGA image "compatible" string to a binary compatible flag and pass it to an FPGA driver.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
Changes in v12: - convert "compatible" to flags only if FPGA_LOAD_SECURE enabled;
Changes in v10: - made the message about ignoring legacy compatibe option as debug;
common/spl/spl_fit.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index 3c5a91916cc..a35be529656 100644 --- a/common/spl/spl_fit.c +++ b/common/spl/spl_fit.c @@ -588,10 +588,15 @@ static int spl_fit_upload_fpga(struct spl_fit_info *ctx, int node, (u32)fpga_image->load_addr, fpga_image->size);
compatible = fdt_getprop(ctx->fit, node, "compatible", NULL); - if (!compatible) + if (!compatible) { warn_deprecated("'fpga' image without 'compatible' property"); - else if (strcmp(compatible, "u-boot,fpga-legacy")) - printf("Ignoring compatible = %s property\n", compatible); + } else { + if (CONFIG_IS_ENABLED(FPGA_LOAD_SECURE)) + flags = fpga_compatible2flag(devnum, compatible); + if (strcmp(compatible, "u-boot,fpga-legacy")) + debug("Ignoring compatible = %s property\n", + compatible); + }
ret = fpga_load(devnum, (void *)fpga_image->load_addr, fpga_image->size, BIT_FULL, flags);
These flags may be used to check whether an FPGA driver is able to load a particular FPGA bitstream image.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
(no changes since v1)
drivers/fpga/spartan2.c | 2 +- drivers/fpga/spartan3.c | 2 +- drivers/fpga/versalpl.c | 2 +- drivers/fpga/virtex2.c | 2 +- drivers/fpga/xilinx.c | 2 +- drivers/fpga/zynqmppl.c | 2 +- drivers/fpga/zynqpl.c | 2 +- include/xilinx.h | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/fpga/spartan2.c b/drivers/fpga/spartan2.c index 3435400e58b..328740f3f35 100644 --- a/drivers/fpga/spartan2.c +++ b/drivers/fpga/spartan2.c @@ -41,7 +41,7 @@ static int spartan2_ss_dump(xilinx_desc *desc, const void *buf, size_t bsize); /* ------------------------------------------------------------------------- */ /* Spartan-II Generic Implementation */ static int spartan2_load(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype) + bitstream_type bstype, int flags) { int ret_val = FPGA_FAIL;
diff --git a/drivers/fpga/spartan3.c b/drivers/fpga/spartan3.c index 4850c99352d..918f6db5065 100644 --- a/drivers/fpga/spartan3.c +++ b/drivers/fpga/spartan3.c @@ -45,7 +45,7 @@ static int spartan3_ss_dump(xilinx_desc *desc, const void *buf, size_t bsize); /* ------------------------------------------------------------------------- */ /* Spartan-II Generic Implementation */ static int spartan3_load(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype) + bitstream_type bstype, int flags) { int ret_val = FPGA_FAIL;
diff --git a/drivers/fpga/versalpl.c b/drivers/fpga/versalpl.c index c44a7d34557..d3876a8f541 100644 --- a/drivers/fpga/versalpl.c +++ b/drivers/fpga/versalpl.c @@ -27,7 +27,7 @@ static ulong versal_align_dma_buffer(ulong *buf, u32 len) }
static int versal_load(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype) + bitstream_type bstype, int flags) { ulong bin_buf; int ret; diff --git a/drivers/fpga/virtex2.c b/drivers/fpga/virtex2.c index b3e0537bab0..83b90298cad 100644 --- a/drivers/fpga/virtex2.c +++ b/drivers/fpga/virtex2.c @@ -94,7 +94,7 @@ static int virtex2_ss_load(xilinx_desc *desc, const void *buf, size_t bsize); static int virtex2_ss_dump(xilinx_desc *desc, const void *buf, size_t bsize);
static int virtex2_load(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype) + bitstream_type bstype, int flags) { int ret_val = FPGA_FAIL;
diff --git a/drivers/fpga/xilinx.c b/drivers/fpga/xilinx.c index d9951ca3ecf..8170c3368ef 100644 --- a/drivers/fpga/xilinx.c +++ b/drivers/fpga/xilinx.c @@ -151,7 +151,7 @@ int xilinx_load(xilinx_desc *desc, const void *buf, size_t bsize, return FPGA_FAIL; }
- return desc->operations->load(desc, buf, bsize, bstype); + return desc->operations->load(desc, buf, bsize, bstype, flags); }
#if defined(CONFIG_CMD_FPGA_LOADFS) diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index 19d079c9d9f..a0624567882 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -200,7 +200,7 @@ static int zynqmp_validate_bitstream(xilinx_desc *desc, const void *buf, }
static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype) + bitstream_type bstype, int flags) { ALLOC_CACHE_ALIGN_BUFFER(u32, bsizeptr, 1); u32 swap = 0; diff --git a/drivers/fpga/zynqpl.c b/drivers/fpga/zynqpl.c index 2de40109a81..d8ebd542abd 100644 --- a/drivers/fpga/zynqpl.c +++ b/drivers/fpga/zynqpl.c @@ -371,7 +371,7 @@ static int zynq_validate_bitstream(xilinx_desc *desc, const void *buf, }
static int zynq_load(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype) + bitstream_type bstype, int flags) { unsigned long ts; /* Timestamp */ u32 isr_status, swap; diff --git a/include/xilinx.h b/include/xilinx.h index 0bbf14d8a1d..e5f6db33fa2 100644 --- a/include/xilinx.h +++ b/include/xilinx.h @@ -53,7 +53,7 @@ typedef struct { /* typedef xilinx_desc */
struct xilinx_fpga_op { int (*load)(xilinx_desc *desc, const void *buf, size_t bsize, - bitstream_type bstype); + bitstream_type bstype, int flags); int (*loadfs)(xilinx_desc *desc, const void *buf, size_t bsize, fpga_fs_info *fpga_fsinfo); int (*loads)(xilinx_desc *desc, const void *buf, size_t bsize,
Reduce the function code by calling xilinx_pm_request() once only. Use the same variable bsize_req to store either bstream size in bytes or an address of bstream size according to a type required by the firmware version. Remove obsolete debug().
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
Changes in v12: - fix a commit message - remove obsolete debug() message
drivers/fpga/zynqmppl.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index a0624567882..2791f931861 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -207,38 +207,33 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, ulong bin_buf; int ret; u32 buf_lo, buf_hi; + u32 bsize_req = (u32)bsize; u32 ret_payload[PAYLOAD_ARG_CNT]; - bool xilfpga_old = false;
if (zynqmp_firmware_version() <= PMUFW_V1_0) { puts("WARN: PMUFW v1.0 or less is detected\n"); puts("WARN: Not all bitstream formats are supported\n"); puts("WARN: Please upgrade PMUFW\n"); - xilfpga_old = true; if (zynqmp_validate_bitstream(desc, buf, bsize, bsize, &swap)) return FPGA_FAIL; bsizeptr = (u32 *)&bsize; flush_dcache_range((ulong)bsizeptr, (ulong)bsizeptr + sizeof(size_t)); + bsize_req = (u32)(uintptr_t)bsizeptr; bstype |= BIT(ZYNQMP_FPGA_BIT_NS); + } else { + bstype = 0; }
bin_buf = zynqmp_align_dma_buffer((u32 *)buf, bsize, swap);
- debug("%s called!\n", __func__); flush_dcache_range(bin_buf, bin_buf + bsize);
buf_lo = (u32)bin_buf; buf_hi = upper_32_bits(bin_buf);
- if (xilfpga_old) - ret = xilinx_pm_request(PM_FPGA_LOAD, buf_lo, - buf_hi, (u32)(uintptr_t)bsizeptr, - bstype, ret_payload); - else - ret = xilinx_pm_request(PM_FPGA_LOAD, buf_lo, - buf_hi, (u32)bsize, 0, ret_payload); - + ret = xilinx_pm_request(PM_FPGA_LOAD, buf_lo, buf_hi, + bsize_req, bstype, ret_payload); if (ret) printf("PL FPGA LOAD failed with err: 0x%08x\n", ret);
Check whether the FPGA ZynqMP driver supports the given bitstream image type.
Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
Changes in v12: - exclude all secure-related code if FPGA_LOAD_SECURE is disabled
Changes in v10: - fix grammar
drivers/fpga/zynqmppl.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+)
diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index 2791f931861..feaf34fff11 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -199,6 +199,28 @@ static int zynqmp_validate_bitstream(xilinx_desc *desc, const void *buf, return 0; }
+#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) +static int zynqmp_check_compatible(xilinx_desc *desc, int flags) +{ + /* If no flags set, the image is legacy */ + if (!flags) + return 0; + + /* For legacy bitstream images no need for other methods exist */ + if ((flags & desc->flags) && flags == FPGA_LEGACY) + return 0; + + /* + * Other images are handled in secure callback loads(). Check + * callback existence besides image type support. + */ + if (desc->operations->loads && (flags & desc->flags)) + return 0; + + return FPGA_FAIL; +} +#endif + static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, bitstream_type bstype, int flags) { @@ -210,6 +232,18 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, u32 bsize_req = (u32)bsize; u32 ret_payload[PAYLOAD_ARG_CNT];
+#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) + ret = zynqmp_check_compatible(desc, flags); + if (ret) { + if (ret != -ENODATA) { + puts("Missing loads() operation or unsupported bitstream type\n"); + return FPGA_FAIL; + } + /* If flags is not set, the image treats as legacy */ + flags = FPGA_LEGACY; + } +#endif + if (zynqmp_firmware_version() <= PMUFW_V1_0) { puts("WARN: PMUFW v1.0 or less is detected\n"); puts("WARN: Not all bitstream formats are supported\n");
Add supporting new compatible string "u-boot,zynqmp-fpga-ddrauth" to handle loading authenticated images (DDR).
Based on solution by Jorge Ramirez-Ortiz jorge@foundries.io Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io ---
(no changes since v11)
Changes in v11: - Fix treating an incoming FPGA image with empty flags parameter as legacy.
Changes in v10: - Support DDR images only if FPGA_LOAD_SECURE enabled.
boot/Kconfig | 4 ++-- doc/uImage.FIT/source_file_format.txt | 5 ++++- drivers/fpga/zynqmppl.c | 31 ++++++++++++++++++++++----- include/xilinx.h | 1 + include/zynqmppl.h | 4 ++++ 5 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/boot/Kconfig b/boot/Kconfig index 17438b566d5..59d0c65c944 100644 --- a/boot/Kconfig +++ b/boot/Kconfig @@ -210,8 +210,8 @@ config SPL_LOAD_FIT 1. "loadables" images, other than FDTs, which do not have a "load" property will not be loaded. This limitation also applies to FPGA images with the correct "compatible" string. - 2. For FPGA images, only the "compatible" = "u-boot,fpga-legacy" - loading method is supported. + 2. For FPGA images, the supported "compatible" list is in the + doc/uImage.FIT/source_file_format.txt. 3. FDTs are only loaded for images with an "os" property of "u-boot". "linux" images are also supported with Falcon boot mode.
diff --git a/doc/uImage.FIT/source_file_format.txt b/doc/uImage.FIT/source_file_format.txt index f93ac6d1c7b..461e2af2a84 100644 --- a/doc/uImage.FIT/source_file_format.txt +++ b/doc/uImage.FIT/source_file_format.txt @@ -184,7 +184,10 @@ the '/images' node should have the following layout: Mandatory for types: "firmware", and "kernel". - compatible : compatible method for loading image. Mandatory for types: "fpga", and images that do not specify a load address. - To use the generic fpga loading routine, use "u-boot,fpga-legacy". + Supported compatible methods: + "u-boot,fpga-legacy" - the generic fpga loading routine. + "u-boot,zynqmp-fpga-ddrauth" - signed non-encrypted FPGA bitstream for + Xilinx Zynq UltraScale+ (ZymqMP) device.
Optional nodes: - hash-1 : Each hash sub-node represents separate hash or checksum diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index feaf34fff11..200076c8c6a 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -9,6 +9,7 @@ #include <common.h> #include <compiler.h> #include <cpu_func.h> +#include <fpga.h> #include <log.h> #include <zynqmppl.h> #include <zynqmp_firmware.h> @@ -202,9 +203,12 @@ static int zynqmp_validate_bitstream(xilinx_desc *desc, const void *buf, #if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) static int zynqmp_check_compatible(xilinx_desc *desc, int flags) { - /* If no flags set, the image is legacy */ + /* + * If no flags set, the image may be legacy, but we need to + * signal caller this situation with specific error code. + */ if (!flags) - return 0; + return -ENODATA;
/* For legacy bitstream images no need for other methods exist */ if ((flags & desc->flags) && flags == FPGA_LEGACY) @@ -217,7 +221,7 @@ static int zynqmp_check_compatible(xilinx_desc *desc, int flags) if (desc->operations->loads && (flags & desc->flags)) return 0;
- return FPGA_FAIL; + return -ENODEV; } #endif
@@ -231,8 +235,9 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, u32 buf_lo, buf_hi; u32 bsize_req = (u32)bsize; u32 ret_payload[PAYLOAD_ARG_CNT]; - #if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) + struct fpga_secure_info info = { 0 }; + ret = zynqmp_check_compatible(desc, flags); if (ret) { if (ret != -ENODATA) { @@ -242,6 +247,19 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, /* If flags is not set, the image treats as legacy */ flags = FPGA_LEGACY; } + + switch (flags) { + case FPGA_LEGACY: + break; /* Handle the legacy image later in this function */ + case FPGA_XILINX_ZYNQMP_DDRAUTH: + /* DDR authentication */ + info.authflag = ZYNQMP_FPGA_AUTH_DDR; + info.encflag = FPGA_NO_ENC_OR_NO_AUTH; + return desc->operations->loads(desc, buf, bsize, &info); + default: + printf("Unsupported bitstream type %d\n", flags); + return FPGA_FAIL; + } #endif
if (zynqmp_firmware_version() <= PMUFW_V1_0) { @@ -337,7 +355,10 @@ static int __maybe_unused zynqmp_str2flag(xilinx_desc *desc, const char *str) { if (!strncmp(str, "u-boot,fpga-legacy", 18)) return FPGA_LEGACY; - +#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) + if (!strncmp(str, "u-boot,zynqmp-fpga-ddrauth", 26)) + return FPGA_XILINX_ZYNQMP_DDRAUTH; +#endif return 0; }
diff --git a/include/xilinx.h b/include/xilinx.h index e5f6db33fa2..97ee12cec42 100644 --- a/include/xilinx.h +++ b/include/xilinx.h @@ -39,6 +39,7 @@ typedef enum { /* typedef xilinx_family */
/* FPGA bitstream supported types */ #define FPGA_LEGACY BIT(0) +#define FPGA_XILINX_ZYNQMP_DDRAUTH BIT(1)
typedef struct { /* typedef xilinx_desc */ xilinx_family family; /* part type */ diff --git a/include/zynqmppl.h b/include/zynqmppl.h index 8401a850afb..87ccd2f394c 100644 --- a/include/zynqmppl.h +++ b/include/zynqmppl.h @@ -25,6 +25,10 @@
extern struct xilinx_fpga_op zynqmp_op;
+#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) +#define ZYNQMP_FPGA_FLAGS (FPGA_LEGACY | FPGA_XILINX_ZYNQMP_DDRAUTH) +#else #define ZYNQMP_FPGA_FLAGS (FPGA_LEGACY) +#endif
#endif /* _ZYNQMPPL_H_ */
From: Adrian Fiergolski adrian.fiergolski@fastree3d.com
Add supporting new compatible string "u-boot,zynqmp-fpga-enc" to handle loading encrypted bitfiles.
This feature requires encrypted FSBL, as according to UG1085: "The CSU automatically locks out the AES key, stored in either BBRAM or eFUSEs, as a key source to the AES engine if the FSBL is not encrypted. This prevents using the BBRAM or eFUSE as the key source to the AES engine during run-time applications."
Signed-off-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com Co-developed-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Adrian Fiergolski adrian.fiergolski@fastree3d.com ---
Changes in v12: - reduce the size of SPL if FPGA_LOAD_SECURE disabled.
Changes in v11: - add Tested-by records.
Changes in v10: - Support ENC images only if FPGA_LOAD_SECURE enabled.
Changes in v9: - remove an alien commit from a patchset :)
Changes in v8: - Michal Simek's suggestions addressed: -- introduce the compatible flags in xilinx_desc; -- pass a binary compatible flag instead of "compatible" property to an FPGA driver. - Optimize a zynqmp_load() function.
Changes in v7: - apply Michal Simek's suggestions As I applied changes on Oleksandr's patches, I indicated it by specifying myself as co-author in the commits logs. I am not sure if that is the convention of marking it.
Changes in v6: - add support for the encrypted bitfiles.
Changes in v5: - replace ifdef with if() where it's possible.
Changes in v4: - change interface to xilinx_desc->operations->open() callback. - fix a bug from previous version of the patchset in dereferencing of a parent fpga_desc structure.
Changes in v3: - remove the patch which introduced CMD_SPL_FPGA_LOAD_SECURE. - fix mixing definitions/declarations. - replace strcmp() calls with more secure strncmp(). - document the "u-boot,zynqmp-fpga-ddrauth" compatible string. - fix code style by check-patch recommendations.
Changes in v2: - add function fit_fpga_load() to simplify calls of fpga_load() from contexts without a compatible attribute. - move all ZynqMP-specific logic to drivers/fpga/zynqmppl.c - prepare for passing a "compatible" FDT property to any fpga driver.
doc/uImage.FIT/source_file_format.txt | 2 ++ drivers/fpga/zynqmppl.c | 8 ++++++++ include/fpga.h | 1 + include/xilinx.h | 1 + include/zynqmppl.h | 4 +++- 5 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/doc/uImage.FIT/source_file_format.txt b/doc/uImage.FIT/source_file_format.txt index 461e2af2a84..68701118409 100644 --- a/doc/uImage.FIT/source_file_format.txt +++ b/doc/uImage.FIT/source_file_format.txt @@ -188,6 +188,8 @@ the '/images' node should have the following layout: "u-boot,fpga-legacy" - the generic fpga loading routine. "u-boot,zynqmp-fpga-ddrauth" - signed non-encrypted FPGA bitstream for Xilinx Zynq UltraScale+ (ZymqMP) device. + "u-boot,zynqmp-fpga-enc" - encrypted FPGA bitstream for Xilinx Zynq + UltraScale+ (ZynqMP) device.
Optional nodes: - hash-1 : Each hash sub-node represents separate hash or checksum diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index 200076c8c6a..a6c8dcdcdcc 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -256,6 +256,11 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, info.authflag = ZYNQMP_FPGA_AUTH_DDR; info.encflag = FPGA_NO_ENC_OR_NO_AUTH; return desc->operations->loads(desc, buf, bsize, &info); + case FPGA_XILINX_ZYNQMP_ENC: + /* Encryption using device key */ + info.authflag = FPGA_NO_ENC_OR_NO_AUTH; + info.encflag = FPGA_ENC_DEV_KEY; + return desc->operations->loads(desc, buf, bsize, &info); default: printf("Unsupported bitstream type %d\n", flags); return FPGA_FAIL; @@ -358,6 +363,9 @@ static int __maybe_unused zynqmp_str2flag(xilinx_desc *desc, const char *str) #if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) if (!strncmp(str, "u-boot,zynqmp-fpga-ddrauth", 26)) return FPGA_XILINX_ZYNQMP_DDRAUTH; + + if (!strncmp(str, "u-boot,zynqmp-fpga-enc", 22)) + return FPGA_XILINX_ZYNQMP_ENC; #endif return 0; } diff --git a/include/fpga.h b/include/fpga.h index 13b1bbee3ca..a4e16401da7 100644 --- a/include/fpga.h +++ b/include/fpga.h @@ -20,6 +20,7 @@ /* device numbers must be non-negative */ #define FPGA_INVALID_DEVICE -1
+#define FPGA_ENC_DEV_KEY 0 #define FPGA_ENC_USR_KEY 1 #define FPGA_NO_ENC_OR_NO_AUTH 2
diff --git a/include/xilinx.h b/include/xilinx.h index 97ee12cec42..e4e29797988 100644 --- a/include/xilinx.h +++ b/include/xilinx.h @@ -40,6 +40,7 @@ typedef enum { /* typedef xilinx_family */ /* FPGA bitstream supported types */ #define FPGA_LEGACY BIT(0) #define FPGA_XILINX_ZYNQMP_DDRAUTH BIT(1) +#define FPGA_XILINX_ZYNQMP_ENC BIT(2)
typedef struct { /* typedef xilinx_desc */ xilinx_family family; /* part type */ diff --git a/include/zynqmppl.h b/include/zynqmppl.h index 87ccd2f394c..acf75a8f079 100644 --- a/include/zynqmppl.h +++ b/include/zynqmppl.h @@ -26,7 +26,9 @@ extern struct xilinx_fpga_op zynqmp_op;
#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) -#define ZYNQMP_FPGA_FLAGS (FPGA_LEGACY | FPGA_XILINX_ZYNQMP_DDRAUTH) +#define ZYNQMP_FPGA_FLAGS (FPGA_LEGACY | \ + FPGA_XILINX_ZYNQMP_DDRAUTH | \ + FPGA_XILINX_ZYNQMP_ENC) #else #define ZYNQMP_FPGA_FLAGS (FPGA_LEGACY) #endif
On 7/22/22 16:16, Oleksandr Suvorov wrote:
Add supporting new compatible string "u-boot,zynqmp-fpga-ddrauth" to handle loading authenticated images (DDR).
Based on solution by Jorge Ramirez-Ortiz jorge@foundries.io Signed-off-by: Oleksandr Suvorov oleksandr.suvorov@foundries.io Tested-by: Ricardo Salveti ricardo@foundries.io
(no changes since v11)
Changes in v11:
- Fix treating an incoming FPGA image with empty flags parameter as legacy.
Changes in v10:
Support DDR images only if FPGA_LOAD_SECURE enabled.
boot/Kconfig | 4 ++-- doc/uImage.FIT/source_file_format.txt | 5 ++++- drivers/fpga/zynqmppl.c | 31 ++++++++++++++++++++++----- include/xilinx.h | 1 + include/zynqmppl.h | 4 ++++ 5 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/boot/Kconfig b/boot/Kconfig index 17438b566d5..59d0c65c944 100644 --- a/boot/Kconfig +++ b/boot/Kconfig @@ -210,8 +210,8 @@ config SPL_LOAD_FIT 1. "loadables" images, other than FDTs, which do not have a "load" property will not be loaded. This limitation also applies to FPGA images with the correct "compatible" string.
2. For FPGA images, only the "compatible" = "u-boot,fpga-legacy"loading method is supported.
2. For FPGA images, the supported "compatible" list is in thedoc/uImage.FIT/source_file_format.txt.
- FDTs are only loaded for images with an "os" property of "u-boot". "linux" images are also supported with Falcon boot mode.
diff --git a/doc/uImage.FIT/source_file_format.txt b/doc/uImage.FIT/source_file_format.txt index f93ac6d1c7b..461e2af2a84 100644 --- a/doc/uImage.FIT/source_file_format.txt +++ b/doc/uImage.FIT/source_file_format.txt @@ -184,7 +184,10 @@ the '/images' node should have the following layout: Mandatory for types: "firmware", and "kernel". - compatible : compatible method for loading image. Mandatory for types: "fpga", and images that do not specify a load address.
- To use the generic fpga loading routine, use "u-boot,fpga-legacy".
Supported compatible methods:
"u-boot,fpga-legacy" - the generic fpga loading routine.
"u-boot,zynqmp-fpga-ddrauth" - signed non-encrypted FPGA bitstream for
Xilinx Zynq UltraScale+ (ZymqMP) device.
Optional nodes:
- hash-1 : Each hash sub-node represents separate hash or checksum
diff --git a/drivers/fpga/zynqmppl.c b/drivers/fpga/zynqmppl.c index feaf34fff11..200076c8c6a 100644 --- a/drivers/fpga/zynqmppl.c +++ b/drivers/fpga/zynqmppl.c @@ -9,6 +9,7 @@ #include <common.h> #include <compiler.h> #include <cpu_func.h> +#include <fpga.h> #include <log.h> #include <zynqmppl.h> #include <zynqmp_firmware.h> @@ -202,9 +203,12 @@ static int zynqmp_validate_bitstream(xilinx_desc *desc, const void *buf, #if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE) static int zynqmp_check_compatible(xilinx_desc *desc, int flags) {
- /* If no flags set, the image is legacy */
- /*
* If no flags set, the image may be legacy, but we need to* signal caller this situation with specific error code.*/
return 0;
return -ENODATA;/* For legacy bitstream images no need for other methods exist */ if ((flags & desc->flags) && flags == FPGA_LEGACY)
@@ -217,7 +221,7 @@ static int zynqmp_check_compatible(xilinx_desc *desc, int flags) if (desc->operations->loads && (flags & desc->flags)) return 0;
- return FPGA_FAIL;
- return -ENODEV; } #endif
@@ -231,8 +235,9 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, u32 buf_lo, buf_hi; u32 bsize_req = (u32)bsize; u32 ret_payload[PAYLOAD_ARG_CNT];
- #if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE)
- struct fpga_secure_info info = { 0 };
- ret = zynqmp_check_compatible(desc, flags); if (ret) { if (ret != -ENODATA) {
@@ -242,6 +247,19 @@ static int zynqmp_load(xilinx_desc *desc, const void *buf, size_t bsize, /* If flags is not set, the image treats as legacy */ flags = FPGA_LEGACY; }
- switch (flags) {
- case FPGA_LEGACY:
break; /* Handle the legacy image later in this function */
#if CONFIG_IS_ENABLED(FPGA_LOAD_SECURE)
should be here.
But I have added it myself.
- case FPGA_XILINX_ZYNQMP_DDRAUTH:
/* DDR authentication */info.authflag = ZYNQMP_FPGA_AUTH_DDR;info.encflag = FPGA_NO_ENC_OR_NO_AUTH;return desc->operations->loads(desc, buf, bsize, &info);
and #endif here.
M
On 7/22/22 16:16, Oleksandr Suvorov wrote:
CAUTION: This message has originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email.
This patchset introduces support for the authenticated and encrypted FPGA images on ZynqMP boards, besides that introducing common way to pass the compatible property to any fpga driver.
It bases on the initial work by Jorge Ramirez-Ortiz jorge@foundries.io https://patchwork.ozlabs.org/project/uboot/patch/20211015091506.2602-1-jorge... https://patchwork.ozlabs.org/project/uboot/patch/20211005111324.19749-3-jorg...
Changes in v12:
- define the function only if FPGA_LOAD_SECURE enabled;
- convert "compatible" to flags only if FPGA_LOAD_SECURE enabled;
- fix a commit message
- remove obsolete debug() message
- exclude all secure-related code if FPGA_LOAD_SECURE is disabled
- reduce the size of SPL if FPGA_LOAD_SECURE disabled.
Changes in v11:
- Fix treating an incoming FPGA image with empty flags parameter as legacy.
- add Tested-by records.
Changes in v10:
- move FPGA flags to macros;
- initialize xilinx_desc structs directly, removing *_DESC macros;
- initialize flags for mach-zynq;
- fix mixed types of return value;
- made the message about ignoring legacy compatibe option as debug;
- fix grammar
- Support DDR images only if FPGA_LOAD_SECURE enabled.
- Support ENC images only if FPGA_LOAD_SECURE enabled.
Changes in v9:
- remove an alien commit from a patchset :)
Changes in v8:
- Michal Simek's suggestions addressed:
-- introduce the compatible flags in xilinx_desc; -- pass a binary compatible flag instead of "compatible" property to an FPGA driver.
- Optimize a zynqmp_load() function.
Changes in v7:
- apply Michal Simek's suggestions As I applied changes on Oleksandr's patches, I indicated it by specifying myself as co-author in the commits logs. I am not sure if that is the convention of marking it.
Changes in v6:
- add support for the encrypted bitfiles.
Changes in v5:
- replace ifdef with if() where it's possible.
Changes in v4:
- change interface to xilinx_desc->operations->open() callback.
- fix a bug from previous version of the patchset in dereferencing of a parent fpga_desc structure.
Changes in v3:
- remove the patch which introduced CMD_SPL_FPGA_LOAD_SECURE.
- fix mixing definitions/declarations.
- replace strcmp() calls with more secure strncmp().
- document the "u-boot,zynqmp-fpga-ddrauth" compatible string.
- fix code style by check-patch recommendations.
Changes in v2:
- add function fit_fpga_load() to simplify calls of fpga_load() from contexts without a compatible attribute.
- move all ZynqMP-specific logic to drivers/fpga/zynqmppl.c
- prepare for passing a "compatible" FDT property to any fpga driver.
Adrian Fiergolski (1): fpga: zynqmp: support loading encrypted bitfiles
Oleksandr Suvorov (12): fpga: add option for loading FPGA secure bitstreams fpga: xilinx: add missed identifier names fpga: xilinx: add bitstream flags to driver desc fpga: zynqmp: add str2flags call fpga: xilinx: pass compatible flags to xilinx_load() fpga: pass compatible flags to fpga_load() fpga: add fpga_compatible2flag spl: fit: pass real compatible flags to fpga_load() fpga: xilinx: pass compatible flags to load() callback fpga: zynqmp: reduce zynqmppl_load() code fpga: zynqmp: add bitstream compatible checking fpga: zynqmp: support loading authenticated images
arch/arm/mach-zynq/cpu.c | 1 + board/xilinx/versal/board.c | 5 +- board/xilinx/zynqmp/zynqmp.c | 5 +- boot/Kconfig | 4 +- boot/image-board.c | 4 +- cmd/Kconfig | 3 +- cmd/fpga.c | 8 +-- common/spl/spl_fit.c | 17 +++-- doc/uImage.FIT/source_file_format.txt | 7 +- drivers/fpga/Kconfig | 14 ++++ drivers/fpga/fpga.c | 33 ++++++++- drivers/fpga/spartan2.c | 2 +- drivers/fpga/spartan3.c | 2 +- drivers/fpga/versalpl.c | 2 +- drivers/fpga/virtex2.c | 2 +- drivers/fpga/xilinx.c | 8 +-- drivers/fpga/zynqmppl.c | 99 ++++++++++++++++++++++----- drivers/fpga/zynqpl.c | 2 +- include/fpga.h | 4 +- include/versalpl.h | 3 - include/xilinx.h | 21 ++++-- include/zynqmppl.h | 9 ++- 22 files changed, 199 insertions(+), 56 deletions(-)
-- 2.36.1
Applied with adding one macro in 12/13.
Thanks, Michal
participants (2)
-
Michal Simek -
Oleksandr Suvorov