[U-Boot] [PATCH 1/3][v4] arm: ls1043ardb: Add SD secure boot target
- Add SD secure boot target for ls1043ardb. - Implement FSL_LSCH2 specific spl_board_init() to setup CAAM stream ID and corresponding stream ID in SMMU. - Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR. - CONFIG_MAX_SPL_SIZE is limited to 90K.SPL is copied to OCRAM (128K) where 32K are reserved for use by boot ROM and 6K for secure boto header - Error messages during SPL boot are limited to error code numbers instead of strings to reduce the size of SPL image
Signed-off-by: Vinitha Pillai-B57223 vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com Signed-off-by: Ruchika Gupta ruchika.gupta@nxp.com --- Changes in v4: Updated Maintainers file
Changes in v3: Moved spl_board_init function to arch/arm/cpu/armv8/fsl-layerscape/spl.c
Changes in v2: Rebased to latest dependent patches: - No change
Dependent patch set: SECURE boot target addition for NOR on LS1043, LS1046 https://patchwork.ozlabs.org/patch/742548/ https://patchwork.ozlabs.org/patch/742552/ https://patchwork.ozlabs.org/patch/742549/ https://patchwork.ozlabs.org/patch/742551/ https://patchwork.ozlabs.org/patch/742550/ https://patchwork.ozlabs.org/patch/742553/ https://patchwork.ozlabs.org/patch/742554/
and SPL size reduction patches https://patchwork.ozlabs.org/patch/744755/ https://patchwork.ozlabs.org/patch/744756/ arch/arm/cpu/armv8/fsl-layerscape/spl.c | 18 ++++++++ arch/arm/include/asm/fsl_secure_boot.h | 9 +++- board/freescale/common/fsl_validate.c | 4 ++ board/freescale/ls1043ardb/MAINTAINERS | 1 + configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig | 57 +++++++++++++++++++++++++ include/configs/ls1043a_common.h | 16 ++++++- 6 files changed, 101 insertions(+), 4 deletions(-) create mode 100644 configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/spl.c b/arch/arm/cpu/armv8/fsl-layerscape/spl.c index 73a8680..dfacf98 100644 --- a/arch/arm/cpu/armv8/fsl-layerscape/spl.c +++ b/arch/arm/cpu/armv8/fsl-layerscape/spl.c @@ -41,6 +41,24 @@ u32 spl_boot_mode(const u32 boot_device) }
#ifdef CONFIG_SPL_BUILD + +void spl_board_init(void) +{ +#if defined(CONFIG_SECURE_BOOT) && defined(CONFIG_FSL_LSCH2) + /* + * In case of Secure Boot, the IBR configures the SMMU + * to allow only Secure transactions. + * SMMU must be reset in bypass mode. + * Set the ClientPD bit and Clear the USFCFG Bit + */ + u32 val; + val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_SCR0, val); + val = (in_le32(SMMU_NSCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_NSCR0, val); +#endif +} + void board_init_f(ulong dummy) { /* Clear global data */ diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 423c2c4..56a6ba0 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -27,10 +27,11 @@ #define CONFIG_SPL_UBOOT_KEY_HASH NULL #endif /* ifdef CONFIG_SPL_BUILD */
+#define CONFIG_KEY_REVOCATION + #ifndef CONFIG_SPL_BUILD #define CONFIG_CMD_BLOB #define CONFIG_CMD_HASH -#define CONFIG_KEY_REVOCATION #ifndef CONFIG_SYS_RAMBOOT /* The key used for verification of next level images * is picked up from an Extension Table which has @@ -87,7 +88,11 @@ /* For SD boot address and size are assigned in terms of sector * offset and no. of sectors respectively. */ -#define CONFIG_BS_HDR_ADDR_DEVICE 0x00000900 +#if defined(CONFIG_LS1043A) +#define CONFIG_BS_HDR_ADDR_DEVICE 0x00000920 +#else +#define CONFIG_BS_HDR_ADDR_DEVICE 0x00000900 +#endif #define CONFIG_BS_ADDR_DEVICE 0x00000940 #define CONFIG_BS_HDR_SIZE 0x00000010 #define CONFIG_BS_SIZE 0x00000008 diff --git a/board/freescale/common/fsl_validate.c b/board/freescale/common/fsl_validate.c index 2b723a4..235c6ab 100644 --- a/board/freescale/common/fsl_validate.c +++ b/board/freescale/common/fsl_validate.c @@ -356,6 +356,7 @@ static void fsl_secboot_bootscript_parse_failure(void) */ void fsl_secboot_handle_error(int error) { +#ifndef CONFIG_SPL_BUILD const struct fsl_secboot_errcode *e;
for (e = fsl_secboot_errcodes; e->errcode != ERROR_ESBC_CLIENT_MAX; @@ -363,6 +364,9 @@ void fsl_secboot_handle_error(int error) if (e->errcode == error) printf("ERROR :: %x :: %s\n", error, e->name); } +#else + printf("ERROR :: %x\n", error); +#endif
/* If Boot Mode is secure, transition the SNVS state and issue * reset based on type of failure and ITS setting. diff --git a/board/freescale/ls1043ardb/MAINTAINERS b/board/freescale/ls1043ardb/MAINTAINERS index 0503a3f..8b69892 100644 --- a/board/freescale/ls1043ardb/MAINTAINERS +++ b/board/freescale/ls1043ardb/MAINTAINERS @@ -12,3 +12,4 @@ LS1043A_SECURE_BOOT BOARD M: Ruchika Gupta ruchika.gupta@nxp.com S: Maintained F: configs/ls1043ardb_SECURE_BOOT_defconfig +F: configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig diff --git a/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig new file mode 100644 index 0000000..3f35d64 --- /dev/null +++ b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig @@ -0,0 +1,57 @@ +CONFIG_ARM=y +CONFIG_TARGET_LS1043ARDB=y +CONFIG_SPL_LIBCOMMON_SUPPORT=y +CONFIG_SPL_LIBGENERIC_SUPPORT=y +CONFIG_SPL_MMC_SUPPORT=y +CONFIG_SPL_SERIAL_SUPPORT=y +CONFIG_SPL_ENV_SUPPORT=y +CONFIG_SPL_DRIVERS_MISC_SUPPORT=y +CONFIG_SPL_WATCHDOG_SUPPORT=y +CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1043a-rdb" +CONFIG_FIT=y +CONFIG_FIT_VERBOSE=y +CONFIG_OF_BOARD_SETUP=y +CONFIG_SYS_EXTRA_OPTIONS="RAMBOOT_PBL,SPL_FSL_PBL,SD_BOOT" +CONFIG_SECURE_BOOT=y +CONFIG_SD_BOOT=y +CONFIG_BOOTDELAY=10 +CONFIG_SPL=y +CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y +CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x110 +CONFIG_SPL_MPC8XXX_INIT_DDR_SUPPORT=y +CONFIG_HUSH_PARSER=y +CONFIG_CMD_GPT=y +CONFIG_CMD_MMC=y +CONFIG_CMD_SF=y +CONFIG_CMD_I2C=y +CONFIG_CMD_USB=y +CONFIG_CMD_DHCP=y +CONFIG_CMD_PXE=y +CONFIG_CMD_MII=y +CONFIG_CMD_PING=y +CONFIG_CMD_CACHE=y +CONFIG_CMD_EXT2=y +CONFIG_CMD_FAT=y +# CONFIG_SPL_EFI_PARTITION is not set +CONFIG_OF_CONTROL=y +CONFIG_DM=y +CONFIG_SPL_DM=y +CONFIG_MTD_NOR_FLASH=y +CONFIG_SPI_FLASH=y +CONFIG_NETDEVICES=y +CONFIG_E1000=y +CONFIG_PCI=y +CONFIG_DM_PCI=y +CONFIG_DM_PCI_COMPAT=y +CONFIG_PCIE_LAYERSCAPE=y +CONFIG_SYS_NS16550=y +CONFIG_DM_SPI=y +CONFIG_USB=y +CONFIG_DM_USB=y +CONFIG_USB_XHCI_HCD=y +CONFIG_USB_XHCI_DWC3=y +CONFIG_USB_STORAGE=y +CONFIG_RSA=y +CONFIG_SPL_RSA=y +CONFIG_SPL_CRYPTO_SUPPORT=y +CONFIG_SPL_HASH_SUPPORT=y diff --git a/include/configs/ls1043a_common.h b/include/configs/ls1043a_common.h index 3fb8740..b71456e 100644 --- a/include/configs/ls1043a_common.h +++ b/include/configs/ls1043a_common.h @@ -66,7 +66,7 @@ #define CONFIG_SPL_TARGET "u-boot-with-spl.bin"
#define CONFIG_SPL_TEXT_BASE 0x10000000 -#define CONFIG_SPL_MAX_SIZE 0x1d000 +#define CONFIG_SPL_MAX_SIZE 0x17000 #define CONFIG_SPL_STACK 0x1001e000 #define CONFIG_SPL_PAD_TO 0x1d000
@@ -75,7 +75,19 @@ #define CONFIG_SYS_SPL_MALLOC_SIZE 0x100000 #define CONFIG_SPL_BSS_START_ADDR 0x80100000 #define CONFIG_SPL_BSS_MAX_SIZE 0x80000 -#define CONFIG_SYS_MONITOR_LEN 0xa0000 + +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_U_BOOT_HDR_SIZE (16 << 10) +/* + * HDR would be appended at end of image and copied to DDR along + * with U-Boot image. Here u-boot max. size is 512K. So if binary + * size increases then increase this size in case of secure boot as + * it uses raw u-boot image instead of fit image. + */ +#define CONFIG_SYS_MONITOR_LEN (0x100000 + CONFIG_U_BOOT_HDR_SIZE) +#else +#define CONFIG_SYS_MONITOR_LEN 0x100000 +#endif /* ifdef CONFIG_SECURE_BOOT */ #endif
/* NAND SPL */
Add NAND secure boot target for ls1043ardb.
- Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR. - MACRO for CONFIG_BOOTSCRIPT_COPY_RAM is enabled to copy Bootscript from NAND to DDR. Offsets for Bootscript on NAND and DDR have been also defined.
Signed-off-by: Vinitha Pillai vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com Signed-off-by: Ruchika Gupta ruchika.gupta@nxp.com --- Changes in v4: Updated Maintainers file
Changes in v3: Removed changes to ls1043ardb.c
Changes in v2: - Rebased this patch to the latest dependent patch-set.
Dependent patch set: SECURE boot target addition for NOR on LS1043, LS1046 https://patchwork.ozlabs.org/patch/742548/ https://patchwork.ozlabs.org/patch/742552/ https://patchwork.ozlabs.org/patch/742549/ https://patchwork.ozlabs.org/patch/742551/ https://patchwork.ozlabs.org/patch/742550/ https://patchwork.ozlabs.org/patch/742553/ https://patchwork.ozlabs.org/patch/742554/
and SPL size reduction patches https://patchwork.ozlabs.org/patch/744755/ https://patchwork.ozlabs.org/patch/744756/ arch/arm/include/asm/fsl_secure_boot.h | 7 +++- board/freescale/ls1043ardb/MAINTAINERS | 1 + configs/ls1043ardb_nand_SECURE_BOOT_defconfig | 57 +++++++++++++++++++++++++++ include/config_fsl_chain_trust.h | 9 +++-- include/configs/ls1043a_common.h | 18 ++++++++- include/configs/ls1043ardb.h | 2 +- 6 files changed, 87 insertions(+), 7 deletions(-) create mode 100644 configs/ls1043ardb_nand_SECURE_BOOT_defconfig
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 56a6ba0..9ca7abe 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -70,7 +70,7 @@ /* Copying Bootscript and Header to DDR from NOR for LS2 and for rest, from * Non-XIP Memory (Nand/SD)*/ #if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_FSL_LSCH3) || \ - defined(CONFIG_SD_BOOT) + defined(CONFIG_SD_BOOT) || defined(CONFIG_NAND_BOOT) #define CONFIG_BOOTSCRIPT_COPY_RAM #endif /* The address needs to be modified according to NOR, NAND, SD and @@ -96,6 +96,11 @@ #define CONFIG_BS_ADDR_DEVICE 0x00000940 #define CONFIG_BS_HDR_SIZE 0x00000010 #define CONFIG_BS_SIZE 0x00000008 +#elif defined(CONFIG_NAND_BOOT) +#define CONFIG_BS_HDR_ADDR_DEVICE 0x00800000 +#define CONFIG_BS_ADDR_DEVICE 0x00802000 +#define CONFIG_BS_HDR_SIZE 0x00002000 +#define CONFIG_BS_SIZE 0x00001000 #elif defined(CONFIG_QSPI_BOOT) #ifdef CONFIG_ARCH_LS1046A #define CONFIG_BS_HDR_ADDR_DEVICE 0x40780000 diff --git a/board/freescale/ls1043ardb/MAINTAINERS b/board/freescale/ls1043ardb/MAINTAINERS index 8b69892..87aa006 100644 --- a/board/freescale/ls1043ardb/MAINTAINERS +++ b/board/freescale/ls1043ardb/MAINTAINERS @@ -13,3 +13,4 @@ M: Ruchika Gupta ruchika.gupta@nxp.com S: Maintained F: configs/ls1043ardb_SECURE_BOOT_defconfig F: configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig +F: configs/ls1043ardb_nand_SECURE_BOOT_defconfig diff --git a/configs/ls1043ardb_nand_SECURE_BOOT_defconfig b/configs/ls1043ardb_nand_SECURE_BOOT_defconfig new file mode 100644 index 0000000..66c89fa --- /dev/null +++ b/configs/ls1043ardb_nand_SECURE_BOOT_defconfig @@ -0,0 +1,57 @@ +CONFIG_ARM=y +CONFIG_TARGET_LS1043ARDB=y +CONFIG_SPL_LIBCOMMON_SUPPORT=y +CONFIG_SPL_LIBGENERIC_SUPPORT=y +CONFIG_SPL_NAND_SUPPORT=y +CONFIG_SPL_SERIAL_SUPPORT=y +CONFIG_SPL_ENV_SUPPORT=y +CONFIG_SPL_DRIVERS_MISC_SUPPORT=y +CONFIG_SPL_WATCHDOG_SUPPORT=y +CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1043a-rdb" +CONFIG_FIT=y +CONFIG_FIT_VERBOSE=y +CONFIG_OF_BOARD_SETUP=y +CONFIG_SYS_EXTRA_OPTIONS="RAMBOOT_PBL,SPL_FSL_PBL,NAND_BOOT" +CONFIG_NAND_BOOT=y +CONFIG_SECURE_BOOT=y +CONFIG_BOOTDELAY=10 +CONFIG_SPL=y +CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y +CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0xf0 +CONFIG_SPL_MPC8XXX_INIT_DDR_SUPPORT=y +CONFIG_HUSH_PARSER=y +CONFIG_CMD_GPT=y +CONFIG_CMD_MMC=y +CONFIG_CMD_SF=y +CONFIG_CMD_I2C=y +CONFIG_CMD_USB=y +CONFIG_CMD_DHCP=y +CONFIG_CMD_PXE=y +CONFIG_CMD_MII=y +CONFIG_CMD_PING=y +CONFIG_CMD_CACHE=y +CONFIG_CMD_EXT2=y +CONFIG_CMD_FAT=y +# CONFIG_SPL_EFI_PARTITION is not set +CONFIG_OF_CONTROL=y +CONFIG_DM=y +CONFIG_SPL_DM=y +CONFIG_MTD_NOR_FLASH=y +CONFIG_SPI_FLASH=y +CONFIG_NETDEVICES=y +CONFIG_E1000=y +CONFIG_PCI=y +CONFIG_DM_PCI=y +CONFIG_DM_PCI_COMPAT=y +CONFIG_PCIE_LAYERSCAPE=y +CONFIG_SYS_NS16550=y +CONFIG_DM_SPI=y +CONFIG_USB=y +CONFIG_DM_USB=y +CONFIG_USB_XHCI_HCD=y +CONFIG_USB_XHCI_DWC3=y +CONFIG_USB_STORAGE=y +CONFIG_RSA=y +CONFIG_SPL_RSA=y +CONFIG_SPL_CRYPTO_SUPPORT=y +CONFIG_SPL_HASH_SUPPORT=y diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h index eb45e98..40d323e 100644 --- a/include/config_fsl_chain_trust.h +++ b/include/config_fsl_chain_trust.h @@ -81,17 +81,18 @@ "setenv bs_size " __stringify(CONFIG_BS_SIZE)";"
/* For secure boot flow, default environment used will be used */ -#if defined(CONFIG_SYS_RAMBOOT) -#if defined(CONFIG_RAMBOOT_NAND) +#if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_NAND_BOOT) || \ + defined(CONFIG_SD_BOOT) +#if defined(CONFIG_RAMBOOT_NAND) || defined(CONFIG_NAND_BOOT) #define CONFIG_BS_COPY_CMD \ "nand read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "nand read $bs_ram $bs_device $bs_size ;" -#endif /* CONFIG_RAMBOOT_NAND */ #elif defined(CONFIG_SD_BOOT) #define CONFIG_BS_COPY_CMD \ "mmc read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "mmc read $bs_ram $bs_device $bs_size ;" -#else /* CONFIG_SD_BOOT */ +#endif +#else #define CONFIG_BS_COPY_CMD \ "cp.b $bs_hdr_device $bs_hdr_ram $bs_hdr_size ;" \ "cp.b $bs_device $bs_ram $bs_size ;" diff --git a/include/configs/ls1043a_common.h b/include/configs/ls1043a_common.h index b71456e..202372d 100644 --- a/include/configs/ls1043a_common.h +++ b/include/configs/ls1043a_common.h @@ -105,7 +105,23 @@ #define CONFIG_SPL_BSS_START_ADDR 0x80100000 #define CONFIG_SYS_SPL_MALLOC_SIZE 0x100000 #define CONFIG_SPL_BSS_MAX_SIZE 0x80000 -#define CONFIG_SYS_MONITOR_LEN 0xa0000 + +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_U_BOOT_HDR_SIZE (16 << 10) +#endif /* ifdef CONFIG_SECURE_BOOT */ + +#ifdef CONFIG_U_BOOT_HDR_SIZE +/* + * HDR would be appended at end of image and copied to DDR along + * with U-Boot image. Here u-boot max. size is 512K. So if binary + * size increases then increase this size in case of secure boot as + * it uses raw u-boot image instead of fit image. + */ +#define CONFIG_SYS_MONITOR_LEN (0x100000 + CONFIG_U_BOOT_HDR_SIZE) +#else +#define CONFIG_SYS_MONITOR_LEN 0x100000 +#endif /* ifdef CONFIG_U_BOOT_HDR_SIZE */ + #endif
/* IFC */ diff --git a/include/configs/ls1043ardb.h b/include/configs/ls1043ardb.h index 7ef5c25..6455393 100644 --- a/include/configs/ls1043ardb.h +++ b/include/configs/ls1043ardb.h @@ -149,7 +149,7 @@ #ifdef CONFIG_NAND_BOOT #define CONFIG_SPL_PAD_TO 0x20000 /* block aligned */ #define CONFIG_SYS_NAND_U_BOOT_OFFS CONFIG_SPL_PAD_TO -#define CONFIG_SYS_NAND_U_BOOT_SIZE (640 << 10) +#define CONFIG_SYS_NAND_U_BOOT_SIZE (1024 << 10) #endif
/*
On 04/17/2017 12:32 AM, Ruchika Gupta wrote:
Add NAND secure boot target for ls1043ardb.
- Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR.
- MACRO for CONFIG_BOOTSCRIPT_COPY_RAM is enabled to copy Bootscript from NAND to DDR. Offsets for Bootscript on NAND and DDR have been also defined.
Signed-off-by: Vinitha Pillai vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com Signed-off-by: Ruchika Gupta ruchika.gupta@nxp.com
Changes in v4: Updated Maintainers file
Changes in v3: Removed changes to ls1043ardb.c
Changes in v2:
- Rebased this patch to the latest dependent patch-set.
Reformatted commit message to wrap back at or before 70 characters. Please do the same on your future patches.
Applied to u-boot-fsl-qoriq master, awaiting upstream. Thanks.
York
- Add SD secure boot target for ls1046ardb. - Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR. - CONFIG_MAX_SPL_SIZE is limited to 90K.SPL is copied to OCRAM (128K) where 32K are reserved for use by boot ROM and 6K for the header - Reduce the size of CAAM driver for SPL Blobification functions and descriptors, that are not required at the time of SPL are disabled. Further error code conversion to strings is disabled for SPL build.
Signed-off-by: Vinitha Pillai vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com Signed-off-by: Ruchika Gupta ruchika.gupta@nxp.com --- Changes in v5: Updated MAINTAINERS file
Changes in v4: Removed spl_board_init from board specific file.
Changes in v3: Resend
Changes in v2: - Rebased patches to latest dependent patch set - With the dependent path set , spl imag size increased to 94K. So - additionally reduce the spl image size by removing the functions from - CAAM driver that are not required in SPL flow
Dependent patch set: SECURE boot target addition for NOR on LS1043, LS1046 https://patchwork.ozlabs.org/patch/742548/ https://patchwork.ozlabs.org/patch/742552/ https://patchwork.ozlabs.org/patch/742549/ https://patchwork.ozlabs.org/patch/742551/ https://patchwork.ozlabs.org/patch/742550/ https://patchwork.ozlabs.org/patch/742553/ https://patchwork.ozlabs.org/patch/742554/
and SPL size reduction patches https://patchwork.ozlabs.org/patch/744755/ https://patchwork.ozlabs.org/patch/744756/
arch/arm/include/asm/fsl_secure_boot.h | 2 +- board/freescale/ls1046ardb/MAINTAINERS | 6 ++++ configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig | 45 +++++++++++++++++++++++++ drivers/crypto/fsl/jobdesc.c | 4 +-- drivers/crypto/fsl/jr.c | 19 ++++++----- include/configs/ls1046a_common.h | 17 ++++++++-- 6 files changed, 78 insertions(+), 15 deletions(-) create mode 100644 configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 9ca7abe..97eab64 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -88,7 +88,7 @@ /* For SD boot address and size are assigned in terms of sector * offset and no. of sectors respectively. */ -#if defined(CONFIG_LS1043A) +#if defined(CONFIG_LS1043A) || defined(CONFIG_ARCH_LS1046A) #define CONFIG_BS_HDR_ADDR_DEVICE 0x00000920 #else #define CONFIG_BS_HDR_ADDR_DEVICE 0x00000900 diff --git a/board/freescale/ls1046ardb/MAINTAINERS b/board/freescale/ls1046ardb/MAINTAINERS index ff42bef..8148b90 100644 --- a/board/freescale/ls1046ardb/MAINTAINERS +++ b/board/freescale/ls1046ardb/MAINTAINERS @@ -7,3 +7,9 @@ F: include/configs/ls1046ardb.h F: configs/ls1046ardb_qspi_defconfig F: configs/ls1046ardb_sdcard_defconfig F: configs/ls1046ardb_emmc_defconfig + +LS1046A_SECURE_BOOT BOARD +M: Ruchika Gupta ruchika.gupta@nxp.com +S: Maintained +F: configs/ls1046ardb_SECURE_BOOT_defconfig +F: configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig diff --git a/configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig b/configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig new file mode 100644 index 0000000..a41ec80 --- /dev/null +++ b/configs/ls1046ardb_sdcard_SECURE_BOOT_defconfig @@ -0,0 +1,45 @@ +CONFIG_ARM=y +CONFIG_TARGET_LS1046ARDB=y +CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1046a-rdb" +CONFIG_FIT=y +CONFIG_FIT_VERBOSE=y +CONFIG_OF_BOARD_SETUP=y +CONFIG_SYS_EXTRA_OPTIONS="RAMBOOT_PBL,SPL_FSL_PBL" +CONFIG_SECURE_BOOT=y +CONFIG_SD_BOOT=y +CONFIG_BOOTDELAY=10 +CONFIG_SPL=y +CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y +CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x110 +CONFIG_HUSH_PARSER=y +# CONFIG_CMD_IMLS is not set +CONFIG_CMD_GPT=y +CONFIG_CMD_MMC=y +CONFIG_CMD_SF=y +CONFIG_CMD_I2C=y +CONFIG_CMD_DHCP=y +CONFIG_CMD_MII=y +CONFIG_CMD_PING=y +CONFIG_CMD_CACHE=y +CONFIG_CMD_EXT2=y +CONFIG_CMD_FAT=y +# CONFIG_SPL_EFI_PARTITION is not set +CONFIG_OF_CONTROL=y +CONFIG_DM=y +CONFIG_SPL_DM=y +CONFIG_SPI_FLASH=y +CONFIG_NETDEVICES=y +CONFIG_E1000=y +CONFIG_PCI=y +CONFIG_DM_PCI=y +CONFIG_DM_PCI_COMPAT=y +CONFIG_PCIE_LAYERSCAPE=y +CONFIG_SYS_NS16550=y +CONFIG_DM_SPI=y +CONFIG_FSL_QSPI=y +CONFIG_USB=y +CONFIG_DM_USB=y +CONFIG_RSA=y +CONFIG_SPL_RSA=y +CONFIG_SPL_CRYPTO_SUPPORT=y +CONFIG_SPL_HASH_SUPPORT=y diff --git a/drivers/crypto/fsl/jobdesc.c b/drivers/crypto/fsl/jobdesc.c index 6125bbb..375ff9d 100644 --- a/drivers/crypto/fsl/jobdesc.c +++ b/drivers/crypto/fsl/jobdesc.c @@ -204,7 +204,7 @@ void inline_cnstr_jobdesc_hash(uint32_t *desc, append_store(desc, dma_addr_out, storelen, LDST_CLASS_2_CCB | LDST_SRCDST_BYTE_CONTEXT); } - +#ifndef CONFIG_SPL_BUILD void inline_cnstr_jobdesc_blob_encap(uint32_t *desc, uint8_t *key_idnfr, uint8_t *plain_txt, uint8_t *enc_blob, uint32_t in_sz) @@ -252,7 +252,7 @@ void inline_cnstr_jobdesc_blob_decap(uint32_t *desc, uint8_t *key_idnfr,
append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB); } - +#endif /* * Descriptor to instantiate RNG State Handle 0 in normal mode and * load the JDKEK, TDKEK and TDSK registers diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c index 1b88229..163e729 100644 --- a/drivers/crypto/fsl/jr.c +++ b/drivers/crypto/fsl/jr.c @@ -342,7 +342,9 @@ static void desc_done(uint32_t status, void *arg) { struct result *x = arg; x->status = status; +#ifndef CONFIG_SPL_BUILD caam_jr_strstatus(status); +#endif x->done = 1; }
@@ -436,7 +438,11 @@ static inline int sec_reset_idx(uint8_t sec_idx)
return 0; } - +int sec_reset(void) +{ + return sec_reset_idx(0); +} +#ifndef CONFIG_SPL_BUILD static int instantiate_rng(uint8_t sec_idx) { struct result op; @@ -472,11 +478,6 @@ static int instantiate_rng(uint8_t sec_idx) return ret; }
-int sec_reset(void) -{ - return sec_reset_idx(0); -} - static u8 get_rng_vid(uint8_t sec_idx) { ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx); @@ -561,7 +562,7 @@ static int rng_init(uint8_t sec_idx)
return ret; } - +#endif int sec_init_idx(uint8_t sec_idx) { ccsr_sec_t *sec = (void *)SEC_ADDR(sec_idx); @@ -634,7 +635,7 @@ int sec_init_idx(uint8_t sec_idx)
pamu_enable(); #endif - +#ifndef CONFIG_SPL_BUILD if (get_rng_vid(sec_idx) >= 4) { if (rng_init(sec_idx) < 0) { printf("SEC%u: RNG instantiation failed\n", sec_idx); @@ -642,7 +643,7 @@ int sec_init_idx(uint8_t sec_idx) } printf("SEC%u: RNG instantiated\n", sec_idx); } - +#endif return ret; }
diff --git a/include/configs/ls1046a_common.h b/include/configs/ls1046a_common.h index b77edda..180cf92 100644 --- a/include/configs/ls1046a_common.h +++ b/include/configs/ls1046a_common.h @@ -24,7 +24,6 @@ #define CONFIG_GICV2
#include <asm/arch/config.h> - /* Link Definitions */ #define CONFIG_SYS_INIT_SP_ADDR (CONFIG_SYS_FSL_OCRAM_BASE + 0xfff0)
@@ -78,7 +77,19 @@ #define CONFIG_SYS_SPL_MALLOC_START (CONFIG_SPL_BSS_START_ADDR + \ CONFIG_SPL_BSS_MAX_SIZE) #define CONFIG_SYS_SPL_MALLOC_SIZE 0x100000 -#define CONFIG_SYS_MONITOR_LEN 0xa0000 + +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_U_BOOT_HDR_SIZE (16 << 10) +/* + * HDR would be appended at end of image and copied to DDR along + * with U-Boot image. Here u-boot max. size is 512K. So if binary + * size increases then increase this size in case of secure boot as + * it uses raw u-boot image instead of fit image. + */ +#define CONFIG_SYS_MONITOR_LEN (0x100000 + CONFIG_U_BOOT_HDR_SIZE) +#else +#define CONFIG_SYS_MONITOR_LEN 0x100000 +#endif /* ifdef CONFIG_SECURE_BOOT */ #endif
/* NAND SPL */ @@ -98,7 +109,7 @@ #define CONFIG_SPL_NAND_SUPPORT #define CONFIG_SPL_DRIVERS_MISC_SUPPORT #define CONFIG_SPL_TEXT_BASE 0x10000000 -#define CONFIG_SPL_MAX_SIZE 0x1d000 /* 116 KiB */ +#define CONFIG_SPL_MAX_SIZE 0x17000 /* 90 KiB */ #define CONFIG_SPL_STACK 0x1001f000 #define CONFIG_SYS_NAND_U_BOOT_DST CONFIG_SYS_TEXT_BASE #define CONFIG_SYS_NAND_U_BOOT_START CONFIG_SYS_TEXT_BASE
On 04/17/2017 12:32 AM, Ruchika Gupta wrote:
- Add SD secure boot target for ls1046ardb.
- Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR.
- CONFIG_MAX_SPL_SIZE is limited to 90K.SPL is copied to OCRAM (128K) where 32K are reserved for use by boot ROM and 6K for the header
- Reduce the size of CAAM driver for SPL Blobification functions and descriptors, that are not required at the time of SPL are disabled. Further error code conversion to strings is disabled for SPL build.
Signed-off-by: Vinitha Pillai vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com Signed-off-by: Ruchika Gupta ruchika.gupta@nxp.com
Changes in v5: Updated MAINTAINERS file
Changes in v4: Removed spl_board_init from board specific file.
Changes in v3: Resend
Changes in v2:
- Rebased patches to latest dependent patch set
- With the dependent path set , spl imag size increased to 94K. So
- additionally reduce the spl image size by removing the functions from
- CAAM driver that are not required in SPL flow
Reformatted commit message to wrap back at or before 70 characters. Please do the same on your future patches.
Applied to u-boot-fsl-qoriq master, awaiting upstream. Thanks.
York
On 04/17/2017 12:32 AM, Ruchika Gupta wrote:
- Add SD secure boot target for ls1043ardb.
- Implement FSL_LSCH2 specific spl_board_init() to setup CAAM stream ID and corresponding stream ID in SMMU.
- Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR.
- CONFIG_MAX_SPL_SIZE is limited to 90K.SPL is copied to OCRAM (128K) where 32K are reserved for use by boot ROM and 6K for secure boto header
- Error messages during SPL boot are limited to error code numbers instead of strings to reduce the size of SPL image
Signed-off-by: Vinitha Pillai-B57223 vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com Signed-off-by: Ruchika Gupta ruchika.gupta@nxp.com
Changes in v4: Updated Maintainers file
Changes in v3: Moved spl_board_init function to arch/arm/cpu/armv8/fsl-layerscape/spl.c
Changes in v2: Rebased to latest dependent patches: - No change
Reformatted commit message to wrap back at or before 70 characters. Please do the same on your future patches.
Applied to u-boot-fsl-qoriq master, awaiting upstream. Thanks.
York
participants (2)
-
Ruchika Gupta -
York Sun