[U-Boot] [PATCH 0/4] Add SECURE BOOT support in SPL framework
The patch-set does the following :
1. Enable chain of trust in SPL framework for ARM based platforms. 3. Add SD secure boot target for ls1021atwr platform.
Sumit Garg (4): DM: crypto/fsl: Enable rsa DM driver usage before relocation SECURE_BOOT: Enable chain of trust in SPL framework SECURE_BOOT: Enable SD as a source for bootscript arm: ls1021atwr: Add SD secure boot target
arch/arm/include/asm/fsl_secure_boot.h | 68 +++++++++++++++++----- arch/powerpc/include/asm/fsl_secure_boot.h | 4 +- board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++- board/freescale/ls1021atwr/ls1021atwr.c | 7 +++ .../ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig | 31 ++++++++++ drivers/crypto/fsl/fsl_rsa.c | 1 + include/config_fsl_chain_trust.h | 18 +++--- include/configs/ls1021atwr.h | 22 +++++++ 8 files changed, 159 insertions(+), 26 deletions(-) create mode 100644 configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
Enable rsa signature verification in SPL framework before relocation for verification of main u-boot.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com --- drivers/crypto/fsl/fsl_rsa.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/crypto/fsl/fsl_rsa.c b/drivers/crypto/fsl/fsl_rsa.c index cf1c4c1..5471504 100644 --- a/drivers/crypto/fsl/fsl_rsa.c +++ b/drivers/crypto/fsl/fsl_rsa.c @@ -53,6 +53,7 @@ U_BOOT_DRIVER(fsl_rsa_mod_exp) = { .name = "fsl_rsa_mod_exp", .id = UCLASS_MOD_EXP, .ops = &fsl_mod_exp_ops, + .flags = DM_FLAG_PRE_RELOC, };
U_BOOT_DEVICE(fsl_rsa) = {
On 14 June 2016 at 11:52, Sumit Garg sumit.garg@nxp.com wrote:
Enable rsa signature verification in SPL framework before relocation for verification of main u-boot.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
drivers/crypto/fsl/fsl_rsa.c | 1 + 1 file changed, 1 insertion(+)
Reviewed-by: Simon Glass sjg@chromium.org
On 06/14/2016 04:36 AM, Sumit Garg wrote:
Enable rsa signature verification in SPL framework before relocation for verification of main u-boot.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
drivers/crypto/fsl/fsl_rsa.c | 1 + 1 file changed, 1 insertion(+)
Applied to fsl-qoriq master. Awaiting upstream. Thanks.
York
Override jump_to_image_no_args function to include validation of u-boot image using spl_validate_uboot before jumping to u-boot image. Also define macros in SPL framework to enable crypto operations.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com --- arch/arm/include/asm/fsl_secure_boot.h | 25 +++++++++++++++++++-- board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 53cd755..3f76c9a 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -17,8 +17,6 @@
#ifdef CONFIG_CHAIN_OF_TRUST #define CONFIG_CMD_ESBC_VALIDATE -#define CONFIG_CMD_BLOB -#define CONFIG_CMD_HASH #define CONFIG_FSL_SEC_MON #define CONFIG_SHA_HW_ACCEL #define CONFIG_SHA_PROG_HW_ACCEL @@ -28,6 +26,28 @@ #define CONFIG_FSL_CAAM #endif
+#ifdef CONFIG_SPL_BUILD +#define CONFIG_SPL_BOARD_INIT +#define CONFIG_SPL_DM 1 +#define CONFIG_SPL_CRYPTO_SUPPORT +#define CONFIG_SPL_HASH_SUPPORT +#define CONFIG_SPL_RSA +#define CONFIG_SPL_DRIVERS_MISC_SUPPORT +/* + * Define the key hash for U-Boot here if public/private key pair used to + * sign U-boot are different from the SRK hash put in the fuse + * Example of defining KEY_HASH is + * #define CONFIG_SPL_UBOOT_KEY_HASH \ + * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" + * else leave it defined as NULL + */ + +#define CONFIG_SPL_UBOOT_KEY_HASH NULL +#endif /* ifdef CONFIG_SPL_BUILD */ + +#ifndef CONFIG_SPL_BUILD +#define CONFIG_CMD_BLOB +#define CONFIG_CMD_HASH #define CONFIG_KEY_REVOCATION #ifndef CONFIG_SYS_RAMBOOT /* The key used for verification of next level images @@ -92,5 +112,6 @@ #endif
#include <config_fsl_chain_trust.h> +#endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index 7bf9827..0f5ec35 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c @@ -10,6 +10,10 @@ #include <fsl_sfp.h> #include <dm/root.h>
+#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK) +#include <spl.h> +#endif + #ifdef CONFIG_ADDR_MAP #include <asm/mmu.h> #endif @@ -113,7 +117,7 @@ void spl_validate_uboot(uint32_t hdr_addr, uintptr_t img_addr) * do not use common SPL framework, so need to call this function here. */ #if defined(CONFIG_SPL_DM) && (!defined(CONFIG_SPL_FRAMEWORK)) - dm_init_and_scan(false); + dm_init_and_scan(true); #endif res = fsl_secboot_validate(hdr_addr, CONFIG_SPL_UBOOT_KEY_HASH, &img_addr); @@ -121,4 +125,32 @@ void spl_validate_uboot(uint32_t hdr_addr, uintptr_t img_addr) if (res == 0) printf("SPL: Validation of U-boot successful\n"); } + +#ifdef CONFIG_SPL_FRAMEWORK +/* Override weak funtion defined in SPL framework to enable validation + * of main u-boot image before jumping to u-boot image. + */ +void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image) +{ + typedef void __noreturn (*image_entry_noargs_t)(void); + uint32_t hdr_addr; + + image_entry_noargs_t image_entry = + (image_entry_noargs_t)(unsigned long)spl_image->entry_point; + + hdr_addr = (spl_image->entry_point + spl_image->size - + CONFIG_U_BOOT_HDR_SIZE); + spl_validate_uboot(hdr_addr, (uintptr_t)spl_image->entry_point); + /* + * In case of failure in validation, spl_validate_uboot would + * not return back in case of Production environment with ITS=1. + * Thus U-Boot will not start. + * In Development environment (ITS=0 and SB_EN=1), the function + * may return back in case of non-fatal failures. + */ + + debug("image entry point: 0x%X\n", spl_image->entry_point); + image_entry(); +} +#endif /* ifdef CONFIG_SPL_FRAMEWORK */ #endif /* ifdef CONFIG_SPL_BUILD */
On 14 June 2016 at 11:52, Sumit Garg sumit.garg@nxp.com wrote:
Override jump_to_image_no_args function to include validation of u-boot image using spl_validate_uboot before jumping to u-boot image. Also define macros in SPL framework to enable crypto operations.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
arch/arm/include/asm/fsl_secure_boot.h | 25 +++++++++++++++++++-- board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 3 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
On 06/14/2016 04:36 AM, Sumit Garg wrote:
Override jump_to_image_no_args function to include validation of u-boot image using spl_validate_uboot before jumping to u-boot image. Also define macros in SPL framework to enable crypto operations.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
arch/arm/include/asm/fsl_secure_boot.h | 25 +++++++++++++++++++-- board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 3 deletions(-)
<snip>
diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index 7bf9827..0f5ec35 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c @@ -10,6 +10,10 @@ #include <fsl_sfp.h> #include <dm/root.h>
+#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK) +#include <spl.h> +#endif
#ifdef CONFIG_ADDR_MAP #include <asm/mmu.h> #endif
Sumit,
Does this patch depend on another patch? It doesn't apply cleanly. I wonder if you have something else in your local branch.
York
-----Original Message----- From: york sun Sent: Wednesday, July 20, 2016 3:08 AM To: Sumit Garg sumit.garg@nxp.com; u-boot@lists.denx.de Cc: Ruchika Gupta ruchika.gupta@nxp.com; Prabhakar Kushwaha prabhakar.kushwaha@nxp.com; trini@konsulko.com; teddy.reed@gmail.com; sjg@chromium.org; dannenberg@ti.com; Aneesh Bansal aneesh.bansal@nxp.com Subject: Re: [PATCH 2/4] SECURE_BOOT: Enable chain of trust in SPL framework
On 06/14/2016 04:36 AM, Sumit Garg wrote:
Override jump_to_image_no_args function to include validation of u-boot image using spl_validate_uboot before jumping to u-boot image. Also define macros in SPL framework to enable crypto operations.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
arch/arm/include/asm/fsl_secure_boot.h | 25 +++++++++++++++++++-- board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 3 deletions(-)
<snip>
diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index 7bf9827..0f5ec35 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c @@ -10,6 +10,10 @@ #include <fsl_sfp.h> #include <dm/root.h>
+#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK) +#include <spl.h> #endif
#ifdef CONFIG_ADDR_MAP #include <asm/mmu.h> #endif
Sumit,
Does this patch depend on another patch? It doesn't apply cleanly. I wonder if you have something else in your local branch.
York
This series of patches is in continuation to [1], [2] and [3]. Please apply [1], [2] and [3] before applying this patch series.
Regards, Sumit
[1] https://patchwork.ozlabs.org/patch/648297/ [2] https://patchwork.ozlabs.org/patch/648298/ [3] https://patchwork.ozlabs.org/patch/648303/
On 06/14/2016 04:36 AM, Sumit Garg wrote:
Override jump_to_image_no_args function to include validation of u-boot image using spl_validate_uboot before jumping to u-boot image. Also define macros in SPL framework to enable crypto operations.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
arch/arm/include/asm/fsl_secure_boot.h | 25 +++++++++++++++++++-- board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 3 deletions(-)
Applied to fsl-qoriq master. Awaiting upstream. Thanks.
York
Add support for reading bootscript and bootscript header from SD. Also renamed macros *_FLASH to *_DEVICE to represent SD alongwith NAND and NOR flash.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com --- arch/arm/include/asm/fsl_secure_boot.h | 43 ++++++++++++++++++++---------- arch/powerpc/include/asm/fsl_secure_boot.h | 4 +-- include/config_fsl_chain_trust.h | 18 ++++++++----- 3 files changed, 42 insertions(+), 23 deletions(-)
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 3f76c9a..b35c271 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -78,37 +78,52 @@ "setenv hwconfig 'fsl_ddr:ctlr_intlv=null,bank_intlv=null';" #else #define CONFIG_EXTRA_ENV \ - "setenv fdt_high 0xcfffffff;" \ - "setenv initrd_high 0xcfffffff;" \ + "setenv fdt_high 0xffffffff;" \ + "setenv initrd_high 0xffffffff;" \ "setenv hwconfig 'fsl_ddr:ctlr_intlv=null,bank_intlv=null';" #endif
/* Copying Bootscript and Header to DDR from NOR for LS2 and for rest, from * Non-XIP Memory (Nand/SD)*/ -#if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_LS2080A) +#if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_LS2080A) || \ + defined(CONFIG_SD_BOOT) #define CONFIG_BOOTSCRIPT_COPY_RAM #endif -/* The address needs to be modified according to NOR and DDR memory map */ +/* The address needs to be modified according to NOR, NAND, SD and + * DDR memory map + */ #ifdef CONFIG_LS2080A -#define CONFIG_BS_HDR_ADDR_FLASH 0x583920000 -#define CONFIG_BS_ADDR_FLASH 0x583900000 +#define CONFIG_BS_HDR_ADDR_DEVICE 0x583920000 +#define CONFIG_BS_ADDR_DEVICE 0x583900000 #define CONFIG_BS_HDR_ADDR_RAM 0xa3920000 #define CONFIG_BS_ADDR_RAM 0xa3900000 +#define CONFIG_BS_HDR_SIZE 0x00002000 +#define CONFIG_BS_SIZE 0x00001000 +#else +#ifdef CONFIG_SD_BOOT +/* For SD boot address and size are assigned in terms of sector + * offset and no. of sectors respectively. + */ +#define CONFIG_BS_HDR_ADDR_DEVICE 0x00000800 +#define CONFIG_BS_ADDR_DEVICE 0x00000840 +#define CONFIG_BS_HDR_SIZE 0x00000010 +#define CONFIG_BS_SIZE 0x00000008 #else -#define CONFIG_BS_HDR_ADDR_FLASH 0x600a0000 -#define CONFIG_BS_ADDR_FLASH 0x60060000 -#define CONFIG_BS_HDR_ADDR_RAM 0xa0060000 -#define CONFIG_BS_ADDR_RAM 0xa0060000 +#define CONFIG_BS_HDR_ADDR_DEVICE 0x600a0000 +#define CONFIG_BS_ADDR_DEVICE 0x60060000 +#define CONFIG_BS_HDR_SIZE 0x00002000 +#define CONFIG_BS_SIZE 0x00001000 +#endif /* #ifdef CONFIG_SD_BOOT */ +#define CONFIG_BS_HDR_ADDR_RAM 0x81000000 +#define CONFIG_BS_ADDR_RAM 0x81020000 #endif
#ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_RAM -#define CONFIG_BS_HDR_SIZE 0x00002000 #define CONFIG_BOOTSCRIPT_ADDR CONFIG_BS_ADDR_RAM -#define CONFIG_BS_SIZE 0x00001000 #else -#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_FLASH -/* BS_HDR_SIZE, BOOTSCRIPT_ADDR and BS_SIZE are not required */ +#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_DEVICE +/* BOOTSCRIPT_ADDR is not required */ #endif
#include <config_fsl_chain_trust.h> diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index 2435cf8..7c39bdd 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -127,10 +127,10 @@ /* If Boot Script is not on NOR and is required to be copied on RAM */ #ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BS_HDR_ADDR_RAM 0x00010000 -#define CONFIG_BS_HDR_ADDR_FLASH 0x00800000 +#define CONFIG_BS_HDR_ADDR_DEVICE 0x00800000 #define CONFIG_BS_HDR_SIZE 0x00002000 #define CONFIG_BS_ADDR_RAM 0x00012000 -#define CONFIG_BS_ADDR_FLASH 0x00802000 +#define CONFIG_BS_ADDR_DEVICE 0x00802000 #define CONFIG_BS_SIZE 0x00001000
#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_RAM diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h index 566fd80..eb45e98 100644 --- a/include/config_fsl_chain_trust.h +++ b/include/config_fsl_chain_trust.h @@ -74,23 +74,27 @@ #ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BS_COPY_ENV \ "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \ - "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" \ + "setenv bs_hdr_device " __stringify(CONFIG_BS_HDR_ADDR_DEVICE)";" \ "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \ "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \ - "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \ + "setenv bs_device " __stringify(CONFIG_BS_ADDR_DEVICE)";" \ "setenv bs_size " __stringify(CONFIG_BS_SIZE)";"
/* For secure boot flow, default environment used will be used */ #if defined(CONFIG_SYS_RAMBOOT) #if defined(CONFIG_RAMBOOT_NAND) #define CONFIG_BS_COPY_CMD \ - "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \ - "nand read $bs_ram $bs_flash $bs_size ;" + "nand read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ + "nand read $bs_ram $bs_device $bs_size ;" #endif /* CONFIG_RAMBOOT_NAND */ -#else +#elif defined(CONFIG_SD_BOOT) +#define CONFIG_BS_COPY_CMD \ + "mmc read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ + "mmc read $bs_ram $bs_device $bs_size ;" +#else /* CONFIG_SD_BOOT */ #define CONFIG_BS_COPY_CMD \ - "cp.b $bs_hdr_flash $bs_hdr_ram $bs_hdr_size ;" \ - "cp.b $bs_flash $bs_ram $bs_size ;" + "cp.b $bs_hdr_device $bs_hdr_ram $bs_hdr_size ;" \ + "cp.b $bs_device $bs_ram $bs_size ;" #endif #endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
On 14 June 2016 at 11:52, Sumit Garg sumit.garg@nxp.com wrote:
Add support for reading bootscript and bootscript header from SD. Also renamed macros *_FLASH to *_DEVICE to represent SD alongwith NAND and NOR flash.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
arch/arm/include/asm/fsl_secure_boot.h | 43 ++++++++++++++++++++---------- arch/powerpc/include/asm/fsl_secure_boot.h | 4 +-- include/config_fsl_chain_trust.h | 18 ++++++++----- 3 files changed, 42 insertions(+), 23 deletions(-)
Reviewed-by: Simon Glass sjg@chromium.org
On 06/14/2016 04:36 AM, Sumit Garg wrote:
Add support for reading bootscript and bootscript header from SD. Also renamed macros *_FLASH to *_DEVICE to represent SD alongwith NAND and NOR flash.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
arch/arm/include/asm/fsl_secure_boot.h | 43 ++++++++++++++++++++---------- arch/powerpc/include/asm/fsl_secure_boot.h | 4 +-- include/config_fsl_chain_trust.h | 18 ++++++++----- 3 files changed, 42 insertions(+), 23 deletions(-)
Applied to fsl-qoriq master. Awaiting upstream. Thanks.
York
Add SD secure boot target for ls1021atwr. Implement board specific spl_board_init() to setup CAAM stream ID and corresponding stream ID in SMMU. Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com --- board/freescale/ls1021atwr/ls1021atwr.c | 7 +++++ .../ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig | 31 ++++++++++++++++++++++ include/configs/ls1021atwr.h | 22 +++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
diff --git a/board/freescale/ls1021atwr/ls1021atwr.c b/board/freescale/ls1021atwr/ls1021atwr.c index c69c9cb..77482a9 100644 --- a/board/freescale/ls1021atwr/ls1021atwr.c +++ b/board/freescale/ls1021atwr/ls1021atwr.c @@ -503,6 +503,13 @@ int board_init(void) return 0; }
+#if defined(CONFIG_SPL_BUILD) +void spl_board_init(void) +{ + ls102xa_smmu_stream_id_init(); +} +#endif + #ifdef CONFIG_BOARD_LATE_INIT int board_late_init(void) { diff --git a/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig new file mode 100644 index 0000000..c735d6d --- /dev/null +++ b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig @@ -0,0 +1,31 @@ +CONFIG_ARM=y +CONFIG_TARGET_LS1021ATWR=y +CONFIG_SPL=y +CONFIG_OF_BOARD_SETUP=y +CONFIG_OF_STDOUT_VIA_ALIAS=y +CONFIG_SYS_EXTRA_OPTIONS="RAMBOOT_PBL,SPL_FSL_PBL,SD_BOOT,SECURE_BOOT" +CONFIG_BOOTDELAY=0 +CONFIG_HUSH_PARSER=y +CONFIG_CMD_BOOTZ=y +CONFIG_CMD_GREPENV=y +CONFIG_CMD_MEMTEST=y +CONFIG_CMD_MEMINFO=y +CONFIG_CMD_MMC=y +CONFIG_CMD_I2C=y +CONFIG_CMD_USB=y +CONFIG_CMD_DHCP=y +CONFIG_CMD_MII=y +CONFIG_CMD_PING=y +CONFIG_CMD_EXT2=y +CONFIG_CMD_FAT=y +CONFIG_NETDEVICES=y +CONFIG_E1000=y +CONFIG_SYS_NS16550=y +CONFIG_USB=y +CONFIG_USB_XHCI_HCD=y +CONFIG_USB_XHCI_DWC3=y +CONFIG_OF_LIBFDT=y +CONFIG_FIT=y +CONFIG_FIT_VERBOSE=y +CONFIG_RSA=y +CONFIG_DM=y diff --git a/include/configs/ls1021atwr.h b/include/configs/ls1021atwr.h index 0fb28ef..7f14851 100644 --- a/include/configs/ls1021atwr.h +++ b/include/configs/ls1021atwr.h @@ -123,7 +123,18 @@ #define CONFIG_SPL_SERIAL_SUPPORT #define CONFIG_SPL_MMC_SUPPORT #define CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR 0xe8 + +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_U_BOOT_HDR_SIZE (16 << 10) +/* + * HDR would be appended at end of image and copied to DDR along + * with U-Boot image. + */ +#define CONFIG_SYS_U_BOOT_MAX_SIZE_SECTORS (0x400 + \ + (CONFIG_U_BOOT_HDR_SIZE / 512) +#else #define CONFIG_SYS_U_BOOT_MAX_SIZE_SECTORS 0x400 +#endif /* ifdef CONFIG_SECURE_BOOT */
#define CONFIG_SPL_TEXT_BASE 0x10000000 #define CONFIG_SPL_MAX_SIZE 0x1a000 @@ -136,7 +147,18 @@ #define CONFIG_SYS_SPL_MALLOC_SIZE 0x100000 #define CONFIG_SPL_BSS_START_ADDR 0x80100000 #define CONFIG_SPL_BSS_MAX_SIZE 0x80000 + +#ifdef CONFIG_U_BOOT_HDR_SIZE +/* + * HDR would be appended at end of image and copied to DDR along + * with U-Boot image. Here u-boot max. size is 512K. So if binary + * size increases then increase this size in case of secure boot as + * it uses raw u-boot image instead of fit image. + */ +#define CONFIG_SYS_MONITOR_LEN (0x80000 + CONFIG_U_BOOT_HDR_SIZE) +#else #define CONFIG_SYS_MONITOR_LEN 0x80000 +#endif /* ifdef CONFIG_U_BOOT_HDR_SIZE */ #endif
#ifdef CONFIG_QSPI_BOOT
On 14 June 2016 at 11:52, Sumit Garg sumit.garg@nxp.com wrote:
Add SD secure boot target for ls1021atwr. Implement board specific spl_board_init() to setup CAAM stream ID and corresponding stream ID in SMMU. Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
board/freescale/ls1021atwr/ls1021atwr.c | 7 +++++ .../ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig | 31 ++++++++++++++++++++++ include/configs/ls1021atwr.h | 22 +++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
Reviewed-by: Simon Glass sjg@chromium.org
On 06/14/2016 04:37 AM, Sumit Garg wrote:
Add SD secure boot target for ls1021atwr. Implement board specific spl_board_init() to setup CAAM stream ID and corresponding stream ID in SMMU. Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size as header is appended to u-boot image. So header will also be copied from SD to DDR.
Reviewed-by: Aneesh Bansal aneesh.bansal@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com
board/freescale/ls1021atwr/ls1021atwr.c | 7 +++++ .../ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig | 31 ++++++++++++++++++++++ include/configs/ls1021atwr.h | 22 +++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
Applied to fsl-qoriq master. Awaiting upstream. Thanks.
York
participants (3)
-
Simon Glass -
Sumit Garg -
york sun