On 10/26/2016 03:47 AM, Sumit Garg wrote:

Define bootscript and its header addresses for QSPI target. Also define PPA header address to enable PPA validation.

Signed-off-by: Vinitha Pillai vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com

---

Changes in v2: Split patches logically from 2 to 3.

arch/arm/include/asm/arch-fsl-layerscape/config.h | 2 +- arch/arm/include/asm/fsl_secure_boot.h | 37 ++++++++++++++++------- 2 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/arch/arm/include/asm/arch-fsl-layerscape/config.h b/arch/arm/include/asm/arch-fsl-layerscape/config.h index 4201e0f..11a62e8 100644 --- a/arch/arm/include/asm/arch-fsl-layerscape/config.h +++ b/arch/arm/include/asm/arch-fsl-layerscape/config.h @@ -196,7 +196,7 @@

#define CONFIG_SYS_FSL_IFC_BE #define CONFIG_SYS_FSL_SFP_VER_3_2 -#define CONFIG_SYS_FSL_SNVS_LE +#define CONFIG_SYS_FSL_SEC_MON_BE #define CONFIG_SYS_FSL_SFP_BE #define CONFIG_SYS_FSL_SRK_LE #define CONFIG_KEY_REVOCATION diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 4525287..933e09c 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -45,7 +45,8 @@ #define CONFIG_CMD_HASH #define CONFIG_KEY_REVOCATION #ifndef CONFIG_SYS_RAMBOOT -/* The key used for verification of next level images +/*

• • The key used for verification of next level images
  • is picked up from an Extension Table which has
  • been verified by the ISBC (Internal Secure boot Code)
  • in boot ROM of the SoC.

@@ -59,9 +60,10 @@

#endif

-#if defined(CONFIG_LS1043A) || defined(CONFIG_LS2080A) -/* For LS1043 (ARMv8), ESBC image Address in Header is 64 bit

• • Similiarly for LS2080

+#if defined(CONFIG_FSL_LAYERSCAPE) +/*

• • For fsl layerscape based platforms, ESBC image Address in Header
• • is 64 bit.
  */

#define CONFIG_ESBC_ADDR_64BIT #endif @@ -78,13 +80,16 @@ "setenv hwconfig 'fsl_ddr:ctlr_intlv=null,bank_intlv=null';" #endif

-/* Copying Bootscript and Header to DDR from NOR for LS2 and for rest, from

• • Non-XIP Memory (Nand/SD)*/

+/*

• • Copying Bootscript and Header to DDR from NOR for LS2 and for rest, from
• • Non-XIP Memory (Nand/SD)
• */

#if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_LS2080A) || \ defined(CONFIG_SD_BOOT) #define CONFIG_BOOTSCRIPT_COPY_RAM #endif -/* The address needs to be modified according to NOR, NAND, SD and +/*

• • The address needs to be modified according to NOR, NAND, SD and
  • DDR memory map
  */

#ifdef CONFIG_LS2080A @@ -96,19 +101,26 @@ #define CONFIG_BS_SIZE 0x00001000 #else #ifdef CONFIG_SD_BOOT -/* For SD boot address and size are assigned in terms of sector +/*

• • For SD boot address and size are assigned in terms of sector
  • offset and no. of sectors respectively.
  */

#define CONFIG_BS_HDR_ADDR_DEVICE 0x00000800 #define CONFIG_BS_ADDR_DEVICE 0x00000840 #define CONFIG_BS_HDR_SIZE 0x00000010 #define CONFIG_BS_SIZE 0x00000008 -#else +/* ifdef CONFIG_SD_BOOT */

This comment confuses me. The code below is for QSPI_BOOT obviously.

+#elif defined(CONFIG_QSPI_BOOT) +#define CONFIG_BS_HDR_ADDR_DEVICE 0x40780000 +#define CONFIG_BS_ADDR_DEVICE 0x40800000 +#define CONFIG_BS_HDR_SIZE 0x00002000 +#define CONFIG_BS_SIZE 0x00001000 +#else /* elif defined(CONFIG_QSPI_BOOT) */

The code below is not for QSPI_BOOT. Confusing comment.

#define CONFIG_BS_HDR_ADDR_DEVICE 0x600a0000 #define CONFIG_BS_ADDR_DEVICE 0x60060000 #define CONFIG_BS_HDR_SIZE 0x00002000 #define CONFIG_BS_SIZE 0x00001000 -#endif /* #ifdef CONFIG_SD_BOOT */ +#endif /* Default NOR Boot */

I guess the above is for normal NOR boot. The comment should be moved above the block.

#define CONFIG_BS_HDR_ADDR_RAM 0x81000000 #define CONFIG_BS_ADDR_RAM 0x81020000 #endif @@ -125,12 +137,15 @@ #ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP #ifdef CONFIG_LS1043A #define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x600c0000 +#elif defined(CONFIG_LS1046A) +#define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x40740000 #endif #else #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined" #endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */

-/* Define the key hash here if SRK used for signing PPA image is +/*

• • Define the key hash here if SRK used for signing PPA image is
  • different from SRK hash put in SFP used for U-Boot.
  • Example
  • #define CONFIG_PPA_KEY_HASH \

It would be better to separate the cosmetic change from the code change.

York

-----Original Message----- From: york sun Sent: Monday, November 14, 2016 11:23 PM To: Sumit Garg sumit.garg@nxp.com; u-boot@lists.denx.de Cc: Ruchika Gupta ruchika.gupta@nxp.com; Prabhakar Kushwaha prabhakar.kushwaha@nxp.com; Vini Pillai vinitha.pillai@nxp.com Subject: Re: [PATCH v2 2/3] LS1046AQDS: Add NOR Secure Boot Target

On 10/26/2016 03:47 AM, Sumit Garg wrote:

...

Add NOR secure boot target. Also enable sec init.

Signed-off-by: Vinitha Pillai vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com

---

Changes in v2: Split patches logically from 2 to 3.

board/freescale/ls1046aqds/MAINTAINERS | 4 ++++ board/freescale/ls1046aqds/ls1046aqds.c | 18 ++++++++++++++++++ configs/ls1046aqds_SECURE_BOOT_defconfig | 29 +++++++++++++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 configs/ls1046aqds_SECURE_BOOT_defconfig

diff --git a/board/freescale/ls1046aqds/MAINTAINERS b/board/freescale/ls1046aqds/MAINTAINERS index b4549ae..6737d55 100644 --- a/board/freescale/ls1046aqds/MAINTAINERS +++ b/board/freescale/ls1046aqds/MAINTAINERS @@ -8,3 +8,7 @@ F: configs/ls1046aqds_nand_defconfig F: configs/ls1046aqds_sdcard_ifc_defconfig F: configs/ls1046aqds_sdcard_qspi_defconfig F: configs/ls1046aqds_qspi_defconfig

+M: Sumit Garg sumit.garg@nxp.com +S: Maintained +F: configs/ls1046aqds_SECURE_BOOT_defconfig diff --git a/board/freescale/ls1046aqds/ls1046aqds.c b/board/freescale/ls1046aqds/ls1046aqds.c index 8c18538..a418590 100644 --- a/board/freescale/ls1046aqds/ls1046aqds.c +++ b/board/freescale/ls1046aqds/ls1046aqds.c @@ -20,6 +20,7 @@ #include <fsl_csu.h> #include <fsl_esdhc.h> #include <fsl_ifc.h> +#include <fsl_sec.h> #include <spl.h>

#include "../common/vid.h" @@ -242,6 +243,23 @@ int board_init(void) if (adjust_vdd(0)) printf("Warning: Adjusting core voltage failed.\n");

+#ifdef CONFIG_SECURE_BOOT

• /* In case of Secure Boot, the IBR configures the SMMU

• * to allow only Secure transactions.
  

• * SMMU must be reset in bypass mode.
  

• * Set the ClientPD bit and Clear the USFCFG Bit
  

• */
  

Multiple-line comment in wrong format. You just fixed some in your first patch.

York

Sure I will fix this multi-line comment in next patch-set.

-Sumit

Hi all Please Ignore this mail Regards, Vinitha

-----Original Message----- From: Vinitha Pillai-B57223 [mailto:B57223@freescale.com] Sent: Tuesday, January 03, 2017 11:01 PM To: Udit Agarwal udit.agarwal@nxp.com; u-boot@lists.denx.de Cc: Sumit Garg sumit.garg@nxp.com; Ruchika Gupta ruchika.gupta@nxp.com; Vini Pillai vinitha.pillai@nxp.com Subject: [U-Boot,v2,3/3] LS1046ARDB: Add QSPI Secure Boot target

From: Sumit Garg sumit.garg@nxp.com

Add QSPI Secure Boot target. Also enable sec init.

Signed-off-by: Vinitha Pillai vinitha.pillai@nxp.com Signed-off-by: Sumit Garg sumit.garg@nxp.com ---

Changes in v2: Split patches logically from 2 to 3.

board/freescale/ls1046ardb/MAINTAINERS | 4 ++++ board/freescale/ls1046ardb/ls1046ardb.c | 19 +++++++++++++++++++ configs/ls1046ardb_qspi_SECURE_BOOT_defconfig | 27 +++++++++++++++++++++++++++ include/configs/ls1046ardb.h | 2 ++ 4 files changed, 52 insertions(+) create mode 100644 configs/ls1046ardb_qspi_SECURE_BOOT_defconfig

diff --git a/board/freescale/ls1046ardb/MAINTAINERS b/board/freescale/ls1046ardb/MAINTAINERS index ff42bef..758ff9d 100644 --- a/board/freescale/ls1046ardb/MAINTAINERS +++ b/board/freescale/ls1046ardb/MAINTAINERS @@ -7,3 +7,7 @@ F: include/configs/ls1046ardb.h F: configs/ls1046ardb_qspi_defconfig F: configs/ls1046ardb_sdcard_defconfig F: configs/ls1046ardb_emmc_defconfig + +M: Sumit Garg sumit.garg@nxp.com +S: Maintained +F: configs/ls1046ardb_qspi_SECURE_BOOT_defconfig diff --git a/board/freescale/ls1046ardb/ls1046ardb.c b/board/freescale/ls1046ardb/ls1046ardb.c index 585c807..6fadea1 100644 --- a/board/freescale/ls1046ardb/ls1046ardb.c +++ b/board/freescale/ls1046ardb/ls1046ardb.c @@ -20,6 +20,7 @@ #include <fsl_csu.h> #include <fsl_esdhc.h> #include "cpld.h" +#include <fsl_sec.h>

DECLARE_GLOBAL_DATA_PTR;

@@ -77,6 +78,24 @@ int board_init(void) enable_layerscape_ns_access(); #endif

+#ifdef CONFIG_SECURE_BOOT + /* + * In case of Secure Boot, the IBR configures the SMMU + * to allow only Secure transactions. + * SMMU must be reset in bypass mode. + * Set the ClientPD bit and Clear the USFCFG Bit + */ + u32 val; + val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_SCR0, val); + val = (in_le32(SMMU_NSCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_NSCR0, val); +#endif + +#ifdef CONFIG_FSL_CAAM + sec_init(); +#endif + #ifdef CONFIG_FSL_LS_PPA ppa_init(); #endif diff --git a/configs/ls1046ardb_qspi_SECURE_BOOT_defconfig b/configs/ls1046ardb_qspi_SECURE_BOOT_defconfig new file mode 100644 index 0000000..c79c875 --- /dev/null +++ b/configs/ls1046ardb_qspi_SECURE_BOOT_defconfig @@ -0,0 +1,27 @@ +CONFIG_ARM=y +CONFIG_TARGET_LS1046ARDB=y +CONFIG_DM_SPI=y +CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1046a-rdb" +CONFIG_FIT=y +CONFIG_FIT_VERBOSE=y +CONFIG_OF_BOARD_SETUP=y +CONFIG_SYS_EXTRA_OPTIONS="SYS_FSL_DDR4,SECURE_BOOT" +CONFIG_QSPI_BOOT=y +CONFIG_BOOTDELAY=10 +CONFIG_HUSH_PARSER=y +# CONFIG_CMD_IMLS is not set +CONFIG_CMD_MMC=y +CONFIG_CMD_SF=y +CONFIG_CMD_I2C=y +CONFIG_CMD_DHCP=y +CONFIG_CMD_MII=y +CONFIG_CMD_PING=y +CONFIG_CMD_CACHE=y +CONFIG_CMD_EXT2=y +CONFIG_CMD_FAT=y +CONFIG_OF_CONTROL=y +CONFIG_DM=y +CONFIG_SPI_FLASH=y +CONFIG_SYS_NS16550=y +CONFIG_FSL_QSPI=y +CONFIG_RSA=y diff --git a/include/configs/ls1046ardb.h b/include/configs/ls1046ardb.h index 2fe8fc1..afa580e 100644 --- a/include/configs/ls1046ardb.h +++ b/include/configs/ls1046ardb.h @@ -234,4 +234,6 @@ "7e800000.flash:16m(nand_uboot)," \ "48m(nand_kernel),448m(nand_free)"

+#include <asm/fsl_secure_boot.h> + #endif /* __LS1046ARDB_H__ */