[U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems
Albert ARIBAUD
albert.u.boot at aribaud.net
Mon Nov 24 16:34:47 CET 2014
Hello Hans,
On Thu, 13 Nov 2014 20:37:42 +0100, Hans de Goede <hdegoede at redhat.com> wrote:
> Older Linux kernels will not properly boot in hyp mode, add support for a
> bootm_boot_mode environment variable, which can be set to "sec" or "nonsec"
> to force booting in secure or non-secure mode when build with non-sec support.
>
> The default behavior can be selected through CONFIG_ARMV7_BOOT_SEC_DEFAULT,
> when this is set booting in secure mode is the default. The default setting
> for this Kconfig option is N, preserving the current behavior of booting in
> non-secure mode by default when non-secure mode is supported.
>
> Signed-off-by: Hans de Goede <hdegoede at redhat.com>
> Acked-by: Marc Zyngier <marc.zyngier at arm.com>
> Acked-by: Siarhei Siamashka <siarhei.siamashka at gmail.com>
> --
> Changes in v2:
> -Allow changing the default boot mode to secure through defining
> CONFIG_ARMV7_BOOT_SEC_DEFAULT, this is useful for archs which have a Kconfig
> option for compatibility with older kernels
> Changes in v3:
> -Add an else at the end of the #ifdef NONSEC block so that if do_nonsec_entry
> fails we do not end up re-trying in secure mode
> Changes in v4:
> -Add a Kconfig option to select to boot in secure or non-secure mode by default
> ---
> arch/arm/cpu/armv7/Kconfig | 11 +++++++++++
> arch/arm/lib/bootm.c | 31 ++++++++++++++++++++++++++-----
> 2 files changed, 37 insertions(+), 5 deletions(-)
>
> diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
> index 15c5155..6ee5ff8 100644
> --- a/arch/arm/cpu/armv7/Kconfig
> +++ b/arch/arm/cpu/armv7/Kconfig
> @@ -13,6 +13,17 @@ config ARMV7_NONSEC
> ---help---
> Say Y here to enable support for booting in non-secure / SVC mode.
>
> +config ARMV7_BOOT_SEC_DEFAULT
> + boolean "Boot in secure mode by default" if EXPERT
> + depends on ARMV7_NONSEC
> + default n
> + ---help---
> + Say Y here to boot in secure mode by default even if non-secure mode
> + is supported. This option is useful to boot kernels which do not
> + suppport booting in secure mode. Only set this if you need it.
> + This can be overriden at run-time by setting the bootm_boot_mode env.
> + variable to "sec" or "nonsec".
> +
> config ARMV7_VIRT
> boolean "Enable support for hardware virtualization" if EXPERT
> depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
> diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
> index 4949d57..a7f7c67 100644
> --- a/arch/arm/lib/bootm.c
> +++ b/arch/arm/lib/bootm.c
> @@ -237,6 +237,26 @@ static void boot_prep_linux(bootm_headers_t *images)
> }
> }
>
> +#if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
> +static bool boot_nonsec(void)
> +{
> + char *s = getenv("bootm_boot_mode");
> +#ifdef CONFIG_ARMV7_BOOT_SEC_DEFAULT
> + bool nonsec = false;
> +#else
> + bool nonsec = true;
> +#endif
> +
> + if (s && !strcmp(s, "sec"))
> + nonsec = false;
> +
> + if (s && !strcmp(s, "nonsec"))
> + nonsec = true;
> +
> + return nonsec;
> +}
> +#endif
> +
> /* Subcommand: GO */
> static void boot_jump_linux(bootm_headers_t *images, int flag)
> {
> @@ -285,12 +305,13 @@ static void boot_jump_linux(bootm_headers_t *images, int flag)
>
> if (!fake) {
> #if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
> - armv7_init_nonsec();
> - secure_ram_addr(_do_nonsec_entry)(kernel_entry,
> - 0, machid, r2);
> -#else
> - kernel_entry(0, machid, r2);
> + if (boot_nonsec()) {
> + armv7_init_nonsec();
> + secure_ram_addr(_do_nonsec_entry)(kernel_entry,
> + 0, machid, r2);
> + } else
> #endif
> + kernel_entry(0, machid, r2);
> }
> #endif
> }
> --
> 2.1.0
>
Applied to u-boot-arm/master, thanks!
Amicalement,
--
Albert.
More information about the U-Boot
mailing list