[U-Boot] [PATCH 5/7] enable chain of trust for ARM platforms

Aneesh Bansal aneesh.bansal at freescale.com
Wed Dec 23 15:55:11 CET 2015


Chain of Trust is enabled for ARM platforms (LS1021 and LS1043).
Compile time Secure Boot targets are removed.
In board_late_init(), fsl_setenv_chain_of_trust() is called which
will perform the following:
- If boot mode is non-secure, return (No Change)
- If boot mode is secure, set the following environmet variables:
   bootdelay = 0 (To disable Boot Prompt)
   bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)

Signed-off-by: Aneesh Bansal <aneesh.bansal at freescale.com>
---
 arch/arm/cpu/armv8/fsl-layerscape/soc.c      |  4 ++++
 board/freescale/common/Makefile              |  1 +
 board/freescale/common/fsl_chain_of_trust.c  | 17 +++++++++++++++++
 board/freescale/ls1021aqds/ls1021aqds.c      |  4 ++++
 board/freescale/ls1021atwr/ls1021atwr.c      |  4 ++++
 configs/ls1021aqds_nor_SECURE_BOOT_defconfig |  7 -------
 configs/ls1021atwr_nor_SECURE_BOOT_defconfig |  7 -------
 configs/ls1043ardb_SECURE_BOOT_defconfig     |  9 ---------
 include/fsl_validate.h                       |  2 ++
 9 files changed, 32 insertions(+), 23 deletions(-)
 delete mode 100644 configs/ls1021aqds_nor_SECURE_BOOT_defconfig
 delete mode 100644 configs/ls1021atwr_nor_SECURE_BOOT_defconfig
 delete mode 100644 configs/ls1043ardb_SECURE_BOOT_defconfig

diff --git a/arch/arm/cpu/armv8/fsl-layerscape/soc.c b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
index 23d6b73..2f92b55 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
@@ -12,6 +12,7 @@
 #include <asm/io.h>
 #include <asm/global_data.h>
 #include <asm/arch-fsl-layerscape/config.h>
+#include <fsl_validate.h>
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -241,6 +242,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 	sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+	fsl_setenv_chain_of_trust();
+#endif
 
 	return 0;
 }
diff --git a/board/freescale/common/Makefile b/board/freescale/common/Makefile
index 9af8782..eef518e 100644
--- a/board/freescale/common/Makefile
+++ b/board/freescale/common/Makefile
@@ -74,5 +74,6 @@ obj-$(CONFIG_P5040DS)	+= p_corenet/
 obj-$(CONFIG_LAYERSCAPE_NS_ACCESS)	+= ns_access.o
 
 obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
+obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
 
 endif
diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c
index ff67bd7..ecfcc82 100644
--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@@ -51,3 +51,20 @@ int fsl_check_boot_mode_secure(void)
 #endif
 	return 0;
 }
+
+int fsl_setenv_chain_of_trust(void)
+{
+	/* Check Boot Mode
+	 * If Boot Mode is Non-Secure, no changes are required
+	 */
+	if (fsl_check_boot_mode_secure() == 0)
+		return 0;
+
+	/* If Boot mode is Secure, set the environment variables
+	 * bootdelay = 0 (To disable Boot Prompt)
+	 * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+	 */
+	setenv("bootdelay", "0");
+	setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+	return 0;
+}
diff --git a/board/freescale/ls1021aqds/ls1021aqds.c b/board/freescale/ls1021aqds/ls1021aqds.c
index be3358a..5f4ec9d 100644
--- a/board/freescale/ls1021aqds/ls1021aqds.c
+++ b/board/freescale/ls1021aqds/ls1021aqds.c
@@ -22,6 +22,7 @@
 #include <fsl_sec.h>
 #include <spl.h>
 #include <fsl_devdis.h>
+#include <fsl_validate.h>
 
 #include "../common/sleep.h"
 #include "../common/qixis.h"
@@ -369,6 +370,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 	ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+	fsl_setenv_chain_of_trust();
+#endif
 
 	return 0;
 }
diff --git a/board/freescale/ls1021atwr/ls1021atwr.c b/board/freescale/ls1021atwr/ls1021atwr.c
index 8eaff5f..b85774c 100644
--- a/board/freescale/ls1021atwr/ls1021atwr.c
+++ b/board/freescale/ls1021atwr/ls1021atwr.c
@@ -30,6 +30,7 @@
 #ifdef CONFIG_U_QE
 #include "../../../drivers/qe/qe.h"
 #endif
+#include <fsl_validate.h>
 
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -549,6 +550,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 	ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+	fsl_setenv_chain_of_trust();
+#endif
 
 	return 0;
 }
diff --git a/configs/ls1021aqds_nor_SECURE_BOOT_defconfig b/configs/ls1021aqds_nor_SECURE_BOOT_defconfig
deleted file mode 100644
index 025a8f2..0000000
--- a/configs/ls1021aqds_nor_SECURE_BOOT_defconfig
+++ /dev/null
@@ -1,7 +0,0 @@
-CONFIG_ARM=y
-CONFIG_TARGET_LS1021AQDS=y
-CONFIG_SYS_EXTRA_OPTIONS="SECURE_BOOT"
-# CONFIG_CMD_SETEXPR is not set
-CONFIG_NETDEVICES=y
-CONFIG_E1000=y
-CONFIG_SYS_NS16550=y
diff --git a/configs/ls1021atwr_nor_SECURE_BOOT_defconfig b/configs/ls1021atwr_nor_SECURE_BOOT_defconfig
deleted file mode 100644
index bf19c33..0000000
--- a/configs/ls1021atwr_nor_SECURE_BOOT_defconfig
+++ /dev/null
@@ -1,7 +0,0 @@
-CONFIG_ARM=y
-CONFIG_TARGET_LS1021ATWR=y
-CONFIG_SYS_EXTRA_OPTIONS="SECURE_BOOT"
-# CONFIG_CMD_SETEXPR is not set
-CONFIG_NETDEVICES=y
-CONFIG_E1000=y
-CONFIG_SYS_NS16550=y
diff --git a/configs/ls1043ardb_SECURE_BOOT_defconfig b/configs/ls1043ardb_SECURE_BOOT_defconfig
deleted file mode 100644
index d9d6c97..0000000
--- a/configs/ls1043ardb_SECURE_BOOT_defconfig
+++ /dev/null
@@ -1,9 +0,0 @@
-CONFIG_ARM=y
-CONFIG_TARGET_LS1043ARDB=y
-CONFIG_SYS_EXTRA_OPTIONS="SYS_FSL_DDR4, SECURE_BOOT"
-CONFIG_SYS_NS16550=y
-CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1043a-rdb"
-CONFIG_OF_CONTROL=y
-CONFIG_DM=y
-CONFIG_SPI_FLASH=y
-CONFIG_DM_SPI=y
\ No newline at end of file
diff --git a/include/fsl_validate.h b/include/fsl_validate.h
index ad14867..83efcf4 100644
--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -205,4 +205,6 @@ int fsl_secboot_blob_encap(cmd_tbl_t *cmdtp, int flag, int argc,
 int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int argc,
 	char * const argv[]);
 
+int fsl_check_boot_mode_secure(void);
+int fsl_setenv_chain_of_trust(void);
 #endif
-- 
1.8.1.4



More information about the U-Boot mailing list