[U-Boot] [PATCH 3/4] armv8/ls1043ardb: SECURE BOOT target added for NOR

Aneesh Bansal aneesh.bansal at freescale.com
Wed Nov 18 17:57:12 CET 2015


LS1043ARDB Secure Boot Target from NOR has been added.
- Configs defined to enable esbc_validate.
- ESBC Address in header is made 64 bit.
- SMMU is re-configured in Bypass mode.

Signed-off-by: Aneesh Bansal <aneesh.bansal at freescale.com>
---
 arch/arm/include/asm/arch-fsl-layerscape/config.h  | 16 ++++++++--
 .../include/asm/arch-fsl-layerscape/immap_lsch2.h  |  2 +-
 board/freescale/common/fsl_validate.c              | 35 +++++++++++++---------
 board/freescale/ls1043ardb/MAINTAINERS             |  5 ++++
 board/freescale/ls1043ardb/ls1043ardb.c            | 18 ++++++++++-
 common/cmd_blob.c                                  |  6 ++--
 configs/ls1043ardb_SECURE_BOOT_defconfig           |  4 +++
 include/configs/ls1043ardb.h                       | 12 ++++++++
 include/fsl_validate.h                             |  9 +++++-
 9 files changed, 85 insertions(+), 22 deletions(-)
 create mode 100644 configs/ls1043ardb_SECURE_BOOT_defconfig

diff --git a/arch/arm/include/asm/arch-fsl-layerscape/config.h b/arch/arm/include/asm/arch-fsl-layerscape/config.h
index 87bb937..d6729a0 100644
--- a/arch/arm/include/asm/arch-fsl-layerscape/config.h
+++ b/arch/arm/include/asm/arch-fsl-layerscape/config.h
@@ -122,9 +122,21 @@
 #define CONFIG_SYS_FSL_SRDS_1
 #define CONFIG_SYS_FSL_PCIE_COMPAT		"fsl,qoriq-pcie-v2.4"
 
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CMD_ESBC_VALIDATE
+#define CONFIG_FSL_SEC_MON
+#define CONFIG_SHA_PROG_HW_ACCEL
+#define CONFIG_DM
+#define CONFIG_RSA
+#define CONFIG_RSA_FREESCALE_EXP
+#ifndef CONFIG_FSL_CAAM
+#define CONFIG_FSL_CAAM
+#endif
+#endif
+
 #define CONFIG_SYS_FSL_SFP_VER_3_2
-#define CONFIG_SYS_FSL_SNVS_LE
-#define CONFIG_SYS_FSL_SEC_LE
+#define CONFIG_SYS_FSL_SEC_MON_BE
+#define CONFIG_SYS_FSL_SEC_BE
 #define CONFIG_SYS_FSL_SFP_BE
 #define CONFIG_SYS_FSL_SRK_LE
 #define CONFIG_KEY_REVOCATION
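Review bot: The switch from `CONFIG_SYS_FSL_SNVS_LE`/`CONFIG_SYS_FSL_SEC_LE` to `CONFIG_SYS_FSL_SEC_MON_BE`/`CONFIG_SYS_FSL_SEC_BE` sits outside the new `#ifdef CONFIG_SECURE_BOOT` block, so it changes register byte order for every build that reaches these lines, not only the secure-boot target. The commit description does not mention this. If the earlier little-endian setting was simply wrong for this SoC, say so in the description or in a one-line comment such as `/* SEC and SecMon register blocks are big-endian on this SoC */`. If it was right, existing non-secure builds would presumably start reading CAAM and security-monitor registers byte-swapped. Any enclosing per-SoC conditional is outside the hunk.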
diff --git a/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h b/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h
index d941437..2a3a7da 100644
--- a/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h
+++ b/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h
@@ -38,7 +38,7 @@
 #define CONFIG_SYS_PCIE3_ADDR			(CONFIG_SYS_IMMR + 0x2600000)
 #define CONFIG_SYS_FSL_SEC_ADDR			(CONFIG_SYS_IMMR + 0x700000)
 #define CONFIG_SYS_FSL_JR0_ADDR			(CONFIG_SYS_IMMR + 0x710000)
-#define CONFIG_SYS_SNVS_ADDR			(CONFIG_SYS_IMMR + 0xe90000)
+#define CONFIG_SYS_SEC_MON_ADDR			(CONFIG_SYS_IMMR + 0xe90000)
 #define CONFIG_SYS_SFP_ADDR			(CONFIG_SYS_IMMR + 0xe80200)
 
 #define CONFIG_SYS_FSL_TIMER_ADDR		0x02b00000
diff --git a/board/freescale/common/fsl_validate.c b/board/freescale/common/fsl_validate.c
index 73b6718..1fb5eaa 100644
--- a/board/freescale/common/fsl_validate.c
+++ b/board/freescale/common/fsl_validate.c
@@ -15,9 +15,6 @@
 #include <u-boot/rsa-mod-exp.h>
 #include <hash.h>
 #include <fsl_secboot_err.h>
-#ifndef CONFIG_MPC85xx
-#include <asm/arch/immap_ls102xa.h>
-#endif
 
 #define SHA256_BITS	256
 #define SHA256_BYTES	(256/8)
@@ -99,7 +96,8 @@ int get_csf_base_addr(u32 *csf_addr, u32 *flash_base_addr)
 	struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
 	u32 csf_hdr_addr = in_be32(&gur->scratchrw[0]);
 
-	if (memcmp((u8 *)csf_hdr_addr, barker_code, ESBC_BARKER_LEN))
+	if (memcmp((u8 *)(dma_addr_t)csf_hdr_addr,
+		   barker_code, ESBC_BARKER_LEN))
 		return -1;
 
 	*csf_addr = csf_hdr_addr;
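Review bot: `dma_addr_t` is used here as a generic integer-to-pointer bridge, but it names a device bus address; for a CPU pointer the conventional intermediate is `uintptr_t`, e.g. `memcmp((u8 *)(uintptr_t)csf_hdr_addr, barker_code, ESBC_BARKER_LEN)`. The same cast recurs in the get_ie_info_addr, calc_img_key_hash, calc_esbchdr_esbc_hash, read_validate_esbc_client_header and fsl_secboot_validate hunks, and in common/cmd_blob.c. The cast also only silences the size-mismatch warning: `csf_hdr_addr` and `*csf_addr` remain `u32`, so the CSF header location is still limited to the low 4 GiB on the 64-bit target. A short comment stating that assumption next to the scratch-register read would make it auditable.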
@@ -117,7 +115,7 @@ static int get_ie_info_addr(u32 *ie_addr)
 	if (get_csf_base_addr(&csf_addr, &flash_base_addr))
 		return -1;
 
-	hdr = (struct fsl_secboot_img_hdr *)csf_addr;
+	hdr = (struct fsl_secboot_img_hdr *)(dma_addr_t)csf_addr;
 
 	/* For SoC's with Trust Architecture v1 with corenet bus
 	 * the sg table field in CSF header has absolute address
@@ -130,7 +128,7 @@ static int get_ie_info_addr(u32 *ie_addr)
 		 (((u32)hdr->psgtable & ~(CONFIG_SYS_PBI_FLASH_BASE)) +
 		  flash_base_addr);
 #else
-	sg_tbl = (struct fsl_secboot_sg_table *)(csf_addr +
+	sg_tbl = (struct fsl_secboot_sg_table *)(dma_addr_t)(csf_addr +
 						 (u32)hdr->psgtable);
 #endif
 
@@ -379,8 +377,8 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img)
 #ifdef CONFIG_KEY_REVOCATION
 	if (check_srk(img)) {
 		ret = algo->hash_update(algo, ctx,
-			(u8 *)(img->ehdrloc + img->hdr.srk_tbl_off),
-			img->hdr.len_kr.num_srk * sizeof(struct srk_table), 1);
+		      (u8 *)(dma_addr_t)(img->ehdrloc + img->hdr.srk_tbl_off),
+		      img->hdr.len_kr.num_srk * sizeof(struct srk_table), 1);
 		srk = 1;
 	}
 #endif
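Review bot: The sum `img->ehdrloc + img->hdr.srk_tbl_off` is evaluated before the widening cast, so if both operands are 32-bit (their declarations are outside the hunk) it wraps modulo 2^32 and the resulting pointer need not lie inside the header. `srk_tbl_off` and `num_srk` come from the image header that is still being validated at this point, and no bound on either is visible in this hunk. Consider widening first, `(u8 *)((uintptr_t)img->ehdrloc + img->hdr.srk_tbl_off)`, and adding a comment naming where the offset and entry count are range-checked. The identical expression in the calc_esbchdr_esbc_hash hunk has the same shape.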
@@ -438,8 +436,8 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
 #ifdef CONFIG_KEY_REVOCATION
 	if (check_srk(img)) {
 		ret = algo->hash_update(algo, ctx,
-			(u8 *)(img->ehdrloc + img->hdr.srk_tbl_off),
-			img->hdr.len_kr.num_srk * sizeof(struct srk_table), 0);
+		      (u8 *)(dma_addr_t)(img->ehdrloc + img->hdr.srk_tbl_off),
+		      img->hdr.len_kr.num_srk * sizeof(struct srk_table), 0);
 		key_hash = 1;
 	}
 #endif
@@ -454,8 +452,13 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
 		return ret;
 
 	/* Update hash for actual Image */
+#ifdef CONFIG_ESBC_ADDR_64BIT
+	ret = algo->hash_update(algo, ctx,
+		(u8 *)(dma_addr_t)img->hdr.pimg64, img->hdr.img_size, 1);
+#else
 	ret = algo->hash_update(algo, ctx,
-			(u8 *)img->hdr.pimg, img->hdr.img_size, 1);
+		(u8 *)(dma_addr_t)img->hdr.pimg, img->hdr.img_size, 1);
+#endif
 	if (ret)
 		return ret;
 
@@ -533,7 +536,7 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
 {
 	char buf[20];
 	struct fsl_secboot_img_hdr *hdr = &img->hdr;
-	void *esbc = (u8 *)img->ehdrloc;
+	void *esbc = (u8 *)(dma_addr_t)img->ehdrloc;
 	u8 *k, *s;
 #ifdef CONFIG_KEY_REVOCATION
 	u32 ret;
@@ -549,7 +552,11 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
 	if (memcmp(hdr->barker, barker_code, ESBC_BARKER_LEN))
 		return ERROR_ESBC_CLIENT_HEADER_BARKER;
 
+#ifdef CONFIG_ESBC_ADDR_64BIT
+	sprintf(buf, "%llx", hdr->pimg64);
+#else
 	sprintf(buf, "%x", hdr->pimg);
+#endif
 	setenv("img_addr", buf);
 
 	if (!hdr->img_size)
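Review bot: `%llx` expects `unsigned long long`, but `hdr->pimg64` is a `u64`, and if that typedef is `unsigned long` on this 64-bit target the added `sprintf` has a format/argument mismatch. An explicit cast removes the dependency on the typedef, and a bounded call keeps the 20-byte `buf` safe if the format ever changes: `snprintf(buf, sizeof(buf), "%llx", (unsigned long long)hdr->pimg64);`. Separately, the header-supplied address is exported to `img_addr` here and hashed from in the calc_esbchdr_esbc_hash hunk, with no range check visible in either place; a comment saying where the 64-bit address is validated would help. The function body continues outside the hunk.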
@@ -594,7 +601,7 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
 	if (!key_found && check_ie(img)) {
 		if (get_ie_info_addr(&img->ie_addr))
 			return ERROR_IE_TABLE_NOT_FOUND;
-		ie_info = (struct ie_key_info *)img->ie_addr;
+		ie_info = (struct ie_key_info *)(dma_addr_t)img->ie_addr;
 		if (ie_info->num_keys == 0 || ie_info->num_keys > 32)
 			return ERROR_ESBC_CLIENT_HEADER_INVALID_IE_NUM_ENTRY;
 
@@ -748,7 +755,7 @@ int fsl_secboot_validate(cmd_tbl_t *cmdtp, int flag, int argc,
 
 	hdr = &img->hdr;
 	img->ehdrloc = addr;
-	esbc = (u8 *)img->ehdrloc;
+	esbc = (u8 *)(dma_addr_t)img->ehdrloc;
 
 	memcpy(hdr, esbc, sizeof(struct fsl_secboot_img_hdr));
 
diff --git a/board/freescale/ls1043ardb/MAINTAINERS b/board/freescale/ls1043ardb/MAINTAINERS
index efca5bf..84ffb63 100644
--- a/board/freescale/ls1043ardb/MAINTAINERS
+++ b/board/freescale/ls1043ardb/MAINTAINERS
@@ -7,3 +7,8 @@ F:	include/configs/ls1043ardb.h
 F:	configs/ls1043ardb_defconfig
 F:	configs/ls1043ardb_nand_defconfig
 F:	configs/ls1043ardb_sdcard_defconfig
+
+LS1043A_SECURE_BOOT BOARD
+M:	Aneesh Bansal <aneesh.bansal at freescale.com>
+S:	Maintained
+F:	configs/ls1043ardb_SECURE_BOOT_defconfig
diff --git a/board/freescale/ls1043ardb/ls1043ardb.c b/board/freescale/ls1043ardb/ls1043ardb.c
index 9032ed3..ef8a1e2 100644
--- a/board/freescale/ls1043ardb/ls1043ardb.c
+++ b/board/freescale/ls1043ardb/ls1043ardb.c
@@ -18,6 +18,8 @@
 #include <fsl_csu.h>
 #include <fsl_esdhc.h>
 #include <fsl_ifc.h>
+#include <environment.h>
+#include <fsl_sec.h>
 #include "cpld.h"
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -107,7 +109,21 @@ int config_board_mux(void)
 int misc_init_r(void)
 {
 	config_board_mux();
-
+#ifdef CONFIG_SECURE_BOOT
+#ifdef CONFIG_LS1043A
+	/* In case of Secure Boot, the IBR configures the SMMU
+	 * to allow only Secure transactions.
+	 * SMMU must be reset in bypass mode.
+	 * Set the ClientPD bit and Clear the USFCFG Bit
+	 */
+	u32 val;
+	val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK);
+	out_le32(SMMU_SCR0, val);
+	val = (in_le32(SMMU_NSCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK);
+	out_le32(SMMU_NSCR0, val);
+#endif
+	return sec_init();
+#endif
 	return 0;
 }
 #endif
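Review bot: The new block puts the SMMU in bypass through both the secure (`SMMU_SCR0`) and non-secure (`SMMU_NSCR0`) registers, and the comment explains the bit manipulation but not the consequence: going by the comment, bus masters are no longer restricted by SMMU stream matching after this point. A sentence stating that trade-off, and why bypass rather than a restrictive mapping is acceptable on this board, would help anyone auditing the secure-boot chain. Two smaller style points: `u32 val;` is declared after the `config_board_mux()` statement, and with `CONFIG_SECURE_BOOT` defined the trailing `return 0;` is unreachable, which an `#else` around it would make explicit. The final `#endif` closes a conditional opened outside the hunk.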
diff --git a/common/cmd_blob.c b/common/cmd_blob.c
index d3f22a1..911356c 100644
--- a/common/cmd_blob.c
+++ b/common/cmd_blob.c
@@ -73,9 +73,9 @@ static int do_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
 	len = simple_strtoul(argv[4], NULL, 16);
 	key_addr = simple_strtoul(argv[5], NULL, 16);
 
-	km_ptr = (uint8_t *)key_addr;
-	src_ptr = (uint8_t *)src_addr;
-	dst_ptr = (uint8_t *)dst_addr;
+	km_ptr = (uint8_t *)(dma_addr_t)key_addr;
+	src_ptr = (uint8_t *)(dma_addr_t)src_addr;
+	dst_ptr = (uint8_t *)(dma_addr_t)dst_addr;
 
 	if (enc)
 		ret = blob_encap(km_ptr, src_ptr, dst_ptr, len);
diff --git a/configs/ls1043ardb_SECURE_BOOT_defconfig b/configs/ls1043ardb_SECURE_BOOT_defconfig
new file mode 100644
index 0000000..9ceee6d
--- /dev/null
+++ b/configs/ls1043ardb_SECURE_BOOT_defconfig
@@ -0,0 +1,4 @@
+CONFIG_SYS_EXTRA_OPTIONS="SYS_FSL_DDR4, SECURE_BOOT"
+CONFIG_ARM=y
+CONFIG_TARGET_LS1043ARDB=y
+CONFIG_FSL_LAYERSCAPE=y
diff --git a/include/configs/ls1043ardb.h b/include/configs/ls1043ardb.h
index 307d947..bf3a1a0 100644
--- a/include/configs/ls1043ardb.h
+++ b/include/configs/ls1043ardb.h
@@ -268,4 +268,16 @@
 #define CONFIG_ETHPRIME			"FM1 at DTSEC3"
 #endif
 
+#ifdef CONFIG_SECURE_BOOT
+/* Hash command with SHA acceleration supported in hardware */
+#define CONFIG_CMD_HASH
+#define CONFIG_SHA_HW_ACCEL
+#define CONFIG_CMD_BLOB
+
+/* For LS1043 (ARMv8), ESBC image Address in Header is 64 bit */
+#define CONFIG_ESBC_ADDR_64BIT
+
+#include <asm/fsl_secure_boot.h>
+#endif
+
 #endif /* __LS1043ARDB_H__ */
diff --git a/include/fsl_validate.h b/include/fsl_validate.h
index 92dd98b..a62dc74 100644
--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -83,7 +83,9 @@ struct fsl_secboot_img_hdr {
 	u32 sign_len;		/* length of the signature in bytes */
 	union {
 		u32 psgtable;	/* ptr to SG table */
+#ifndef CONFIG_ESBC_ADDR_64BIT
 		u32 pimg;	/* ptr to ESBC client image */
+#endif
 	};
 	union {
 		u32 sg_entries;	/* no of entries in SG table */
@@ -97,7 +99,12 @@ struct fsl_secboot_img_hdr {
 	u32 reserved1[2];
 	u32 fsl_uid_1;
 	u32 oem_uid_1;
-	u32 reserved2[2];
+	union {
+		u32 reserved2[2];
+#ifdef CONFIG_ESBC_ADDR_64BIT
+		u64 pimg64;	/* 64 bit pointer to ESBC Image */
+#endif
+	};
 	u32 ie_flag;
 	u32 ie_key_sel;
 };
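Review bot: `pimg64` overlays `reserved2[2]`, which is only layout-neutral if that slot sits at an 8-byte-aligned offset in the header; otherwise the compiler pads before the union, and `ie_flag` and `ie_key_sel` shift relative to the bytes that `memcpy` copies into the struct. The offset cannot be confirmed from the lines shown here, since the struct starts outside the hunk. A compile-time check next to the definition would pin it, e.g. `_Static_assert(offsetof(struct fsl_secboot_img_hdr, pimg64) % 8 == 0, "pimg64 misaligned");` or the project's own build-time assertion macro. A comment noting that the 64-bit image pointer reuses the reserved words of the 32-bit header layout would also help readers.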
-- 
1.8.1.4


