[U-Boot] [PATCH 2/4] SECURE_BOOT: Enable chain of trust in SPL framework
Sumit Garg
sumit.garg at nxp.com
Tue Jun 14 19:52:38 CEST 2016
Override jump_to_image_no_args function to include validation of
u-boot image using spl_validate_uboot before jumping to u-boot image.
Also define macros in SPL framework to enable crypto operations.
Reviewed-by: Aneesh Bansal <aneesh.bansal at nxp.com>
Signed-off-by: Sumit Garg <sumit.garg at nxp.com>
---
arch/arm/include/asm/fsl_secure_boot.h | 25 +++++++++++++++++++--
board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++++++++++++++++++++-
2 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index 53cd755..3f76c9a 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -17,8 +17,6 @@
#ifdef CONFIG_CHAIN_OF_TRUST
#define CONFIG_CMD_ESBC_VALIDATE
-#define CONFIG_CMD_BLOB
-#define CONFIG_CMD_HASH
#define CONFIG_FSL_SEC_MON
#define CONFIG_SHA_HW_ACCEL
#define CONFIG_SHA_PROG_HW_ACCEL
@@ -28,6 +26,28 @@
#define CONFIG_FSL_CAAM
#endif
+#ifdef CONFIG_SPL_BUILD
+#define CONFIG_SPL_BOARD_INIT
+#define CONFIG_SPL_DM 1
+#define CONFIG_SPL_CRYPTO_SUPPORT
+#define CONFIG_SPL_HASH_SUPPORT
+#define CONFIG_SPL_RSA
+#define CONFIG_SPL_DRIVERS_MISC_SUPPORT
+/*
+ * Define the key hash for U-Boot here if public/private key pair used to
+ * sign U-boot are different from the SRK hash put in the fuse
+ * Example of defining KEY_HASH is
+ * #define CONFIG_SPL_UBOOT_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ * else leave it defined as NULL
+ */
+
+#define CONFIG_SPL_UBOOT_KEY_HASH NULL
+#endif /* ifdef CONFIG_SPL_BUILD */
+
+#ifndef CONFIG_SPL_BUILD
+#define CONFIG_CMD_BLOB
+#define CONFIG_CMD_HASH
#define CONFIG_KEY_REVOCATION
#ifndef CONFIG_SYS_RAMBOOT
/* The key used for verification of next level images
@@ -92,5 +112,6 @@
#endif
#include <config_fsl_chain_trust.h>
+#endif /* #ifndef CONFIG_SPL_BUILD */
#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
#endif
diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c
index 7bf9827..0f5ec35 100644
--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@@ -10,6 +10,10 @@
#include <fsl_sfp.h>
#include <dm/root.h>
+#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK)
+#include <spl.h>
+#endif
+
#ifdef CONFIG_ADDR_MAP
#include <asm/mmu.h>
#endif
@@ -113,7 +117,7 @@ void spl_validate_uboot(uint32_t hdr_addr, uintptr_t img_addr)
* do not use common SPL framework, so need to call this function here.
*/
#if defined(CONFIG_SPL_DM) && (!defined(CONFIG_SPL_FRAMEWORK))
- dm_init_and_scan(false);
+ dm_init_and_scan(true);
#endif
res = fsl_secboot_validate(hdr_addr, CONFIG_SPL_UBOOT_KEY_HASH,
&img_addr);
@@ -121,4 +125,32 @@ void spl_validate_uboot(uint32_t hdr_addr, uintptr_t img_addr)
if (res == 0)
printf("SPL: Validation of U-boot successful\n");
}
+
+#ifdef CONFIG_SPL_FRAMEWORK
+/* Override weak funtion defined in SPL framework to enable validation
+ * of main u-boot image before jumping to u-boot image.
+ */
+void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image)
+{
+ typedef void __noreturn (*image_entry_noargs_t)(void);
+ uint32_t hdr_addr;
+
+ image_entry_noargs_t image_entry =
+ (image_entry_noargs_t)(unsigned long)spl_image->entry_point;
+
+ hdr_addr = (spl_image->entry_point + spl_image->size -
+ CONFIG_U_BOOT_HDR_SIZE);
+ spl_validate_uboot(hdr_addr, (uintptr_t)spl_image->entry_point);
+ /*
+ * In case of failure in validation, spl_validate_uboot would
+ * not return back in case of Production environment with ITS=1.
+ * Thus U-Boot will not start.
+ * In Development environment (ITS=0 and SB_EN=1), the function
+ * may return back in case of non-fatal failures.
+ */
+
+ debug("image entry point: 0x%X\n", spl_image->entry_point);
+ image_entry();
+}
+#endif /* ifdef CONFIG_SPL_FRAMEWORK */
#endif /* ifdef CONFIG_SPL_BUILD */
--
1.8.1.4
More information about the U-Boot
mailing list