[U-Boot] [PATCH v2 2/2] ls1043ardb: PPA: add PPA validation in case of secure boot
Sumit Garg
sumit.garg at nxp.com
Thu Sep 1 18:56:44 CEST 2016
As part of Secure Boot Chain of trust, PPA image must be validated
before the image is started.
The code for the same has been added.
Signed-off-by: Aneesh Bansal <aneesh.bansal at nxp.com>
Signed-off-by: Sumit Garg <sumit.garg at nxp.com>
---
Rebased Aneesh's patchset. No dependency.
Link to patchset: https://patchwork.ozlabs.org/patch/586784/
arch/arm/cpu/armv8/fsl-layerscape/ppa.c | 21 +++++++++++++++++++++
arch/arm/include/asm/fsl_secure_boot.h | 18 ++++++++++++++++++
2 files changed, 39 insertions(+)
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
index f54ac3f..b68e87d 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
@@ -17,6 +17,9 @@
#ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
#include <asm/armv8/sec_firmware.h>
#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
int ppa_init(void)
{
@@ -24,12 +27,30 @@ int ppa_init(void)
u32 *boot_loc_ptr_l, *boot_loc_ptr_h;
int ret;
+#ifdef CONFIG_CHAIN_OF_TRUST
+ uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR;
+ uintptr_t ppa_img_addr = 0;
+#endif
+
#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
ppa_fit_addr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR;
#else
#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ ppa_img_addr = (uintptr_t)ppa_fit_addr;
+ if (fsl_check_boot_mode_secure() != 0) {
+ ret = fsl_secboot_validate(ppa_esbc_hdr,
+ CONFIG_PPA_KEY_HASH,
+ &ppa_img_addr);
+ if (ret != 0)
+ printf("PPA validation failed\n");
+ else
+ printf("PPA validation Successful\n");
+ }
+#endif
+
#ifdef CONFIG_FSL_LSCH3
struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
boot_loc_ptr_l = &gur->bootlocptrl;
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index b35c271..6b9d3e4 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -126,6 +126,24 @@
/* BOOTSCRIPT_ADDR is not required */
#endif
+#ifdef CONFIG_FSL_LS_PPA
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
+#ifdef CONFIG_LS1043A
+#define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x600c0000
+#endif
+#else
+#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
+#endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */
+
+/* Define the key hash here if SRK used for signing PPA image is
+ * different from SRK hash put in SFP used for U-Boot.
+ * Example
+ * #define CONFIG_PPA_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+#define CONFIG_PPA_KEY_HASH NULL
+#endif /* ifdef CONFIG_FSL_LS_PPA */
+
#include <config_fsl_chain_trust.h>
#endif /* #ifndef CONFIG_SPL_BUILD */
#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
--
1.8.1.4
More information about the U-Boot
mailing list