[U-Boot] [PATCH v2 2/2] ls1043ardb: PPA: add PPA validation in case of secure boot

Sumit Garg sumit.garg at nxp.com
Thu Sep 1 18:56:44 CEST 2016


As part of Secure Boot Chain of trust, PPA image must be validated
before the image is started.
The code for the same has been added.

Signed-off-by: Aneesh Bansal <aneesh.bansal at nxp.com>
Signed-off-by: Sumit Garg <sumit.garg at nxp.com>
---

Rebased Aneesh's patchset. No dependency.
Link to patchset: https://patchwork.ozlabs.org/patch/586784/

 arch/arm/cpu/armv8/fsl-layerscape/ppa.c | 21 +++++++++++++++++++++
 arch/arm/include/asm/fsl_secure_boot.h  | 18 ++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
index f54ac3f..b68e87d 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
@@ -17,6 +17,9 @@
 #ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
 #include <asm/armv8/sec_firmware.h>
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 int ppa_init(void)
 {
@@ -24,12 +27,30 @@ int ppa_init(void)
 	u32 *boot_loc_ptr_l, *boot_loc_ptr_h;
 	int ret;
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+	uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR;
+	uintptr_t ppa_img_addr = 0;
+#endif
+
 #ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
 	ppa_fit_addr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR;
 #else
 #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
 #endif
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+	ppa_img_addr = (uintptr_t)ppa_fit_addr;
+	if (fsl_check_boot_mode_secure() != 0) {
+		ret = fsl_secboot_validate(ppa_esbc_hdr,
+					   CONFIG_PPA_KEY_HASH,
+					   &ppa_img_addr);
+		if (ret != 0)
+			printf("PPA validation failed\n");
+		else
+			printf("PPA validation Successful\n");
+	}
+#endif
+
 #ifdef CONFIG_FSL_LSCH3
 	struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
 	boot_loc_ptr_l = &gur->bootlocptrl;
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index b35c271..6b9d3e4 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -126,6 +126,24 @@
 /* BOOTSCRIPT_ADDR is not required */
 #endif
 
+#ifdef CONFIG_FSL_LS_PPA
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
+#ifdef CONFIG_LS1043A
+#define CONFIG_SYS_LS_PPA_ESBC_ADDR	0x600c0000
+#endif
+#else
+#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
+#endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */
+
+/* Define the key hash here if SRK used for signing PPA image is
+ * different from SRK hash put in SFP used for U-Boot.
+ * Example
+ * #define CONFIG_PPA_KEY_HASH \
+ *	"41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+#define CONFIG_PPA_KEY_HASH		NULL
+#endif /* ifdef CONFIG_FSL_LS_PPA */
+
 #include <config_fsl_chain_trust.h>
 #endif /* #ifndef CONFIG_SPL_BUILD */
 #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
-- 
1.8.1.4



More information about the U-Boot mailing list