[U-Boot] [PATCH v2 2/3] fsl: PPA: add support PPA image validation from NAND and SD

Sumit Garg sumit.garg at nxp.com
Sat Apr 22 02:54:35 UTC 2017


> -----Original Message-----
> From: York Sun [mailto:york.sun at nxp.com]
> Sent: Saturday, April 22, 2017 1:03 AM
> To: Sumit Garg <sumit.garg at nxp.com>; u-boot at lists.denx.de
> Cc: Ruchika Gupta <ruchika.gupta at nxp.com>; Prabhakar Kushwaha
> <prabhakar.kushwaha at nxp.com>; Vini Pillai <vinitha.pillai at nxp.com>; Udit
> Agarwal <udit.agarwal at nxp.com>
> Subject: Re: [PATCH v2 2/3] fsl: PPA: add support PPA image validation from
> NAND and SD
> 
> On 04/19/2017 05:16 AM, Sumit Garg wrote:
> > Signed-off-by: Sumit Garg <sumit.garg at nxp.com>
> > Signed-off-by: Udit Agarwal <udit.agarwal at nxp.com>
> > Tested-by: Vinitha Pillai <vinitha.pillai at nxp.com>
> > ---
> >
> > Changes in v2:
> > Changed order of patch 1 & 2. Also moved assignment of ppa_esbc_hdr to
> > CONFIG_SYS_LS_PPA_ESBC_ADDR in XIP space as it's not required in case
> > of SD/NAND.
> >
> >  arch/arm/cpu/armv8/fsl-layerscape/ppa.c | 72
> > ++++++++++++++++++++++++++++++++-
> >  1 file changed, 70 insertions(+), 2 deletions(-)
> >
> 
> <snip>
> 
> >  #ifdef CONFIG_CHAIN_OF_TRUST
> >  	ppa_img_addr = (uintptr_t)ppa_fit_addr;
> >  	if (fsl_check_boot_mode_secure() != 0) {
> > +		/*
> > +		 * In case of failure in validation, fsl_secboot_validate
> > +		 * would not return back in case of Production environment
> > +		 * with ITS=1. In Development environment (ITS=0 and
> > +		 * SB_EN=1), the function may return back in case of
> > +		 * non-fatal failures.
> > +		 */
> >  		ret = fsl_secboot_validate(ppa_esbc_hdr,
> >  					   PPA_KEY_HASH,
> >  					   &ppa_img_addr);
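
Review bot: The new comment above the fsl_secboot_validate() call says the function may return on non-fatal failures when ITS=0 and SB_EN=1, but it does not say what ppa_init() then does with ret. Add a sentence stating the intended behaviour on that path (boot continues, or the error is returned) so the handling of ret reads as deliberate. "would not return back" can also be shortened to "does not return".
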
> > @@ -185,6 +249,10 @@ int ppa_init(void)
> >  		else
> >  			printf("PPA validation Successful\n");
> >  	}
> > +#if defined(CONFIG_SYS_LS_PPA_FW_IN_MMC) || \
> > +	defined(CONFIG_SYS_LS_PPA_FW_IN_NAND)
> > +	free(ppa_hdr_ddr);
> > +#endif
> >  #endif
> >
> >  #ifdef CONFIG_FSL_LSCH3
> >
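
Review bot: free(ppa_hdr_ddr) sits after the closing brace of the fsl_check_boot_mode_secure() block, so with CONFIG_SYS_LS_PPA_FW_IN_MMC or CONFIG_SYS_LS_PPA_FW_IN_NAND it runs whether or not validation was attempted. The allocation is not in the quoted part of the patch, so please confirm that ppa_hdr_ddr is either allocated outside that check too or initialised to NULL, and that any error return between the allocation and this point also frees it.
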
> 
> Do we want to return from this function if any error happens with
> CONFIG_CHAIN_OF_TRUST enabled?
> 
> York
 
There are two scenarios in secure boot validation: there can be either non-fatal
or fatal errors. In case of a fatal error, the "fsl_secboot_validate" function will not
return. In case of a non-fatal error, the "fsl_secboot_validate" function will return and
booting should continue.
So in the Production environment, all errors are fatal failures, so the function will
not pass control back. But in the Development environment there is the possibility
of a non-fatal error, so the function returns and booting should continue.

Sumit

