[U-Boot] [PATCH][v4] ARMv8/sec_firmware : Update chosen/kaslr-seed with random number
Ruchika Gupta
ruchika.gupta at nxp.com
Wed Aug 16 10:28:10 UTC 2017
kASLR support in kernel requires a random number to be passed via
chosen/kaslr-seed propert. sec_firmware generates this random seed
which can then be passed in the device tree node.
sec_firmware reserves JR3 for it's own usage. Node for JR3 is
removed from device-tree.
Signed-off-by: Ruchika Gupta <ruchika.gupta at nxp.com>
---
Changes from v3:
fdt_fixup_kaslr function is valid only if secure firmare is enabled.
So the call to this function is done only if CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
is enabled
Changes from v2:
fix-kaslr-seed moved to sec_firmware.c
Changes from v1
- Extra spaces removed from the patch
- Support added for LSCH3 devices in the patch
- of calls replaced with fdt calls to remove compilation error with
latest uboot
arch/arm/cpu/armv8/fsl-layerscape/fdt.c | 37 +++++++++++-
arch/arm/cpu/armv8/sec_firmware.c | 99 +++++++++++++++++++++++++++++++
arch/arm/include/asm/armv8/sec_firmware.h | 9 +++
3 files changed, 142 insertions(+), 3 deletions(-)
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/fdt.c b/arch/arm/cpu/armv8/fsl-layerscape/fdt.c
index f5f4840..c925275 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/fdt.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/fdt.c
@@ -345,11 +345,38 @@ static void fdt_fixup_msi(void *blob)
}
#endif
+#ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
+/* Remove JR node used by SEC firmware */
+void fdt_fixup_remove_jr(void *blob)
+{
+ int jr_node, addr_cells, len;
+ int crypto_node = fdt_path_offset(blob, "crypto");
+ u64 jr_offset, used_jr;
+ fdt32_t *reg;
+
+ used_jr = sec_firmware_used_jobring_offset();
+ fdt_support_default_count_cells(blob, crypto_node, &addr_cells, NULL);
+
+ jr_node = fdt_node_offset_by_compatible(blob, crypto_node,
+ "fsl,sec-v4.0-job-ring");
+
+ while (jr_node != -FDT_ERR_NOTFOUND) {
+ reg = (fdt32_t *)fdt_getprop(blob, jr_node, "reg", &len);
+ jr_offset = fdt_read_number(reg, addr_cells);
+ if (jr_offset == used_jr) {
+ fdt_del_node(blob, jr_node);
+ break;
+ }
+ jr_node = fdt_node_offset_by_compatible(blob, jr_node,
+ "fsl,sec-v4.0-job-ring");
+ }
+}
+#endif
+
void ft_cpu_setup(void *blob, bd_t *bd)
{
-#ifdef CONFIG_FSL_LSCH2
struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
- unsigned int svr = in_be32(&gur->svr);
+ unsigned int svr = gur_in32(&gur->svr);
/* delete crypto node if not on an E-processor */
if (!IS_E_PROCESSOR(svr))
@@ -358,11 +385,15 @@ void ft_cpu_setup(void *blob, bd_t *bd)
else {
ccsr_sec_t __iomem *sec;
+#ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
+ if (fdt_fixup_kaslr(blob))
+ fdt_fixup_remove_jr(blob);
+#endif
+
sec = (void __iomem *)CONFIG_SYS_FSL_SEC_ADDR;
fdt_fixup_crypto_node(blob, sec_in32(&sec->secvid_ms));
}
#endif
-#endif
#ifdef CONFIG_MP
ft_fixup_cpu(blob);
diff --git a/arch/arm/cpu/armv8/sec_firmware.c b/arch/arm/cpu/armv8/sec_firmware.c
index fffce71..0e74834 100644
--- a/arch/arm/cpu/armv8/sec_firmware.c
+++ b/arch/arm/cpu/armv8/sec_firmware.c
@@ -232,6 +232,59 @@ unsigned int sec_firmware_support_psci_version(void)
#endif
/*
+ * Check with sec_firmware if it supports random number generation
+ * via HW RNG
+ *
+ * The return value will be true if it is supported
+ */
+bool sec_firmware_support_hwrng(void)
+{
+ uint8_t rand[8];
+ if (sec_firmware_addr & SEC_FIRMWARE_RUNNING) {
+ if (!sec_firmware_get_random(rand, 8))
+ return true;
+ }
+
+ return false;
+}
+
+/*
+ * sec_firmware_get_random - Get a random number from SEC Firmware
+ * @rand: random number buffer to be filled
+ * @bytes: Number of bytes of random number to be supported
+ * @eret: -1 in case of error, 0 for success
+ */
+int sec_firmware_get_random(uint8_t *rand, int bytes)
+{
+ unsigned long long num;
+ struct pt_regs regs;
+ int param1;
+
+ if (!bytes || bytes > 8) {
+ printf("Max Random bytes genration supported is 8\n");
+ return -1;
+ }
+#define SIP_RNG_64 0xC200FF11
+ regs.regs[0] = SIP_RNG_64;
+
+ if (bytes <= 4)
+ param1 = 0;
+ else
+ param1 = 1;
+ regs.regs[1] = param1;
+
+ smc_call(®s);
+
+ if (regs.regs[0])
+ return -1;
+
+ num = regs.regs[1];
+ memcpy(rand, &num, bytes);
+
+ return 0;
+}
+
+/*
* sec_firmware_init - Initialize the SEC Firmware
* @sec_firmware_img: the SEC Firmware image address
* @eret_hold_l: the address to hold exception return address low
@@ -278,3 +331,49 @@ int sec_firmware_init(const void *sec_firmware_img,
return 0;
}
+
+/*
+ * fdt_fix_kaslr - Add kalsr-seed node in Device tree
+ * @fdt: Device tree
+ * @eret: 0 in case of error, 1 for success
+ */
+int fdt_fixup_kaslr(void *fdt)
+{
+ int nodeoffset;
+ int err, ret = 0;
+ u8 rand[8];
+
+#if defined(CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT)
+ /* Check if random seed generation is supported */
+ if (sec_firmware_support_hwrng() == false)
+ return 0;
+
+ ret = sec_firmware_get_random(rand, 8);
+ if (ret < 0) {
+ printf("WARNING: No random number to set kaslr-seed\n");
+ return 0;
+ }
+
+ err = fdt_check_header(fdt);
+ if (err < 0) {
+ printf("fdt_chosen: %s\n", fdt_strerror(err));
+ return 0;
+ }
+
+ /* find or create "/chosen" node. */
+ nodeoffset = fdt_find_or_add_subnode(fdt, 0, "chosen");
+ if (nodeoffset < 0)
+ return 0;
+
+ err = fdt_setprop(fdt, nodeoffset, "kaslr-seed", rand,
+ sizeof(rand));
+ if (err < 0) {
+ printf("WARNING: can't set kaslr-seed %s.\n",
+ fdt_strerror(err));
+ return 0;
+ }
+ ret = 1;
+#endif
+
+ return ret;
+}
diff --git a/arch/arm/include/asm/armv8/sec_firmware.h b/arch/arm/include/asm/armv8/sec_firmware.h
index bc1d97d..6d42a71 100644
--- a/arch/arm/include/asm/armv8/sec_firmware.h
+++ b/arch/arm/include/asm/armv8/sec_firmware.h
@@ -8,10 +8,14 @@
#define __SEC_FIRMWARE_H_
#define PSCI_INVALID_VER 0xffffffff
+#define SEC_JR3_OFFSET 0x40000
int sec_firmware_init(const void *, u32 *, u32 *);
int _sec_firmware_entry(const void *, u32 *, u32 *);
bool sec_firmware_is_valid(const void *);
+bool sec_firmware_support_hwrng(void);
+int sec_firmware_get_random(uint8_t *rand, int bytes);
+int fdt_fixup_kaslr(void *fdt);
#ifdef CONFIG_SEC_FIRMWARE_ARMV8_PSCI
unsigned int sec_firmware_support_psci_version(void);
unsigned int _sec_firmware_support_psci_version(void);
@@ -22,4 +26,9 @@ static inline unsigned int sec_firmware_support_psci_version(void)
}
#endif
+static inline unsigned int sec_firmware_used_jobring_offset(void)
+{
+ return SEC_JR3_OFFSET;
+}
+
#endif /* __SEC_FIRMWARE_H_ */
--
2.7.4
More information about the U-Boot
mailing list