[U-Boot] [PATCH v3 1/2] LS1088A_QSPI: SECURE_BOOT: Images validation

Udit Agarwal udit.agarwal at nxp.com
Wed Nov 1 11:05:10 UTC 2017


> -----Original Message-----
> From: York Sun
> Sent: Tuesday, October 24, 2017 3:04 AM
> To: Udit Agarwal <udit.agarwal at nxp.com>; u-boot at lists.denx.de
> Cc: Ruchika Gupta <ruchika.gupta at nxp.com>; Sumit Garg <sumit.garg at nxp.com>;
> Prabhakar Kushwaha <prabhakar.kushwaha at nxp.com>
> Subject: Re: [PATCH v3 1/2] LS1088A_QSPI: SECURE_BOOT: Images validation
> 
> On 10/15/2017 10:03 PM, Udit Agarwal wrote:
> > Validates PPA, MC, DPC, Bootscript, DPL and Kernel images in ESBC
> > phase using esbc_validate command. Add images validation in default
> > environment under mcinitcmd prior to MC initialization.
> >
> > Add header address for PPA to be validated during ESBC phase for
> > LS1088A platform based on Layerscape Chassis 3.
> >
> > Moves sec_init prior to ppa_init as for validation of PPA sec must be
> > initialised before the PPA is initialised.
> >
> > Signed-off-by: Udit Agarwal <udit.agarwal at nxp.com>
> > ---
> > Changes in v3:
> > Removes CONFIG_FSL_CAAM. Will be enabled via defconfig.
> >
> >  arch/arm/cpu/armv8/fsl-layerscape/Kconfig |  1 +
> >  board/freescale/ls1088a/Kconfig           |  2 ++
> >  board/freescale/ls1088a/ls1088a.c         |  6 +++---
> >  include/configs/ls1088a_common.h          |  3 ---
> >  include/configs/ls1088aqds.h              | 21 +++++++++++++++++++++
> >  include/configs/ls1088ardb.h              | 22 +++++++++++++++++++++-
> >  6 files changed, 48 insertions(+), 7 deletions(-)
> >
> > diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> > b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> > index 3518d86..7883623 100644
> > --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> > +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> > @@ -242,6 +242,7 @@ config SYS_LS_PPA_ESBC_ADDR
> >  	default 0x40680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS1012A
> >  	default 0x20680000 if SYS_LS_PPA_FW_IN_XIP && QSPI_BOOT &&
> ARCH_LS2080A
> >  	default 0x580680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS2080A
> > +	default 0x20680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS1088A
> >  	default 0x680000 if SYS_LS_PPA_FW_IN_MMC
> >  	default 0x680000 if SYS_LS_PPA_FW_IN_NAND
> >  	help
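
Review bot: The new ARCH_LS1088A default does not test QSPI_BOOT, although the subject scopes this patch to LS1088A QSPI and the LS2080A line that carries the same 0x20680000 value does test it. As written, any LS1088A configuration with SYS_LS_PPA_FW_IN_XIP gets the QSPI header address; consider `default 0x20680000 if SYS_LS_PPA_FW_IN_XIP && QSPI_BOOT && ARCH_LS1088A`, or state in the commit message that QSPI is the only XIP source on this SoC.
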
> > diff --git a/board/freescale/ls1088a/Kconfig
> > b/board/freescale/ls1088a/Kconfig index 1ada661..4479dd0 100644
> > --- a/board/freescale/ls1088a/Kconfig
> > +++ b/board/freescale/ls1088a/Kconfig
> > @@ -12,6 +12,7 @@ config SYS_SOC
> >  config SYS_CONFIG_NAME
> >  	default "ls1088aqds"
> >
> > +source "board/freescale/common/Kconfig"
> >  endif
> >
> >  if TARGET_LS1088ARDB
> > @@ -28,4 +29,5 @@ config SYS_SOC
> >  config SYS_CONFIG_NAME
> >  	default "ls1088ardb"
> >
> > +source "board/freescale/common/Kconfig"
> >  endif
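
Review bot: The commit message does not explain why `source "board/freescale/common/Kconfig"` is needed, and the line is added twice, once inside each target block of this file. Add a sentence naming the option from the common Kconfig that the secure boot flow depends on, and consider sourcing the file once after both blocks if nothing in it is target-specific.
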
> > diff --git a/board/freescale/ls1088a/ls1088a.c
> > b/board/freescale/ls1088a/ls1088a.c
> > index 96d9ae7..1860f9c 100644
> > --- a/board/freescale/ls1088a/ls1088a.c
> > +++ b/board/freescale/ls1088a/ls1088a.c
> > @@ -315,6 +315,9 @@ int board_init(void)
> >  	out_le32(irq_ccsr + IRQCR_OFFSET / 4, AQR105_IRQ_MASK);  #endif
> >
> > +#ifdef CONFIG_FSL_CAAM
> > +	sec_init();
> > +#endif
> >  #ifdef CONFIG_FSL_LS_PPA
> >  	ppa_init();
> >  #endif
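
Review bot: The result of `sec_init()` is discarded at its new position ahead of `ppa_init()`, so a SEC initialisation failure goes unreported and `ppa_init()` still runs, even though the commit message says PPA validation requires SEC to be initialised first. If `sec_init()` returns a status, check it here and at least print an error before calling `ppa_init()`.
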
> > @@ -337,9 +340,6 @@ void detail_board_ddr_info(void)  #if
> > defined(CONFIG_ARCH_MISC_INIT)  int arch_misc_init(void)  { -#ifdef
> > CONFIG_FSL_CAAM
> > -	sec_init();
> > -#endif
> >  	return 0;
> >  }
> >  #endif
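
Review bot: With the `sec_init()` call removed, `arch_misc_init()` is left as a stub that only returns 0. Either drop the function together with its CONFIG_ARCH_MISC_INIT guard for this board, or note in the commit message why the empty function is kept.
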
> > diff --git a/include/configs/ls1088a_common.h
> > b/include/configs/ls1088a_common.h
> > index 84e9b14..6b82ee3 100644
> > --- a/include/configs/ls1088a_common.h
> > +++ b/include/configs/ls1088a_common.h
> > @@ -132,9 +132,6 @@ unsigned long long get_qixis_addr(void);  #if
> > defined(CONFIG_FSL_MC_ENET)
> >  #define CONFIG_SYS_LS_MC_DRAM_BLOCK_MIN_SIZE		(512UL *
> 1024 * 1024)
> >  #endif
> > -
> > -#define CONFIG_FSL_CAAM			/* Enable SEC/CAAM */
> > -
> >  /* Command line configuration */
> >  #define CONFIG_CMD_GREPENV
> >  #define CONFIG_CMD_CACHE
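
Review bot: Removing `#define CONFIG_FSL_CAAM` leaves the symbol undefined unless a defconfig sets it, and the diffstat of this patch touches no defconfig. Until that change is applied, the `#ifdef CONFIG_FSL_CAAM` block added to board_init() compiles out and `sec_init()` is never called, including on builds that had it before this patch. Name the patch in the series that enables it in the commit message, or enable it in this patch so the series stays bisectable.
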
> > diff --git a/include/configs/ls1088aqds.h
> > b/include/configs/ls1088aqds.h index 3547b0b..ff0cb7e 100644
> > --- a/include/configs/ls1088aqds.h
> > +++ b/include/configs/ls1088aqds.h
> > @@ -329,6 +329,26 @@ unsigned long get_board_ddr_clk(void);
> >  	QIXIS_SDID_MASK) != QIXIS_ESDHC_NO_ADAPTER)
> >
> >  /* Initial environment variables */
> > +#ifdef CONFIG_SECURE_BOOT
> > +#undef CONFIG_EXTRA_ENV_SETTINGS
> > +#define CONFIG_EXTRA_ENV_SETTINGS		\
> > +	"hwconfig=fsl_ddr:bank_intlv=auto\0"	\
> > +	"loadaddr=0x90100000\0"			\
> > +	"kernel_addr=0x100000\0"		\
> > +	"ramdisk_addr=0x800000\0"		\
> > +	"ramdisk_size=0x2000000\0"		\
> > +	"fdt_high=0xa0000000\0"			\
> > +	"initrd_high=0xffffffffffffffff\0"	\
> > +	"kernel_start=0x1000000\0"		\
> > +	"kernel_load=0xa0000000\0"		\
> > +	"kernel_size=0x2800000\0"		\
> > +	"mcinitcmd=sf probe 0:0;sf read 0xa0a00000 0xa00000 0x100000;"	\
> > +	"sf read 0xa0700000 0x700000 0x4000; esbc_validate 0xa0700000;"	\
> > +	"sf read 0xa0e00000 0xe00000 0x100000;"	\
> > +	"sf read 0xa0740000 0x740000 0x4000;esbc_validate 0xa0740000;"	\
> > +	"fsl_mc start mc 0xa0a00000 0xa0e00000\0"			\
> > +	"mcmemsize=0x70000000 \0"
> > +#else /* if !(CONFIG_SECURE_BOOT) */
> >  #if defined(CONFIG_QSPI_BOOT)
> >  #undef CONFIG_EXTRA_ENV_SETTINGS
> >  #define CONFIG_EXTRA_ENV_SETTINGS		\
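
Review bot: In the new `mcinitcmd` the commands are chained with `;`, so `fsl_mc start mc 0xa0a00000 0xa0e00000` is reached whatever `sf probe`, `sf read` or `esbc_validate` return. The only thing that keeps MC from starting on an unvalidated image is `esbc_validate` not returning on failure; chaining the steps with `&&` would make the environment fail closed on its own, and would also stop on a failed flash read. Separately, the commit message lists PPA, MC, DPC, Bootscript, DPL and Kernel, but only two headers (0xa0700000 and 0xa0740000) are validated here; align the message with what the environment actually does.
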
> > @@ -362,6 +382,7 @@ unsigned long get_board_ddr_clk(void);
> >  	"mcinitcmd=fsl_mc start mc 0x580A00000 0x580E00000\0"	\
> >  	"mcmemsize=0x70000000 \0"
> >  #endif
> > +#endif /* CONFIG_SECURE_BOOT */
> >
> >  #ifdef CONFIG_FSL_MC_ENET
> >  #define CONFIG_FSL_MEMAC
> > diff --git a/include/configs/ls1088ardb.h
> > b/include/configs/ls1088ardb.h index 3223278..cb16a27 100644
> > --- a/include/configs/ls1088ardb.h
> > +++ b/include/configs/ls1088ardb.h
> > @@ -251,6 +251,26 @@
> >  #define CONFIG_FSL_MEMAC
> >
> >  /* Initial environment variables */
> > +#ifdef CONFIG_SECURE_BOOT
> > +#undef CONFIG_EXTRA_ENV_SETTINGS
> > +#define CONFIG_EXTRA_ENV_SETTINGS		\
> > +	"hwconfig=fsl_ddr:bank_intlv=auto\0"	\
> > +	"loadaddr=0x90100000\0"			\
> > +	"kernel_addr=0x100000\0"		\
> > +	"ramdisk_addr=0x800000\0"		\
> > +	"ramdisk_size=0x2000000\0"		\
> > +	"fdt_high=0xa0000000\0"			\
> > +	"initrd_high=0xffffffffffffffff\0"	\
> > +	"kernel_start=0x1000000\0"		\
> > +	"kernel_load=0xa0000000\0"		\
> > +	"kernel_size=0x2800000\0"		\
> > +	"mcinitcmd=sf probe 0:0;sf read 0xa0a00000 0xa00000 0x100000;"	\
> > +	"sf read 0xa0700000 0x700000 0x4000; esbc_validate 0xa0700000;"	\
> > +	"sf read 0xa0e00000 0xe00000 0x100000;"	\
> > +	"sf read 0xa0740000 0x740000 0x4000; esbc_validate 0xa0740000;"	\
> > +	"fsl_mc start mc 0xa0a00000 0xa0e00000\0"	\
> > +	"mcmemsize=0x70000000 \0"
> > +#else /* if !(CONFIG_SECURE_BOOT) */
> >  #if defined(CONFIG_QSPI_BOOT)
> >  #undef CONFIG_EXTRA_ENV_SETTINGS
> >  #define CONFIG_EXTRA_ENV_SETTINGS		\
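
Review bot: This CONFIG_SECURE_BOOT environment block duplicates the one added to ls1088aqds.h in the same patch; the two differ only in whitespace inside the `mcinitcmd` strings. Define it once in a shared header such as ls1088a_common.h so that the validated addresses cannot drift apart between the two boards. The point about `;` chaining ahead of `fsl_mc start mc` applies here as well.
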
> > @@ -270,7 +290,7 @@
> >  	"mcmemsize=0x70000000 \0"
> >
> >  #endif
> > -
> > +#endif /* CONFIG_SECURE_BOOT */
> >  /* MAC/PHY configuration */
> >  #ifdef CONFIG_FSL_MC_ENET
> >  #define CONFIG_PHYLIB_10G
> >
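
Review bot: Style point on the last hunk: the blank line before `/* MAC/PHY configuration */` is replaced by the new `#endif /* CONFIG_SECURE_BOOT */`, so the closing directive now sits directly against the next section comment. Add the `#endif` and keep the blank line, as the matching hunk in ls1088aqds.h does.
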
> 
> Please briefly explain how you define the boot command. I lost track.
> How do you deal with the failure of mcinitcmd?
> 
> York


These patches are for secure boot, in which we add the esbc_validate command in mcinitcmd to verify the MC and DPC images. If there is any failure in validation of these images, secure boot will fail, an SNVS state transition will take place, and the core will go into a spin loop (based on the ITS value).
No boot command is added in these patches, as it is the same as that of the non-secure flow.

