[v4 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)

Tan, Ley Foon ley.foon.tan at intel.com
Mon Mar 1 02:55:47 CET 2021



> -----Original Message-----
> From: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> Sent: Saturday, February 27, 2021 12:11 AM
> To: u-boot at lists.denx.de
> Cc: Marek Vasut <marex at denx.de>; Tan, Ley Foon
> <ley.foon.tan at intel.com>; See, Chin Liang <chin.liang.see at intel.com>;
> Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> <tien.fong.chee at intel.com>; Westergreen, Dalon
> <dalon.westergreen at intel.com>; Simon Glass <sjg at chromium.org>; Gan,
> Yau Wai <yau.wai.gan at intel.com>; Lim, Elly Siew Chin
> <elly.siew.chin.lim at intel.com>
> Subject: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
> 
> Vendor Authorized Boot is a security feature for authenticating the images
> such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and
> etc loaded from FIT. After those images are loaded from FIT, the VAB
> certificate and signature block appended at the end of each image are sent
> to Secure Device Manager (SDM) for authentication. U-Boot will validate the
> SHA384 of the image against the SHA384 hash stored in the VAB certificate
> before sending the image to SDM for authentication.
> 
> Signed-off-by: Siew Chin Lim <elly.siew.chin.lim at intel.com>
> 
> ---
> v4:
> - Move function 'board_fit_image_post_process' and 'board_prep_linux' to
>   arch/arm/mach-socfpga/board.c
> 
> v3:
> - Add description for function 'socfpga_vendor_authentication'.
> - Relocate vab certificate to first memory bank before trigger SMC call
>   to send mailbox command because ATF only able to access first memory
> bank.
> - Report error instead of bypass the authentication in SPL if
>   Secure Device Manager (SDM) does not support VAB.
> - Print success string if VAB success.
> - Replace #ifdef with if(IS_ENABLED(CONFIG_...)).
> ---
>  arch/arm/mach-socfpga/Kconfig                    |  15 ++
>  arch/arm/mach-socfpga/Makefile                   |   2 +
>  arch/arm/mach-socfpga/board.c                    |  43 +++++-
>  arch/arm/mach-socfpga/include/mach/mailbox_s10.h |   1 +
>  arch/arm/mach-socfpga/include/mach/secure_vab.h  |  63 ++++++++
>  arch/arm/mach-socfpga/secure_vab.c               | 186
> +++++++++++++++++++++++
>  common/Kconfig.boot                              |   2 +-
>  7 files changed, 307 insertions(+), 5 deletions(-)  create mode 100644
> arch/arm/mach-socfpga/include/mach/secure_vab.h
>  create mode 100644 arch/arm/mach-socfpga/secure_vab.c
> 
>  #include <common.h>
> -#include <errno.h>
> -#include <fdtdec.h>
> -#include <init.h>
> -#include <asm/arch/reset_manager.h>
>  #include <asm/arch/clock_manager.h>
>  #include <asm/arch/misc.h>
> +#include <asm/arch/reset_manager.h>
> +#include <asm/arch/secure_vab.h>
>  #include <asm/io.h>
> +#include <errno.h>
> +#include <fdtdec.h>
> +#include <hang.h>
> +#include <image.h>
> +#include <init.h>
>  #include <log.h>
>  #include <usb.h>
>  #include <usb/dwc2_udc.h>
> @@ -97,3 +100,35 @@ __weak int board_fit_config_name_match(const char
> *name)
>  	return 0;
>  }
>  #endif
> +
> +#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH)
> +void board_fit_image_post_process(void **p_image, size_t *p_size) {
> +	if (socfpga_vendor_authentication(p_image, p_size))
> +		hang();
> +}
> +
> +void board_prep_linux(bootm_headers_t *images) {

Check CONFIG_SOCFPGA_SECURE_VAB_AUTH setting, then only include code below.

> +	if (!IS_ENABLED(CONFIG_SPL_BUILD)) {
> +		if
> (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) {
> +			/*
> +			 * Ensure the OS is always booted from FIT and with
> +			 * VAB signed certificate
> +			 */
> +			if (!images->fit_uname_cfg) {
> +				printf("Please use FIT with VAB signed
> images!\n");
> +				hang();
> +			}
> +
> +			env_set_hex("fdt_addr", (ulong)images->ft_addr);
> +			debug("images->ft_addr = 0x%08lx\n",
> (ulong)images->ft_addr);
> +		}
> +
> +		if (IS_ENABLED(CONFIG_CADENCE_QSPI)) {
> +			if (env_get("linux_qspi_enable"))
> +
> 	run_command(env_get("linux_qspi_enable"), 0);
Can always run " linux_qspi_enable" command for all target SOC64? Then can remove linux_qspi_enable from BOOTCOMMAND.

Regards
Ley Foon


More information about the U-Boot mailing list