[PATCH 4/4] arm: mach-k3: security: Remove certificate if detected on GP device

[Andrew Davis]

If the device is a GP and we detect a signing certificate then remove it.
It would fail to authenticate otherwise as the device is GP and has no
secure authentication services in SYSFW.

This shouldn't happen often as trying to boot signed images on GP devices
doesn't make much sense, but if we run into a signed image we should at
least try to ignore the certificate and boot the image anyway. This could
help with users of GP devices who only have HS images available.

If this does happen, print a nice big warning.

Signed-off-by: Andrew Davis <afd at ti.com>
---
 arch/arm/mach-k3/security.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c
index add7f413a4..d8d41ec515 100644
--- a/arch/arm/mach-k3/security.c
+++ b/arch/arm/mach-k3/security.c
@@ -30,10 +30,19 @@ static bool ti_secure_cert_detected(void *p_image)
 		((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82);
 }
 
+/* Primitive certificate length, assumes one 2-Octet sized SEQUENCE */
+static size_t ti_secure_cert_length(void *p_image)
+{
+	size_t seq_length = be16_to_cpu(readw_relaxed(p_image + 2));
+	/* Add 4 for the SEQUENCE tag length */
+	return seq_length + 4;
+}
+
 void ti_secure_image_post_process(void **p_image, size_t *p_size)
 {
 	struct ti_sci_handle *ti_sci = get_ti_sci_handle();
 	struct ti_sci_proc_ops *proc_ops = &ti_sci->ops.proc_ops;
+	size_t cert_length;
 	u64 image_addr;
 	u32 image_size;
 	int ret;
@@ -41,9 +50,28 @@ void ti_secure_image_post_process(void **p_image, size_t *p_size)
 	image_addr = (uintptr_t)*p_image;
 	image_size = *p_size;
 
-	if (!image_size || get_device_type() == K3_DEVICE_TYPE_GP)
+	if (!image_size)
 		return;
 
+	if (get_device_type() == K3_DEVICE_TYPE_GP) {
+		if (ti_secure_cert_detected(*p_image)) {
+			printf("Warning: Detected image signing certificate on GP device. "
+			       "Skipping certificate to prevent boot failure. "
+			       "This will fail if the image was also encrypted\n");
+
+			cert_length = ti_secure_cert_length(*p_image);
+			if (cert_length > *p_size) {
+				printf("Invalid signing certificate size\n");
+				return;
+			}
+
+			*p_image += cert_length;
+			*p_size -= cert_length;
+		}
+
+		return;
+	}
+
 	if (get_device_type() != K3_DEVICE_TYPE_HS_SE &&
 	    !ti_secure_cert_detected(*p_image)) {
 		printf("Warning: Did not detect image signing certificate. "
-- 
2.36.1