[PATCH v5 1/1] board: zynqmp: add cmd for getting boot auth state

Tomas Melin tomas.melin at vaisala.com
Thu Jan 8 08:55:45 CET 2026 

Hi Neal,

Few comments below for consideration, apart from that:

Reviewed-by: Tomas Melin <tomas.melin at vaisala.com>

On 08/01/2026 09:46, Neal Frager wrote:
> Add command for checking if boot was authenticated.
> 
> Signed-off-by: Igor Opaniuk <igor.opaniuk at foundries.io>
> Signed-off-by: Neal Frager <neal.frager at amd.com>
> ---
> V1->V2:
> - extended zynqmp command with verify_auth sub-command
> - changed return value, so it can be used with scripts
> V2->V3:
> - separated status and ret values
> - replaced BIT(0) with ZYNQMP_CSU_STATUS_AUTHENTICATED
> - changed env variable name to "boot_auth"
> V3->V4:
> - removed unnecessary zynqmp_verify_auth function
> V4->V5:
> - added newline to zynqmp_mmio_read error msg
> ---
>  arch/arm/mach-zynqmp/zynqmp.c | 35 ++++++++++++++++++++++++++++++++++-
>  1 file changed, 34 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/arm/mach-zynqmp/zynqmp.c b/arch/arm/mach-zynqmp/zynqmp.c
> index c0398a466ff..bcfbe229148 100644
> --- a/arch/arm/mach-zynqmp/zynqmp.c
> +++ b/arch/arm/mach-zynqmp/zynqmp.c
> @@ -362,6 +362,36 @@ static int do_zynqmp_reboot(struct cmd_tbl *cmdtp, int flag,
>  	return CMD_RET_SUCCESS;
>  }
>  
> +static int do_zynqmp_verify_auth(struct cmd_tbl *cmdtp, int flag,
> +				 int argc, char * const argv[])
> +{
> +	u32 status;
> +	int ret;
> +
> +	ret = zynqmp_mmio_read((ulong)&csu_base->status, &status);
> +	if (ret) {
> +		printf("Can't obtain boot auth state\n");
> +		return CMD_RET_FAILURE;
> +	}
> +
> +	status &= ZYNQMP_CSU_STATUS_AUTHENTICATED;
> +	if (status) {
Even cleaner could simply be
        if (status & ZYNQMP_CSU_STATUS_AUTHENTICATED) {


> +		printf("Boot is authenticated\n");
These prints (is/is not) seem redundant to me as the env is populated
with the required boot_auth value. Perhaps change to debug statements or
remove?

Thanks,
Tomas

> +
> +		ret = env_set("boot_auth", "1");
> +		if (ret)
> +			return CMD_RET_FAILURE;
> +	} else {
> +		printf("Boot is not authenticated\n");
> +
> +		ret = env_set("boot_auth", "0");
> +		if (ret)
> +			return CMD_RET_FAILURE;
> +	}
> +
> +	return CMD_RET_SUCCESS;
> +}
> +
>  static struct cmd_tbl cmd_zynqmp_sub[] = {
>  	U_BOOT_CMD_MKENT(secure, 5, 0, do_zynqmp_verify_secure, "", ""),
>  	U_BOOT_CMD_MKENT(pmufw, 4, 0, do_zynqmp_pmufw, "", ""),
> @@ -371,6 +401,7 @@ static struct cmd_tbl cmd_zynqmp_sub[] = {
>  	U_BOOT_CMD_MKENT(rsa, 7, 0, do_zynqmp_rsa, "", ""),
>  	U_BOOT_CMD_MKENT(sha3, 5, 0, do_zynqmp_sha3, "", ""),
>  	U_BOOT_CMD_MKENT(reboot, 3, 0, do_zynqmp_reboot, "", ""),
> +	U_BOOT_CMD_MKENT(verify_auth, 2, 0, do_zynqmp_verify_auth, "", ""),
>  #ifdef CONFIG_DEFINE_TCM_OCM_MMAP
>  	U_BOOT_CMD_MKENT(tcminit, 3, 0, do_zynqmp_tcm_init, "", ""),
>  #endif
> @@ -446,10 +477,12 @@ U_BOOT_LONGHELP(zynqmp,
>  	"	48 bytes hash value into srcaddr\n"
>  	"	Optional key_addr can be specified for saving sha3 hash value\n"
>  	"	Note: srcaddr/srclen should not be 0\n"
> +	"zynqmp verify_auth - verifies if boot.bin was authenticated\n"
> +	"	Returns boot_auth : 0 not authenticated, 1 authenticated\n"
>  	);
>  
>  U_BOOT_CMD(
> -	zynqmp, 9, 1, do_zynqmp,
> +	zynqmp, 10, 1, do_zynqmp,
>  	"ZynqMP sub-system",
>  	zynqmp_help_text
>  );

More information about the U-Boot mailing list