summaryrefslogtreecommitdiff
path: root/arch/arm
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2017-01-02 16:32:05 -0500
committerTom Rini <trini@konsulko.com>2017-01-02 16:32:05 -0500
commit516457013e5a88f65f9d6c11e9171cb03871cc92 (patch)
tree583cfafeddbacd1d1a456f49f1e687c4eb8e062c /arch/arm
parent99b02b4dce0b2fc759fb8ced5701c0d4fb7b2200 (diff)
parent7c4f0ff81e6fc3b58b8af5f64c3da98624e40132 (diff)
Merge branch 'master' of git://www.denx.de/git/u-boot-imx
Diffstat (limited to 'arch/arm')
-rw-r--r--arch/arm/Makefile2
-rw-r--r--arch/arm/imx-common/Makefile6
-rw-r--r--arch/arm/imx-common/hab.c129
-rw-r--r--arch/arm/imx-common/spl.c25
-rw-r--r--arch/arm/imx-common/spl_sd.cfg10
-rw-r--r--arch/arm/include/asm/imx-common/hab.h2
6 files changed, 114 insertions, 60 deletions
diff --git a/arch/arm/Makefile b/arch/arm/Makefile
index ef4f69d377..4b8bf80c40 100644
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -95,7 +95,7 @@ libs-y += arch/arm/cpu/
libs-y += arch/arm/lib/
ifeq ($(CONFIG_SPL_BUILD),y)
-ifneq (,$(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_MX35)$(filter $(SOC), mx25 mx27 mx5 mx6 mx7 mx31 mx35))
+ifneq (,$(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_MX35)$(filter $(SOC), mx25 mx5 mx6 mx7 mx35))
libs-y += arch/arm/imx-common/
endif
else
diff --git a/arch/arm/imx-common/Makefile b/arch/arm/imx-common/Makefile
index 1873185fa2..da53f627a1 100644
--- a/arch/arm/imx-common/Makefile
+++ b/arch/arm/imx-common/Makefile
@@ -34,9 +34,11 @@ endif
ifeq ($(SOC),$(filter $(SOC),vf610))
obj-y += ddrmc-vf610.o
endif
+ifneq ($(CONFIG_SPL_BUILD),y)
obj-$(CONFIG_CMD_BMODE) += cmd_bmode.o
obj-$(CONFIG_CMD_HDMIDETECT) += cmd_hdmidet.o
obj-$(CONFIG_CMD_DEKBLOB) += cmd_dek.o
+endif
PLUGIN = board/$(BOARDDIR)/plugin
@@ -66,6 +68,7 @@ $(IMX_CONFIG): %.cfgtmp: % FORCE
MKIMAGEFLAGS_u-boot.imx = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imximage \
-e $(CONFIG_SYS_TEXT_BASE)
+u-boot.imx: MKIMAGEOUTPUT = u-boot.imx.log
u-boot.imx: u-boot.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE
$(call if_changed,mkimage)
@@ -73,6 +76,7 @@ u-boot.imx: u-boot.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE
ifeq ($(CONFIG_OF_SEPARATE),y)
MKIMAGEFLAGS_u-boot-dtb.imx = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imximage \
-e $(CONFIG_SYS_TEXT_BASE)
+u-boot-dtb.imx: MKIMAGEOUTPUT = u-boot-dtb.imx.log
u-boot-dtb.imx: u-boot-dtb.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE
$(call if_changed,mkimage)
@@ -81,6 +85,8 @@ endif
MKIMAGEFLAGS_SPL = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imximage \
-e $(CONFIG_SPL_TEXT_BASE)
+SPL: MKIMAGEOUTPUT = SPL.log
+
SPL: spl/u-boot-spl.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE
$(call if_changed,mkimage)
diff --git a/arch/arm/imx-common/hab.c b/arch/arm/imx-common/hab.c
index 6731825060..7449487f0d 100644
--- a/arch/arm/imx-common/hab.c
+++ b/arch/arm/imx-common/hab.c
@@ -110,6 +110,10 @@
* +------------+ + CSF_PAD_SIZE
*/
+static bool is_hab_enabled(void);
+
+#if !defined(CONFIG_SPL_BUILD)
+
#define MAX_RECORD_BYTES (8*1024) /* 4 kbytes */
struct record {
@@ -257,22 +261,6 @@ uint8_t hab_engines[16] = {
-1
};
-bool is_hab_enabled(void)
-{
- struct imx_sec_config_fuse_t *fuse =
- (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
- uint32_t reg;
- int ret;
-
- ret = fuse_read(fuse->bank, fuse->word, &reg);
- if (ret) {
- puts("\nSecure boot fuse read error\n");
- return ret;
- }
-
- return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT;
-}
-
static inline uint8_t get_idx(uint8_t *list, uint8_t tgt)
{
uint8_t idx = 0;
@@ -359,6 +347,68 @@ int get_hab_status(void)
return 0;
}
+int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
+{
+ if ((argc != 1)) {
+ cmd_usage(cmdtp);
+ return 1;
+ }
+
+ get_hab_status();
+
+ return 0;
+}
+
+static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ ulong addr, ivt_offset;
+ int rcode = 0;
+
+ if (argc < 3)
+ return CMD_RET_USAGE;
+
+ addr = simple_strtoul(argv[1], NULL, 16);
+ ivt_offset = simple_strtoul(argv[2], NULL, 16);
+
+ rcode = authenticate_image(addr, ivt_offset);
+
+ return rcode;
+}
+
+U_BOOT_CMD(
+ hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
+ "display HAB status",
+ ""
+ );
+
+U_BOOT_CMD(
+ hab_auth_img, 3, 0, do_authenticate_image,
+ "authenticate image via HAB",
+ "addr ivt_offset\n"
+ "addr - image hex address\n"
+ "ivt_offset - hex offset of IVT in the image"
+ );
+
+
+#endif /* !defined(CONFIG_SPL_BUILD) */
+
+static bool is_hab_enabled(void)
+{
+ struct imx_sec_config_fuse_t *fuse =
+ (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
+ uint32_t reg;
+ int ret;
+
+ ret = fuse_read(fuse->bank, fuse->word, &reg);
+ if (ret) {
+ puts("\nSecure boot fuse read error\n");
+ return ret;
+ }
+
+ return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT;
+}
+
uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
{
uint32_t load_addr = 0;
@@ -400,7 +450,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
(void *)(ddr_start + ivt_offset+IVT_SIZE),
4, 0x10, 0);
+#if !defined(CONFIG_SPL_BUILD)
get_hab_status();
+#endif
puts("\nCalling authenticate_image in ROM\n");
printf("\tivt_offset = 0x%x\n", ivt_offset);
@@ -449,7 +501,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
hab_caam_clock_enable(0);
+#if !defined(CONFIG_SPL_BUILD)
get_hab_status();
+#endif
} else {
puts("hab fuse not enabled\n");
}
@@ -459,46 +513,3 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
return result;
}
-
-int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
-{
- if ((argc != 1)) {
- cmd_usage(cmdtp);
- return 1;
- }
-
- get_hab_status();
-
- return 0;
-}
-
-static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc,
- char * const argv[])
-{
- ulong addr, ivt_offset;
- int rcode = 0;
-
- if (argc < 3)
- return CMD_RET_USAGE;
-
- addr = simple_strtoul(argv[1], NULL, 16);
- ivt_offset = simple_strtoul(argv[2], NULL, 16);
-
- rcode = authenticate_image(addr, ivt_offset);
-
- return rcode;
-}
-
-U_BOOT_CMD(
- hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
- "display HAB status",
- ""
- );
-
-U_BOOT_CMD(
- hab_auth_img, 3, 0, do_authenticate_image,
- "authenticate image via HAB",
- "addr ivt_offset\n"
- "addr - image hex address\n"
- "ivt_offset - hex offset of IVT in the image"
- );
diff --git a/arch/arm/imx-common/spl.c b/arch/arm/imx-common/spl.c
index bdcda7de93..c86b6f83b8 100644
--- a/arch/arm/imx-common/spl.c
+++ b/arch/arm/imx-common/spl.c
@@ -12,6 +12,7 @@
#include <asm/arch/imx-regs.h>
#include <asm/spl.h>
#include <spl.h>
+#include <asm/imx-common/hab.h>
#if defined(CONFIG_MX6)
/* determine boot device from SRC_SBMR1 (BOOT_CFG[4:1]) or SRC_GPR9 register */
@@ -90,3 +91,27 @@ u32 spl_boot_mode(const u32 boot_device)
}
}
#endif
+
+#if defined(CONFIG_SECURE_BOOT)
+
+__weak void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image)
+{
+ typedef void __noreturn (*image_entry_noargs_t)(void);
+
+ image_entry_noargs_t image_entry =
+ (image_entry_noargs_t)(unsigned long)spl_image->entry_point;
+
+ debug("image entry point: 0x%X\n", spl_image->entry_point);
+
+ /* HAB looks for the CSF at the end of the authenticated data therefore,
+ * we need to subtract the size of the CSF from the actual filesize */
+ if (authenticate_image(spl_image->load_addr,
+ spl_image->size - CONFIG_CSF_SIZE)) {
+ image_entry();
+ } else {
+ puts("spl: ERROR: image authentication unsuccessful\n");
+ hang();
+ }
+}
+
+#endif
diff --git a/arch/arm/imx-common/spl_sd.cfg b/arch/arm/imx-common/spl_sd.cfg
index 5fc3e8af38..14c135c549 100644
--- a/arch/arm/imx-common/spl_sd.cfg
+++ b/arch/arm/imx-common/spl_sd.cfg
@@ -4,5 +4,15 @@
* SPDX-License-Identifier: GPL-2.0+
*/
+#define __ASSEMBLY__
+#include <config.h>
+
IMAGE_VERSION 2
BOOT_FROM sd
+
+/*
+ * Secure boot support
+ */
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif \ No newline at end of file
diff --git a/arch/arm/include/asm/imx-common/hab.h b/arch/arm/include/asm/imx-common/hab.h
index dab6789b10..e0ff459d53 100644
--- a/arch/arm/include/asm/imx-common/hab.h
+++ b/arch/arm/include/asm/imx-common/hab.h
@@ -145,4 +145,6 @@ typedef void hapi_clock_init_t(void);
/* ----------- end of HAB API updates ------------*/
+uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size);
+
#endif