Diffstat (limited to 'arch/arm/imx-common')
-rw-r--r-- | arch/arm/imx-common/Makefile | 6 | ||||
-rw-r--r-- | arch/arm/imx-common/hab.c | 129 | ||||
-rw-r--r-- | arch/arm/imx-common/spl.c | 25 | ||||
-rw-r--r-- | arch/arm/imx-common/spl_sd.cfg | 10 |
4 files changed, 111 insertions, 59 deletions
diff --git a/arch/arm/imx-common/Makefile b/arch/arm/imx-common/Makefile index 1873185fa2..da53f627a1 100644 --- a/arch/arm/imx-common/Makefile +++ b/arch/arm/imx-common/Makefile @@ -34,9 +34,11 @@ endif ifeq ($(SOC),$(filter $(SOC),vf610)) obj-y += ddrmc-vf610.o endif +ifneq ($(CONFIG_SPL_BUILD),y) obj-$(CONFIG_CMD_BMODE) += cmd_bmode.o obj-$(CONFIG_CMD_HDMIDETECT) += cmd_hdmidet.o obj-$(CONFIG_CMD_DEKBLOB) += cmd_dek.o +endif PLUGIN = board/$(BOARDDIR)/plugin @@ -66,6 +68,7 @@ $(IMX_CONFIG): %.cfgtmp: % FORCE MKIMAGEFLAGS_u-boot.imx = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imximage \ -e $(CONFIG_SYS_TEXT_BASE) +u-boot.imx: MKIMAGEOUTPUT = u-boot.imx.log u-boot.imx: u-boot.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE $(call if_changed,mkimage) @@ -73,6 +76,7 @@ u-boot.imx: u-boot.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE ifeq ($(CONFIG_OF_SEPARATE),y) MKIMAGEFLAGS_u-boot-dtb.imx = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imximage \ -e $(CONFIG_SYS_TEXT_BASE) +u-boot-dtb.imx: MKIMAGEOUTPUT = u-boot-dtb.imx.log u-boot-dtb.imx: u-boot-dtb.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE $(call if_changed,mkimage) @@ -81,6 +85,8 @@ endif MKIMAGEFLAGS_SPL = -n $(filter-out $(PLUGIN).bin $< $(PHONY),$^) -T imximage \ -e $(CONFIG_SPL_TEXT_BASE) +SPL: MKIMAGEOUTPUT = SPL.log + SPL: spl/u-boot-spl.bin $(IMX_CONFIG) $(PLUGIN).bin FORCE $(call if_changed,mkimage) diff --git a/arch/arm/imx-common/hab.c b/arch/arm/imx-common/hab.c index 6731825060..7449487f0d 100644 --- a/arch/arm/imx-common/hab.c +++ b/arch/arm/imx-common/hab.c @@ -110,6 +110,10 @@ * +------------+ + CSF_PAD_SIZE */ +static bool is_hab_enabled(void); + +#if !defined(CONFIG_SPL_BUILD) + #define MAX_RECORD_BYTES (8*1024) /* 4 kbytes */ struct record { 
@@ -257,22 +261,6 @@ uint8_t hab_engines[16] = { -1 }; -bool is_hab_enabled(void) -{ - struct imx_sec_config_fuse_t *fuse = - (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse; - uint32_t reg; - int ret; - - ret = fuse_read(fuse->bank, fuse->word, ®); - if (ret) { - puts("\nSecure boot fuse read error\n"); - return ret; - } - - return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT; -} - static inline uint8_t get_idx(uint8_t *list, uint8_t tgt) { uint8_t idx = 0; @@ -359,6 +347,68 @@ int get_hab_status(void) return 0; } +int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) +{ + if ((argc != 1)) { + cmd_usage(cmdtp); + return 1; + } + + get_hab_status(); + + return 0; +} + +static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc, + char * const argv[]) +{ + ulong addr, ivt_offset; + int rcode = 0; + + if (argc < 3) + return CMD_RET_USAGE; + + addr = simple_strtoul(argv[1], NULL, 16); + ivt_offset = simple_strtoul(argv[2], NULL, 16); + + rcode = authenticate_image(addr, ivt_offset); + + return rcode; +} + +U_BOOT_CMD( + hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, + "display HAB status", + "" + ); + +U_BOOT_CMD( + hab_auth_img, 3, 0, do_authenticate_image, + "authenticate image via HAB", + "addr ivt_offset\n" + "addr - image hex address\n" + "ivt_offset - hex offset of IVT in the image" + ); + + +#endif /* !defined(CONFIG_SPL_BUILD) */ + +static bool is_hab_enabled(void) +{ + struct imx_sec_config_fuse_t *fuse = + (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse; + uint32_t reg; + int ret; + + ret = fuse_read(fuse->bank, fuse->word, ®); + if (ret) { + puts("\nSecure boot fuse read error\n"); + return ret; + } + + return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT; +} + uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) { uint32_t load_addr = 0; 
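Review bot: In the relocated `is_hab_enabled()` (hunk `@@ -359,6 +347,68 @@`), the fuse-read error path does `return ret;` from a function declared `bool`, so any non-zero error code silently becomes `true` and an unreadable fuse is reported as HAB enabled. That is probably the safe direction for a secure-boot gate, because the caller then attempts authentication instead of taking the `hab fuse not enabled` branch. But it rests on an implicit int-to-bool conversion, and a later cleanup to `return false;` could let unauthenticated images through, depending on how `authenticate_image()` treats the not-enabled case. I would make the intent explicit with `return true;` and a comment such as `/* fail closed: treat an unreadable fuse as secure boot enabled */`. Separately, `do_authenticate_image()` passes the value its help text calls `ivt_offset` into the parameter that `authenticate_image()` names `image_size`; most of that function's body is outside this hunk, so confirm which meaning is correct and align the help text or the parameter name.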
@@ -400,7 +450,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) (void *)(ddr_start + ivt_offset+IVT_SIZE), 4, 0x10, 0); +#if !defined(CONFIG_SPL_BUILD) get_hab_status(); +#endif puts("\nCalling authenticate_image in ROM\n"); printf("\tivt_offset = 0x%x\n", ivt_offset); @@ -449,7 +501,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) hab_caam_clock_enable(0); +#if !defined(CONFIG_SPL_BUILD) get_hab_status(); +#endif } else { puts("hab fuse not enabled\n"); } @@ -459,46 +513,3 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) return result; } - -int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) -{ - if ((argc != 1)) { - cmd_usage(cmdtp); - return 1; - } - - get_hab_status(); - - return 0; -} - -static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc, - char * const argv[]) -{ - ulong addr, ivt_offset; - int rcode = 0; - - if (argc < 3) - return CMD_RET_USAGE; - - addr = simple_strtoul(argv[1], NULL, 16); - ivt_offset = simple_strtoul(argv[2], NULL, 16); - - rcode = authenticate_image(addr, ivt_offset); - - return rcode; -} - -U_BOOT_CMD( - hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, - "display HAB status", - "" - ); - -U_BOOT_CMD( - hab_auth_img, 3, 0, do_authenticate_image, - "authenticate image via HAB", - "addr ivt_offset\n" - "addr - image hex address\n" - "ivt_offset - hex offset of IVT in the image" - ); diff --git a/arch/arm/imx-common/spl.c b/arch/arm/imx-common/spl.c index bdcda7de93..c86b6f83b8 100644 --- a/arch/arm/imx-common/spl.c +++ b/arch/arm/imx-common/spl.c @@ -12,6 +12,7 @@ #include <asm/arch/imx-regs.h> #include <asm/spl.h> #include <spl.h> +#include <asm/imx-common/hab.h> #if defined(CONFIG_MX6) /* determine boot device from SRC_SBMR1 (BOOT_CFG[4:1]) or SRC_GPR9 register */ 
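Review bot: With both `get_hab_status()` calls compiled out under `#if !defined(CONFIG_SPL_BUILD)` (hunk `@@ -400,7 +450,9 @@` and again in `@@ -449,7 +501,9 @@`), an SPL build reports no HAB events, so a failed authentication leaves only the generic message printed by the SPL caller. If the event report is excluded to keep SPL small, which is my assumption, a one-line comment at the first guard should say so, e.g. `/* HAB event report is not built into SPL */`. It would also read better to give SPL a stub next to the top-of-file guard, `static inline int get_hab_status(void) { return 0; }`, than to repeat the `#if` inside `authenticate_image()`. That function starts and ends outside these hunks.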
@@ -90,3 +91,27 @@ u32 spl_boot_mode(const u32 boot_device) } } #endif + +#if defined(CONFIG_SECURE_BOOT) + +__weak void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image) +{ + typedef void __noreturn (*image_entry_noargs_t)(void); + + image_entry_noargs_t image_entry = + (image_entry_noargs_t)(unsigned long)spl_image->entry_point; + + debug("image entry point: 0x%X\n", spl_image->entry_point); + + /* HAB looks for the CSF at the end of the authenticated data therefore, + * we need to subtract the size of the CSF from the actual filesize */ + if (authenticate_image(spl_image->load_addr, + spl_image->size - CONFIG_CSF_SIZE)) { + image_entry(); + } else { + puts("spl: ERROR: image authentication unsuccessful\n"); + hang(); + } +} + +#endif diff --git a/arch/arm/imx-common/spl_sd.cfg b/arch/arm/imx-common/spl_sd.cfg index 5fc3e8af38..14c135c549 100644 --- a/arch/arm/imx-common/spl_sd.cfg +++ b/arch/arm/imx-common/spl_sd.cfg @@ -4,5 +4,15 @@ * SPDX-License-Identifier: GPL-2.0+ */ +#define __ASSEMBLY__ +#include <config.h> + IMAGE_VERSION 2 BOOT_FROM sd + +/* + * Secure boot support + */ +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif
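Review bot: `spl_image->size - CONFIG_CSF_SIZE` in `jump_to_image_no_args()` is computed before anything has been authenticated, and `size` presumably comes from the header of the image just loaded from boot media. If it is smaller than `CONFIG_CSF_SIZE` (assuming `size` is unsigned), the subtraction wraps and a very large length is handed to `authenticate_image()`. Reject that case first, for example `if (spl_image->size > CONFIG_CSF_SIZE && authenticate_image(...))`, so an undersized image falls into the existing `hang()` branch. It is also worth confirming that `spl_image->entry_point` is guaranteed to lie inside the region HAB verified, since the jump target is read from the same structure and nothing in this hunk ties it to the authenticated range.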
\ No newline at end of file |