summaryrefslogtreecommitdiff
path: root/arch
diff options
context:
space:
mode:
Diffstat (limited to 'arch')
-rw-r--r--arch/arm/cpu/armv8/fsl-layerscape/ppa.c21
-rw-r--r--arch/arm/include/asm/fsl_secure_boot.h18
2 files changed, 39 insertions, 0 deletions
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
index f54ac3f431..b68e87d657 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
@@ -17,6 +17,9 @@
#ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
#include <asm/armv8/sec_firmware.h>
#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
int ppa_init(void)
{
@@ -24,12 +27,30 @@ int ppa_init(void)
u32 *boot_loc_ptr_l, *boot_loc_ptr_h;
int ret;
+#ifdef CONFIG_CHAIN_OF_TRUST
+ uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR;
+ uintptr_t ppa_img_addr = 0;
+#endif
+
#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
ppa_fit_addr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR;
#else
#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ ppa_img_addr = (uintptr_t)ppa_fit_addr;
+ if (fsl_check_boot_mode_secure() != 0) {
+ ret = fsl_secboot_validate(ppa_esbc_hdr,
+ CONFIG_PPA_KEY_HASH,
+ &ppa_img_addr);
+ if (ret != 0)
+ printf("PPA validation failed\n");
+ else
+ printf("PPA validation Successful\n");
+ }
+#endif
+
#ifdef CONFIG_FSL_LSCH3
struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
boot_loc_ptr_l = &gur->bootlocptrl;
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index b35c271bba..6b9d3e426e 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -126,6 +126,24 @@
/* BOOTSCRIPT_ADDR is not required */
#endif
+#ifdef CONFIG_FSL_LS_PPA
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
+#ifdef CONFIG_LS1043A
+#define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x600c0000
+#endif
+#else
+#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
+#endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */
+
+/* Define the key hash here if SRK used for signing PPA image is
+ * different from SRK hash put in SFP used for U-Boot.
+ * Example
+ * #define CONFIG_PPA_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+#define CONFIG_PPA_KEY_HASH NULL
+#endif /* ifdef CONFIG_FSL_LS_PPA */
+
#include <config_fsl_chain_trust.h>
#endif /* #ifndef CONFIG_SPL_BUILD */
#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
generated by cgit (git 2.34.1) at 2025-01-19 14:54:51 +0000