From a1b6b0a9c1f91756b93e6d804837dc178d79d39e Mon Sep 17 00:00:00 2001
From: Mario Six <mario.six@gdsys.cc>
Date: Wed, 11 Jan 2017 16:01:00 +0100
Subject: arm: mvebu: Implement secure boot

The patch implements secure booting for the mvebu architecture.

This includes:
- The addition of secure headers and all needed signatures and keys in
  mkimage
- Commands capable of writing the board's efuses to both write the
  needed cryptographic data and enable the secure booting mechanism
- The creation of convenience text files containing the necessary
  commands to write the efuses

The KAK and CSK keys are expected to reside in the files kwb_kak.key and
kwb_csk.key (OpenSSL 2048 bit private keys) in the top-level directory.

Signed-off-by: Reinhard Pfau <reinhard.pfau@gdsys.cc>
Signed-off-by: Mario Six <mario.six@gdsys.cc>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Stefan Roese <sr@denx.de>
---
 arch/arm/mach-mvebu/include/mach/cpu.h   |  2 +
 arch/arm/mach-mvebu/include/mach/efuse.h | 69 ++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 arch/arm/mach-mvebu/include/mach/efuse.h

(limited to 'arch/arm/mach-mvebu/include/mach')

diff --git a/arch/arm/mach-mvebu/include/mach/cpu.h b/arch/arm/mach-mvebu/include/mach/cpu.h
index 66f7680fb3..d241eea956 100644
--- a/arch/arm/mach-mvebu/include/mach/cpu.h
+++ b/arch/arm/mach-mvebu/include/mach/cpu.h
@@ -36,7 +36,9 @@ enum cpu_target {
 	CPU_TARGET_ETH01 = 0x7,
 	CPU_TARGET_PCIE13 = 0x8,
 	CPU_TARGET_SASRAM = 0x9,
+	CPU_TARGET_SATA01 = 0xa, /* A38X */
 	CPU_TARGET_NAND = 0xd,
+	CPU_TARGET_SATA23_DFX = 0xe, /* A38X */
 };
 
 enum cpu_attrib {
diff --git a/arch/arm/mach-mvebu/include/mach/efuse.h b/arch/arm/mach-mvebu/include/mach/efuse.h
new file mode 100644
index 0000000000..ef693e6749
--- /dev/null
+++ b/arch/arm/mach-mvebu/include/mach/efuse.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2015 Reinhard Pfau <reinhard.pfau@gdsys.cc>
+ *
+ * SPDX-License-Identifier:	GPL-2.0+
+ */
+
+#ifndef _MVEBU_EFUSE_H
+#define _MVEBU_EFUSE_H
+
+#include <common.h>
+
+struct efuse_val {
+	union {
+		struct {
+			u8 d[8];
+		} bytes;
+		struct {
+			u16 d[4];
+		} words;
+		struct {
+			u32 d[2];
+		} dwords;
+	};
+	u32 lock;
+};
+
+#if defined(CONFIG_ARMADA_38X)
+
+enum efuse_line {
+	EFUSE_LINE_SECURE_BOOT = 24,
+	EFUSE_LINE_PUBKEY_DIGEST_0 = 26,
+	EFUSE_LINE_PUBKEY_DIGEST_1 = 27,
+	EFUSE_LINE_PUBKEY_DIGEST_2 = 28,
+	EFUSE_LINE_PUBKEY_DIGEST_3 = 29,
+	EFUSE_LINE_PUBKEY_DIGEST_4 = 30,
+	EFUSE_LINE_CSK_0_VALID = 31,
+	EFUSE_LINE_CSK_1_VALID = 32,
+	EFUSE_LINE_CSK_2_VALID = 33,
+	EFUSE_LINE_CSK_3_VALID = 34,
+	EFUSE_LINE_CSK_4_VALID = 35,
+	EFUSE_LINE_CSK_5_VALID = 36,
+	EFUSE_LINE_CSK_6_VALID = 37,
+	EFUSE_LINE_CSK_7_VALID = 38,
+	EFUSE_LINE_CSK_8_VALID = 39,
+	EFUSE_LINE_CSK_9_VALID = 40,
+	EFUSE_LINE_CSK_10_VALID = 41,
+	EFUSE_LINE_CSK_11_VALID = 42,
+	EFUSE_LINE_CSK_12_VALID = 43,
+	EFUSE_LINE_CSK_13_VALID = 44,
+	EFUSE_LINE_CSK_14_VALID = 45,
+	EFUSE_LINE_CSK_15_VALID = 46,
+	EFUSE_LINE_FLASH_ID = 47,
+	EFUSE_LINE_BOX_ID = 48,
+
+	EFUSE_LINE_MIN = 0,
+	EFUSE_LINE_MAX = 63,
+};
+
+#endif
+
+int mvebu_efuse_init_hw(void);
+
+int mvebu_read_efuse(int nr, struct efuse_val *val);
+
+int mvebu_write_efuse(int nr, struct efuse_val *val);
+
+int mvebu_lock_efuse(int nr);
+
+#endif
-- 
cgit