From 9711f52806655bcfa28fe5594b91fed430beb72e Mon Sep 17 00:00:00 2001 From: Aneesh Bansal Date: Tue, 8 Dec 2015 13:54:29 +0530 Subject: armv8/ls1043ardb: add SECURE BOOT target for NOR LS1043ARDB Secure Boot Target from NOR has been added. - Configs defined to enable esbc_validate. - ESBC Address in header is made 64 bit. - SMMU is re-configured in Bypass mode. Signed-off-by: Aneesh Bansal Reviewed-by: York Sun --- arch/arm/include/asm/arch-fsl-layerscape/config.h | 4 +-- .../include/asm/arch-fsl-layerscape/immap_lsch2.h | 2 +- arch/arm/include/asm/fsl_secure_boot.h | 6 +++- board/freescale/common/fsl_validate.c | 34 ++++++++++++++-------- board/freescale/ls1043ardb/MAINTAINERS | 5 ++++ board/freescale/ls1043ardb/ls1043ardb.c | 18 +++++++++++- common/cmd_blob.c | 6 ++-- configs/ls1043ardb_SECURE_BOOT_defconfig | 9 ++++++ include/configs/ls1043ardb.h | 10 +++++++ include/fsl_validate.h | 9 +++++- 10 files changed, 82 insertions(+), 21 deletions(-) create mode 100644 configs/ls1043ardb_SECURE_BOOT_defconfig diff --git a/arch/arm/include/asm/arch-fsl-layerscape/config.h b/arch/arm/include/asm/arch-fsl-layerscape/config.h index b39281260d..6e5224ea1c 100644 --- a/arch/arm/include/asm/arch-fsl-layerscape/config.h +++ b/arch/arm/include/asm/arch-fsl-layerscape/config.h @@ -153,8 +153,8 @@ #define CONFIG_SYS_FSL_PCIE_COMPAT "fsl,qoriq-pcie-v2.4" #define CONFIG_SYS_FSL_SFP_VER_3_2 -#define CONFIG_SYS_FSL_SNVS_LE -#define CONFIG_SYS_FSL_SEC_LE +#define CONFIG_SYS_FSL_SEC_MON_BE +#define CONFIG_SYS_FSL_SEC_BE #define CONFIG_SYS_FSL_SFP_BE #define CONFIG_SYS_FSL_SRK_LE #define CONFIG_KEY_REVOCATION diff --git a/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h b/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h index 83caa918bd..e7def3ac4a 100644 --- a/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h +++ b/arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h @@ -38,7 +38,7 @@ #define CONFIG_SYS_PCIE3_ADDR (CONFIG_SYS_IMMR + 0x2600000) #define CONFIG_SYS_FSL_SEC_ADDR (CONFIG_SYS_IMMR + 0x700000) #define CONFIG_SYS_FSL_JR0_ADDR (CONFIG_SYS_IMMR + 0x710000) -#define CONFIG_SYS_SNVS_ADDR (CONFIG_SYS_IMMR + 0xe90000) +#define CONFIG_SYS_SEC_MON_ADDR (CONFIG_SYS_IMMR + 0xe90000) #define CONFIG_SYS_SFP_ADDR (CONFIG_SYS_IMMR + 0xe80200) #define CONFIG_SYS_FSL_TIMER_ADDR 0x02b00000 diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index f2d4c3c5f9..806302bc61 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -11,13 +11,17 @@ #define CONFIG_CMD_ESBC_VALIDATE #define CONFIG_FSL_SEC_MON #define CONFIG_SHA_PROG_HW_ACCEL -#define CONFIG_DM #define CONFIG_RSA #define CONFIG_RSA_FREESCALE_EXP + #ifndef CONFIG_FSL_CAAM #define CONFIG_FSL_CAAM #endif +#ifndef CONFIG_DM +#define CONFIG_DM +#endif + #define CONFIG_KEY_REVOCATION #ifndef CONFIG_SYS_RAMBOOT /* The key used for verification of next level images diff --git a/board/freescale/common/fsl_validate.c b/board/freescale/common/fsl_validate.c index 73b6718db9..b510c71c40 100644 --- a/board/freescale/common/fsl_validate.c +++ b/board/freescale/common/fsl_validate.c @@ -15,7 +15,7 @@ #include #include #include -#ifndef CONFIG_MPC85xx +#ifdef CONFIG_LS102XA #include #endif @@ -99,7 +99,8 @@ int get_csf_base_addr(u32 *csf_addr, u32 *flash_base_addr) struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR); u32 csf_hdr_addr = in_be32(&gur->scratchrw[0]); - if (memcmp((u8 *)csf_hdr_addr, barker_code, ESBC_BARKER_LEN)) + if (memcmp((u8 *)(uintptr_t)csf_hdr_addr, + barker_code, ESBC_BARKER_LEN)) return -1; *csf_addr = csf_hdr_addr; @@ -117,7 +118,7 @@ static int get_ie_info_addr(u32 *ie_addr) if (get_csf_base_addr(&csf_addr, &flash_base_addr)) return -1; - hdr = (struct fsl_secboot_img_hdr *)csf_addr; + hdr = (struct fsl_secboot_img_hdr *)(uintptr_t)csf_addr; /* For SoC's with Trust Architecture v1 with corenet bus * the sg table field in CSF header has absolute address @@ -130,7 +131,7 @@ static int get_ie_info_addr(u32 *ie_addr) (((u32)hdr->psgtable & ~(CONFIG_SYS_PBI_FLASH_BASE)) + flash_base_addr); #else - sg_tbl = (struct fsl_secboot_sg_table *)(csf_addr + + sg_tbl = (struct fsl_secboot_sg_table *)(uintptr_t)(csf_addr + (u32)hdr->psgtable); #endif @@ -379,8 +380,8 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img) #ifdef CONFIG_KEY_REVOCATION if (check_srk(img)) { ret = algo->hash_update(algo, ctx, - (u8 *)(img->ehdrloc + img->hdr.srk_tbl_off), - img->hdr.len_kr.num_srk * sizeof(struct srk_table), 1); + (u8 *)(uintptr_t)(img->ehdrloc + img->hdr.srk_tbl_off), + img->hdr.len_kr.num_srk * sizeof(struct srk_table), 1); srk = 1; } #endif @@ -438,8 +439,8 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img) #ifdef CONFIG_KEY_REVOCATION if (check_srk(img)) { ret = algo->hash_update(algo, ctx, - (u8 *)(img->ehdrloc + img->hdr.srk_tbl_off), - img->hdr.len_kr.num_srk * sizeof(struct srk_table), 0); + (u8 *)(uintptr_t)(img->ehdrloc + img->hdr.srk_tbl_off), + img->hdr.len_kr.num_srk * sizeof(struct srk_table), 0); key_hash = 1; } #endif @@ -454,8 +455,13 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img) return ret; /* Update hash for actual Image */ +#ifdef CONFIG_ESBC_ADDR_64BIT ret = algo->hash_update(algo, ctx, - (u8 *)img->hdr.pimg, img->hdr.img_size, 1); + (u8 *)(uintptr_t)img->hdr.pimg64, img->hdr.img_size, 1); +#else + ret = algo->hash_update(algo, ctx, + (u8 *)(uintptr_t)img->hdr.pimg, img->hdr.img_size, 1); +#endif if (ret) return ret; @@ -533,7 +539,7 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img) { char buf[20]; struct fsl_secboot_img_hdr *hdr = &img->hdr; - void *esbc = (u8 *)img->ehdrloc; + void *esbc = (u8 *)(uintptr_t)img->ehdrloc; u8 *k, *s; #ifdef CONFIG_KEY_REVOCATION u32 ret; @@ -549,7 +555,11 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img) if (memcmp(hdr->barker, barker_code, ESBC_BARKER_LEN)) return ERROR_ESBC_CLIENT_HEADER_BARKER; +#ifdef CONFIG_ESBC_ADDR_64BIT + sprintf(buf, "%llx", hdr->pimg64); +#else sprintf(buf, "%x", hdr->pimg); +#endif setenv("img_addr", buf); if (!hdr->img_size) @@ -594,7 +604,7 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img) if (!key_found && check_ie(img)) { if (get_ie_info_addr(&img->ie_addr)) return ERROR_IE_TABLE_NOT_FOUND; - ie_info = (struct ie_key_info *)img->ie_addr; + ie_info = (struct ie_key_info *)(uintptr_t)img->ie_addr; if (ie_info->num_keys == 0 || ie_info->num_keys > 32) return ERROR_ESBC_CLIENT_HEADER_INVALID_IE_NUM_ENTRY; @@ -748,7 +758,7 @@ int fsl_secboot_validate(cmd_tbl_t *cmdtp, int flag, int argc, hdr = &img->hdr; img->ehdrloc = addr; - esbc = (u8 *)img->ehdrloc; + esbc = (u8 *)(uintptr_t)img->ehdrloc; memcpy(hdr, esbc, sizeof(struct fsl_secboot_img_hdr)); diff --git a/board/freescale/ls1043ardb/MAINTAINERS b/board/freescale/ls1043ardb/MAINTAINERS index efca5bf245..84ffb638d8 100644 --- a/board/freescale/ls1043ardb/MAINTAINERS +++ b/board/freescale/ls1043ardb/MAINTAINERS @@ -7,3 +7,8 @@ F: include/configs/ls1043ardb.h F: configs/ls1043ardb_defconfig F: configs/ls1043ardb_nand_defconfig F: configs/ls1043ardb_sdcard_defconfig + +LS1043A_SECURE_BOOT BOARD +M: Aneesh Bansal +S: Maintained +F: configs/ls1043ardb_SECURE_BOOT_defconfig diff --git a/board/freescale/ls1043ardb/ls1043ardb.c b/board/freescale/ls1043ardb/ls1043ardb.c index 4556ea8ad1..c8f723a108 100644 --- a/board/freescale/ls1043ardb/ls1043ardb.c +++ b/board/freescale/ls1043ardb/ls1043ardb.c @@ -18,6 +18,8 @@ #include #include #include +#include +#include #include "cpld.h" DECLARE_GLOBAL_DATA_PTR; @@ -123,7 +125,21 @@ int config_board_mux(void) int misc_init_r(void) { config_board_mux(); - +#ifdef CONFIG_SECURE_BOOT + /* In case of Secure Boot, the IBR configures the SMMU + * to allow only Secure transactions. + * SMMU must be reset in bypass mode. + * Set the ClientPD bit and Clear the USFCFG Bit + */ + u32 val; + val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_SCR0, val); + val = (in_le32(SMMU_NSCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK); + out_le32(SMMU_NSCR0, val); +#endif +#ifdef CONFIG_FSL_CAAM + return sec_init(); +#endif return 0; } #endif diff --git a/common/cmd_blob.c b/common/cmd_blob.c index d3f22a1afc..ac8b268e0b 100644 --- a/common/cmd_blob.c +++ b/common/cmd_blob.c @@ -73,9 +73,9 @@ static int do_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) len = simple_strtoul(argv[4], NULL, 16); key_addr = simple_strtoul(argv[5], NULL, 16); - km_ptr = (uint8_t *)key_addr; - src_ptr = (uint8_t *)src_addr; - dst_ptr = (uint8_t *)dst_addr; + km_ptr = (uint8_t *)(uintptr_t)key_addr; + src_ptr = (uint8_t *)(uintptr_t)src_addr; + dst_ptr = (uint8_t *)(uintptr_t)dst_addr; if (enc) ret = blob_encap(km_ptr, src_ptr, dst_ptr, len); diff --git a/configs/ls1043ardb_SECURE_BOOT_defconfig b/configs/ls1043ardb_SECURE_BOOT_defconfig new file mode 100644 index 0000000000..d9d6c97809 --- /dev/null +++ b/configs/ls1043ardb_SECURE_BOOT_defconfig @@ -0,0 +1,9 @@ +CONFIG_ARM=y +CONFIG_TARGET_LS1043ARDB=y +CONFIG_SYS_EXTRA_OPTIONS="SYS_FSL_DDR4, SECURE_BOOT" +CONFIG_SYS_NS16550=y +CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1043a-rdb" +CONFIG_OF_CONTROL=y +CONFIG_DM=y +CONFIG_SPI_FLASH=y +CONFIG_DM_SPI=y \ No newline at end of file diff --git a/include/configs/ls1043ardb.h b/include/configs/ls1043ardb.h index 683407499a..585114f3d5 100644 --- a/include/configs/ls1043ardb.h +++ b/include/configs/ls1043ardb.h @@ -291,4 +291,14 @@ #define CONFIG_CMD_EXT2 #endif +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_CMD_HASH +#define CONFIG_SHA_HW_ACCEL +#define CONFIG_CMD_BLOB +/* For LS1043 (ARMv8), ESBC image Address in Header is 64 bit */ +#define CONFIG_ESBC_ADDR_64BIT +#endif + +#include + #endif /* __LS1043ARDB_H__ */ diff --git a/include/fsl_validate.h b/include/fsl_validate.h index 92dd98bb61..a62dc74e69 100644 --- a/include/fsl_validate.h +++ b/include/fsl_validate.h @@ -83,7 +83,9 @@ struct fsl_secboot_img_hdr { u32 sign_len; /* length of the signature in bytes */ union { u32 psgtable; /* ptr to SG table */ +#ifndef CONFIG_ESBC_ADDR_64BIT u32 pimg; /* ptr to ESBC client image */ +#endif }; union { u32 sg_entries; /* no of entries in SG table */ @@ -97,7 +99,12 @@ struct fsl_secboot_img_hdr { u32 reserved1[2]; u32 fsl_uid_1; u32 oem_uid_1; - u32 reserved2[2]; + union { + u32 reserved2[2]; +#ifdef CONFIG_ESBC_ADDR_64BIT + u64 pimg64; /* 64 bit pointer to ESBC Image */ +#endif + }; u32 ie_flag; u32 ie_key_sel; }; -- cgit v1.2.3