ls1043ardb: PPA: add PPA validation in case of secure boot

As part of Secure Boot Chain of trust, PPA image must be validated
before the image is started.
The code for the same has been added.

Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>

diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
index f54ac3f431e58f0ee293fbe59a7c2415e5e820ff..b68e87d657176308662440cdf56a3e5d31cf62c4 100644 (file)
--- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
@@ -17,6 +17,9 @@
 #ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
 #include <asm/armv8/sec_firmware.h>
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 int ppa_init(void)
 {
@@ -24,12 +27,30 @@ int ppa_init(void)
        u32 *boot_loc_ptr_l, *boot_loc_ptr_h;
        int ret;
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+       uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR;
+       uintptr_t ppa_img_addr = 0;
+#endif
+
 #ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
        ppa_fit_addr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR;
 #else
 #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
 #endif
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+       ppa_img_addr = (uintptr_t)ppa_fit_addr;
+       if (fsl_check_boot_mode_secure() != 0) {
+               ret = fsl_secboot_validate(ppa_esbc_hdr,
+                                          CONFIG_PPA_KEY_HASH,
+                                          &ppa_img_addr);
+               if (ret != 0)
+                       printf("PPA validation failed\n");
+               else
+                       printf("PPA validation Successful\n");
+       }
+#endif
+
 #ifdef CONFIG_FSL_LSCH3
        struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
        boot_loc_ptr_l = &gur->bootlocptrl;

diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index b35c271bba17a3c352397c5b518a72406c0f47d9..6b9d3e426e32f8752c3214832af6f70a4d88941c 100644 (file)
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -126,6 +126,24 @@
 /* BOOTSCRIPT_ADDR is not required */
 #endif
 
+#ifdef CONFIG_FSL_LS_PPA
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
+#ifdef CONFIG_LS1043A
+#define CONFIG_SYS_LS_PPA_ESBC_ADDR    0x600c0000
+#endif
+#else
+#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
+#endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */
+
+/* Define the key hash here if SRK used for signing PPA image is
+ * different from SRK hash put in SFP used for U-Boot.
+ * Example
+ * #define CONFIG_PPA_KEY_HASH \
+ *     "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+#define CONFIG_PPA_KEY_HASH            NULL
+#endif /* ifdef CONFIG_FSL_LS_PPA */
+
 #include <config_fsl_chain_trust.h>
 #endif /* #ifndef CONFIG_SPL_BUILD */
 #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */