ls1043ardb: PPA: add PPA validation in case of secure boot
authorSumit Garg <sumit.garg@nxp.com>
Thu, 1 Sep 2016 16:56:44 +0000 (12:56 -0400)
committerYork Sun <york.sun@nxp.com>
Wed, 14 Sep 2016 21:06:39 +0000 (14:06 -0700)
As part of Secure Boot Chain of trust, PPA image must be validated
before the image is started.
The code for the same has been added.

Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
arch/arm/cpu/armv8/fsl-layerscape/ppa.c
arch/arm/include/asm/fsl_secure_boot.h

index f54ac3f431e58f0ee293fbe59a7c2415e5e820ff..b68e87d657176308662440cdf56a3e5d31cf62c4 100644 (file)
@@ -17,6 +17,9 @@
 #ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
 #include <asm/armv8/sec_firmware.h>
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 int ppa_init(void)
 {
@@ -24,12 +27,30 @@ int ppa_init(void)
        u32 *boot_loc_ptr_l, *boot_loc_ptr_h;
        int ret;
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+       uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR;
+       uintptr_t ppa_img_addr = 0;
+#endif
+
 #ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
        ppa_fit_addr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR;
 #else
 #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
 #endif
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+       ppa_img_addr = (uintptr_t)ppa_fit_addr;
+       if (fsl_check_boot_mode_secure() != 0) {
+               ret = fsl_secboot_validate(ppa_esbc_hdr,
+                                          CONFIG_PPA_KEY_HASH,
+                                          &ppa_img_addr);
+               if (ret != 0)
+                       printf("PPA validation failed\n");
+               else
+                       printf("PPA validation Successful\n");
+       }
+#endif
+
 #ifdef CONFIG_FSL_LSCH3
        struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
        boot_loc_ptr_l = &gur->bootlocptrl;
index b35c271bba17a3c352397c5b518a72406c0f47d9..6b9d3e426e32f8752c3214832af6f70a4d88941c 100644 (file)
 /* BOOTSCRIPT_ADDR is not required */
 #endif
 
+#ifdef CONFIG_FSL_LS_PPA
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
+#ifdef CONFIG_LS1043A
+#define CONFIG_SYS_LS_PPA_ESBC_ADDR    0x600c0000
+#endif
+#else
+#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
+#endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */
+
+/* Define the key hash here if SRK used for signing PPA image is
+ * different from SRK hash put in SFP used for U-Boot.
+ * Example
+ * #define CONFIG_PPA_KEY_HASH \
+ *     "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+#define CONFIG_PPA_KEY_HASH            NULL
+#endif /* ifdef CONFIG_FSL_LS_PPA */
+
 #include <config_fsl_chain_trust.h>
 #endif /* #ifndef CONFIG_SPL_BUILD */
 #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */