LS1012AFRWY: Add Secure Boot support
authorVinitha V Pillai <vinitha.pillai@nxp.com>
Wed, 23 May 2018 05:33:31 +0000 (11:03 +0530)
committerYork Sun <york.sun@nxp.com>
Mon, 11 Jun 2018 19:34:45 +0000 (12:34 -0700)
Added the following:
1. defconfig for LS1012AFRWY Secure boot
2. PfE Validation support

Signed-off-by: Vinitha V Pillai <vinitha.pillai@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
arch/arm/Kconfig
board/freescale/ls1012afrdm/Kconfig
board/freescale/ls1012afrdm/MAINTAINERS
board/freescale/ls1012afrdm/ls1012afrdm.c
configs/ls1012afrwy_qspi_SECURE_BOOT_defconfig [new file with mode: 0644]
drivers/net/pfe_eth/pfe_firmware.c
include/configs/ls1012afrwy.h

index e9f68cc3af40a20561120a8452a5a9a41293aa55..22234cde2ab6aa4b98c3b595515a15da45f04e6b 100644 (file)
@@ -1037,6 +1037,7 @@ config TARGET_LS1012A2G5RDB
 config TARGET_LS1012AFRWY
        bool "Support ls1012afrwy"
        select ARCH_LS1012A
+       select BOARD_LATE_INIT
        select ARM64
        imply SCSI
        imply SCSI_AHCI
index 5255bce0d2bdb4aeef6bf1caca33a68b919422de..55b414e16898ec30d09335068230711948cd1496 100644 (file)
@@ -69,6 +69,14 @@ config SYS_LS_PPA_FW_ADDR
        hex "PPA Firmware Addr"
        default 0x40060000
 
+config SYS_LS_PPA_ESBC_ADDR
+       hex "PPA Firmware HDR Addr"
+       default 0x401f4000
+
+config SYS_LS_PFE_ESBC_ADDR
+       hex "PFE Firmware HDR Addr"
+       default 0x401f8000
+
 endif
 
 if TARGET_LS1012AFRDM || TARGET_LS1012AFRWY
index 36e3e5ac732a8f78c838c1be99a9738c2e99002b..f3fcdb87ae72425ce045cc18aef5b55df7b48d36 100644 (file)
@@ -11,3 +11,7 @@ S:      Maintained
 F:      board/freescale/ls1012afrwy/
 F:      include/configs/ls1012afrwy.h
 F:      configs/ls1012afrwy_qspi_defconfig
+
+M:     Vinitha V Pillai <vinitha.pillai@nxp.com>
+S:     Maintained
+F:     configs/ls1012afrwy_qspi_SECURE_BOOT_defconfig
index e30ad6edcf505c2511c1d204db04e3bcfe85a3b7..315da8b866d3703025108d58a1a36793344634b3 100644 (file)
@@ -18,6 +18,7 @@
 #include <environment.h>
 #include <fsl_mmdc.h>
 #include <netdev.h>
+#include <fsl_sec.h>
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -140,6 +141,10 @@ int board_init(void)
        gd->env_addr = (ulong)&default_environment[0];
 #endif
 
+#ifdef CONFIG_FSL_CAAM
+       sec_init();
+#endif
+
 #ifdef CONFIG_FSL_LS_PPA
        ppa_init();
 #endif
diff --git a/configs/ls1012afrwy_qspi_SECURE_BOOT_defconfig b/configs/ls1012afrwy_qspi_SECURE_BOOT_defconfig
new file mode 100644 (file)
index 0000000..bfc120a
--- /dev/null
@@ -0,0 +1,54 @@
+CONFIG_ARM=y
+CONFIG_TARGET_LS1012AFRWY=y
+CONFIG_SECURE_BOOT=y
+CONFIG_SYS_TEXT_BASE=0x40100000
+CONFIG_FSL_LS_PPA=y
+CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1012a-frwy"
+CONFIG_DISTRO_DEFAULTS=y
+# CONFIG_SYS_MALLOC_F is not set
+CONFIG_FIT_VERBOSE=y
+CONFIG_OF_BOARD_SETUP=y
+CONFIG_OF_STDOUT_VIA_ALIAS=y
+CONFIG_SYS_EXTRA_OPTIONS="QSPI_BOOT"
+CONFIG_QSPI_BOOT=y
+CONFIG_BOOTDELAY=10
+CONFIG_USE_BOOTARGS=y
+CONFIG_BOOTARGS="console=ttyS0,115200 root=/dev/ram0 earlycon=uart8250,mmio,0x21c0500 quiet lpj=250000"
+# CONFIG_DISPLAY_BOARDINFO is not set
+CONFIG_DISPLAY_BOARDINFO_LATE=y
+CONFIG_CMD_GREPENV=y
+CONFIG_CMD_GPT=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_MMC=y
+CONFIG_CMD_PCI=y
+CONFIG_CMD_SF=y
+CONFIG_CMD_USB=y
+CONFIG_CMD_CACHE=y
+CONFIG_OF_CONTROL=y
+CONFIG_ENV_IS_IN_SPI_FLASH=y
+CONFIG_NET_RANDOM_ETHADDR=y
+CONFIG_DM=y
+# CONFIG_BLK is not set
+CONFIG_DM_MMC=y
+# CONFIG_DM_MMC_OPS is not set
+CONFIG_DM_SPI_FLASH=y
+CONFIG_SPI_FLASH=y
+CONFIG_DM_ETH=y
+CONFIG_SPI_FLASH_WINBOND=y
+CONFIG_NETDEVICES=y
+CONFIG_E1000=y
+CONFIG_FSL_PFE=y
+CONFIG_PCI=y
+CONFIG_DM_PCI=y
+CONFIG_DM_PCI_COMPAT=y
+CONFIG_PCIE_LAYERSCAPE=y
+CONFIG_SYS_NS16550=y
+CONFIG_DM_SPI=y
+CONFIG_FSL_DSPI=y
+CONFIG_USB=y
+CONFIG_DM_USB=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_XHCI_DWC3=y
+CONFIG_USB_STORAGE=y
+CONFIG_RSA=y
+CONFIG_RSA_SOFTWARE_EXP=y
index f06ed3729284a9187460a319ae6ba2db39bb711c..adb2d06010ce3a75c364e8e4514985a47c8ae634 100644 (file)
@@ -12,6 +12,9 @@
 
 #include <net/pfe_eth/pfe_eth.h>
 #include <net/pfe_eth/pfe_firmware.h>
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 #define PFE_FIRMEWARE_FIT_CNF_NAME     "config@1"
 
@@ -168,10 +171,15 @@ static int pfe_fit_check(void)
  */
 int pfe_firmware_init(void)
 {
+#define PFE_KEY_HASH   NULL
        char *pfe_firmware_name;
        const void *raw_image_addr;
        size_t raw_image_size = 0;
        u8 *pfe_firmware;
+#ifdef CONFIG_CHAIN_OF_TRUST
+       uintptr_t pfe_esbc_hdr = 0;
+       uintptr_t pfe_img_addr = 0;
+#endif
        int ret = 0;
        int fw_count;
 
@@ -179,6 +187,27 @@ int pfe_firmware_init(void)
        if (ret)
                goto err;
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+       pfe_esbc_hdr = CONFIG_SYS_LS_PFE_ESBC_ADDR;
+       pfe_img_addr = (uintptr_t)pfe_fit_addr;
+       if (fsl_check_boot_mode_secure() != 0) {
+               /*
+                * In case of failure in validation, fsl_secboot_validate
+                * would not return back in case of Production environment
+                * with ITS=1. In Development environment (ITS=0 and
+                * SB_EN=1), the function may return back in case of
+                * non-fatal failures.
+                */
+               ret = fsl_secboot_validate(pfe_esbc_hdr,
+                                          PFE_KEY_HASH,
+                                          &pfe_img_addr);
+               if (ret != 0)
+                       printf("PFE firmware(s) validation failed\n");
+               else
+                       printf("PFE firmware(s) validation Successful\n");
+       }
+#endif
+
        for (fw_count = 0; fw_count < 2; fw_count++) {
                if (fw_count == 0)
                        pfe_firmware_name = "class";
index 982f74262774f5780ba6fd8e0565015414d4cd0e..35578c3e41f11dbba94084d87b73675b38c9679e 100644 (file)
        "initrd_high=0xffffffffffffffff\0"      \
        "fdt_addr=0x00f00000\0"                 \
        "kernel_addr=0x01000000\0"              \
+       "kernel_size_sd=0x16000\0"              \
+       "kernelhdr_size_sd=0x10\0"              \
+       "kernel_addr_sd=0x8000\0"               \
+       "kernelhdr_addr_sd=0x4000\0"            \
+       "kernelheader_addr=0x1fc000\0"          \
        "kernelheader_addr=0x1fc000\0"          \
        "scriptaddr=0x80000000\0"               \
        "scripthdraddr=0x80080000\0"            \
        "fdtheader_addr_r=0x80100000\0"         \
        "kernelheader_addr_r=0x80200000\0"      \
+       "kernelheader_size=0x40000\0"           \
        "kernel_addr_r=0x81000000\0"            \
        "fdt_addr_r=0x90000000\0"               \
        "load_addr=0x96000000\0"                \
                "$kernel_addr $kernel_size; env exists secureboot "     \
                "&& sf read $kernelheader_addr_r $kernelheader_addr "   \
                "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \
+               "bootm $load_addr#$board\0"     \
+       "sd_bootcmd=echo Trying load from sd card..;"           \
+               "mmcinfo; mmc read $load_addr "                 \
+               "$kernel_addr_sd $kernel_size_sd ;"             \
+               "env exists secureboot && mmc read $kernelheader_addr_r "\
+               "$kernelhdr_addr_sd $kernelhdr_size_sd "                \
+               " && esbc_validate ${kernelheader_addr_r};"     \
                "bootm $load_addr#$board\0"
 
 #undef CONFIG_BOOTCOMMAND
-#define CONFIG_BOOTCOMMAND "pfe stop; run distro_bootcmd; run qspi_bootcmd; "\
+#define CONFIG_BOOTCOMMAND "pfe stop; run distro_bootcmd; run sd_bootcmd; "\
                           "env exists secureboot && esbc_halt;"
 #define CONFIG_CMD_MEMINFO
 #define CONFIG_CMD_MEMTEST
 
 #include <asm/fsl_secure_boot.h>
 
+#include <asm/fsl_secure_boot.h>
 #endif /* __LS1012AFRWY_H__ */