armv8: LS1088A_QSPI: SECURE_BOOT: Images validation
authorUdit Agarwal <udit.agarwal@nxp.com>
Wed, 22 Nov 2017 03:31:26 +0000 (09:01 +0530)
committerYork Sun <york.sun@nxp.com>
Wed, 6 Dec 2017 22:55:17 +0000 (14:55 -0800)
Validates PPA, MC, DPC, Bootscript, DPL and Kernel images in ESBC
phase using esbc_validate command.

Enable validation of boot.scr script prior to its execution dependent
on "secureboot" flag in environment

Add header address for PPA to be validated during ESBC phase for
LS1088A platform based on LAyerscape Chasis 3.

Moves sec_init prior to ppa_init as for validation of PPA sec must
be initialised before the PPA is initialised.

Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
Signed-off-by: Vinitha Pillai-B57223 <vinitha.pillai@nxp.com>
Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
arch/arm/cpu/armv8/fsl-layerscape/Kconfig
board/freescale/ls1088a/Kconfig
board/freescale/ls1088a/ls1088a.c
include/configs/ls1088a_common.h
include/configs/ls1088aqds.h
include/configs/ls1088ardb.h

index 4866550c0dcaa9ddf97c56e3b9971379179ef622..5a75920400939a4294139a85518b96a32bfad489 100644 (file)
@@ -248,6 +248,7 @@ config SYS_LS_PPA_ESBC_ADDR
        default 0x40680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS1012A
        default 0x20680000 if SYS_LS_PPA_FW_IN_XIP && QSPI_BOOT && ARCH_LS2080A
        default 0x580680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS2080A
+       default 0x20680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS1088A
        default 0x680000 if SYS_LS_PPA_FW_IN_MMC
        default 0x680000 if SYS_LS_PPA_FW_IN_NAND
        help
index 1ada661743ed12d7a03aeeb9a07075e5e986f6b8..4479dd075844d8eb6d79057c859a54f159298ecf 100644 (file)
@@ -12,6 +12,7 @@ config SYS_SOC
 config SYS_CONFIG_NAME
        default "ls1088aqds"
 
+source "board/freescale/common/Kconfig"
 endif
 
 if TARGET_LS1088ARDB
@@ -28,4 +29,5 @@ config SYS_SOC
 config SYS_CONFIG_NAME
        default "ls1088ardb"
 
+source "board/freescale/common/Kconfig"
 endif
index b8d015f3e53429e6ab3b148f59c8eb259d593b10..9daa00759083040c6c2c46f2a20d91e0ae40f844 100644 (file)
@@ -315,6 +315,9 @@ int board_init(void)
        out_le32(irq_ccsr + IRQCR_OFFSET / 4, AQR105_IRQ_MASK);
 #endif
 
+#ifdef CONFIG_FSL_CAAM
+       sec_init();
+#endif
 #ifdef CONFIG_FSL_LS_PPA
        ppa_init();
 #endif
@@ -337,9 +340,6 @@ void detail_board_ddr_info(void)
 #if defined(CONFIG_ARCH_MISC_INIT)
 int arch_misc_init(void)
 {
-#ifdef CONFIG_FSL_CAAM
-       sec_init();
-#endif
        return 0;
 }
 #endif
index 6b71d47c5acc8030c5ad4ca5fb6e73b3c26ca5cc..b99257e547a8771db38a549984fe10b48be3d76c 100644 (file)
@@ -144,9 +144,6 @@ unsigned long long get_qixis_addr(void);
 #if defined(CONFIG_FSL_MC_ENET)
 #define CONFIG_SYS_LS_MC_DRAM_BLOCK_MIN_SIZE           (512UL * 1024 * 1024)
 #endif
-
-#define CONFIG_FSL_CAAM                        /* Enable SEC/CAAM */
-
 /* Command line configuration */
 #define CONFIG_CMD_GREPENV
 #define CONFIG_CMD_CACHE
index 310e8fd59f3f41cde3777f65b7f5a014797e65a3..e7e3afefd9a8fbd2d5912f93112d2a3fc4998f54 100644 (file)
@@ -335,6 +335,26 @@ unsigned long get_board_ddr_clk(void);
        QIXIS_SDID_MASK) != QIXIS_ESDHC_NO_ADAPTER)
 
 /* Initial environment variables */
+#ifdef CONFIG_SECURE_BOOT
+#undef CONFIG_EXTRA_ENV_SETTINGS
+#define CONFIG_EXTRA_ENV_SETTINGS              \
+       "hwconfig=fsl_ddr:bank_intlv=auto\0"    \
+       "loadaddr=0x90100000\0"                 \
+       "kernel_addr=0x100000\0"                \
+       "ramdisk_addr=0x800000\0"               \
+       "ramdisk_size=0x2000000\0"              \
+       "fdt_high=0xa0000000\0"                 \
+       "initrd_high=0xffffffffffffffff\0"      \
+       "kernel_start=0x1000000\0"              \
+       "kernel_load=0xa0000000\0"              \
+       "kernel_size=0x2800000\0"               \
+       "mcinitcmd=sf probe 0:0;sf read 0xa0a00000 0xa00000 0x100000;"  \
+       "sf read 0xa0700000 0x700000 0x4000; esbc_validate 0xa0700000;" \
+       "sf read 0xa0e00000 0xe00000 0x100000;" \
+       "sf read 0xa0740000 0x740000 0x4000;esbc_validate 0xa0740000;"  \
+       "fsl_mc start mc 0xa0a00000 0xa0e00000\0"                       \
+       "mcmemsize=0x70000000 \0"
+#else /* if !(CONFIG_SECURE_BOOT) */
 #if defined(CONFIG_QSPI_BOOT)
 #undef CONFIG_EXTRA_ENV_SETTINGS
 #define CONFIG_EXTRA_ENV_SETTINGS              \
@@ -385,6 +405,7 @@ unsigned long get_board_ddr_clk(void);
        "mcinitcmd=fsl_mc start mc 0x580A00000 0x580E00000\0"   \
        "mcmemsize=0x70000000 \0"
 #endif
+#endif /* CONFIG_SECURE_BOOT */
 
 #ifdef CONFIG_FSL_MC_ENET
 #define CONFIG_FSL_MEMAC
index e6bf2b8d8733d86f459748375b8f3f54b757e3d7..65ca1c206dfe9fd06e4d35726cadc9341d0012a6 100644 (file)
 #define MC_INIT_CMD                            \
        "mcinitcmd=sf probe 0:0;sf read 0x80000000 0xA00000 0x100000;"  \
        "sf read 0x80100000 0xE00000 0x100000;"                         \
-       "fsl_mc start mc 0x80000000 0x80100000\0"                       \
+       "env exists secureboot && "                     \
+       "sf read 0x80700000 0x700000 0x40000 && "       \
+       "sf read 0x80740000 0x740000 0x40000 && "       \
+       "esbc_validate 0x80700000 && "                  \
+       "esbc_validate 0x80740000 ;"                    \
+       "fsl_mc start mc 0x80000000 0x80100000\0"       \
        "mcmemsize=0x70000000\0"
 #elif defined(CONFIG_SD_BOOT)
 #define MC_INIT_CMD                            \
        "mcinitcmd=mmcinfo;mmc read 0x80000000 0x5000 0x800;"           \
        "mmc read 0x80100000 0x7000 0x800;"                             \
-       "fsl_mc start mc 0x80000000 0x80100000\0"                       \
+       "env exists secureboot && "                     \
+       "mmc read 0x80700000 0x3800 0x10 && "           \
+       "mmc read 0x80740000 0x3A00 0x10 && "           \
+       "esbc_validate 0x80700000 && "                  \
+       "esbc_validate 0x80740000 ;"                    \
+       "fsl_mc start mc 0x80000000 0x80100000\0"       \
        "mcmemsize=0x70000000\0"
 #endif
 
        "fdt_addr=0x64f00000\0"                 \
        "kernel_addr=0x1000000\0"               \
        "kernel_addr_sd=0x8000\0"               \
+       "kernelhdr_addr_sd=0x4000\0"            \
        "kernel_start=0x580100000\0"            \
        "kernelheader_start=0x580800000\0"      \
        "scriptaddr=0x80000000\0"               \
        "load_addr=0xa0000000\0"                \
        "kernel_size=0x2800000\0"               \
        "kernel_size_sd=0x14000\0"              \
+       "kernelhdr_size_sd=0x10\0"              \
        MC_INIT_CMD                             \
        BOOTENV                                 \
        "boot_scripts=ls1088ardb_boot.scr\0"    \
                "bootm $load_addr#ls1088ardb\0"                 \
        "qspi_bootcmd=echo Trying load from qspi..;"            \
                "sf probe && sf read $load_addr "               \
-               "$kernel_addr $kernel_size &&"                  \
+               "$kernel_addr $kernel_size ; env exists secureboot "    \
+               "&& sf read $kernelheader_addr_r $kernelheader_addr "   \
+               "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; "\
                "bootm $load_addr#$BOARD\0"                     \
-       "sd_bootcmd=echo Trying load from sd card..;"           \
+               "sd_bootcmd=echo Trying load from sd card..;"           \
                "mmcinfo; mmc read $load_addr "                 \
                "$kernel_addr_sd $kernel_size_sd ;"             \
+               "env exists secureboot && mmc read $kernelheader_addr_r "\
+               "$kernelhdr_addr_sd $kernelhdr_size_sd "        \
+               " && esbc_validate ${kernelheader_addr_r};"     \
                "bootm $load_addr#$BOARD\0"
 
 #undef CONFIG_BOOTCOMMAND
 #if defined(CONFIG_QSPI_BOOT)
 /* Try to boot an on-QSPI kernel first, then do normal distro boot */
 #define CONFIG_BOOTCOMMAND                                      \
-               "env exists mcinitcmd && run mcinitcmd && "     \
-               "sf read 0x80200000 0xd00000 0x100000;" \
-               " fsl_mc apply dpl 0x80200000;"         \
-               "run distro_bootcmd;run qspi_bootcmd"
+               "sf read 0x80200000 0xd00000 0x100000;"         \
+               "env exists mcinitcmd && env exists secureboot "        \
+               " && sf read 0x80780000 0x780000 0x100000 "     \
+               "&& esbc_validate 0x80780000;env exists mcinitcmd "     \
+               "&& fsl_mc apply dpl 0x80200000;"               \
+               "run distro_bootcmd;run qspi_bootcmd;"          \
+               "env exists secureboot && esbc_halt;"
+
 /* Try to boot an on-SD kernel first, then do normal distro boot */
 #elif defined(CONFIG_SD_BOOT)
 #define CONFIG_BOOTCOMMAND                                      \
-               "env exists mcinitcmd && run mcinitcmd ;"       \
-               "&& env exists mcinitcmd && mmcinfo; "          \
-               "mmc read 0x88000000 0x6800 0x800; "            \
-               "&& fsl_mc apply dpl 0x88000000;"               \
-               "run distro_bootcmd;run sd_bootcmd"
+               "env exists mcinitcmd && mmcinfo; "             \
+               "mmc read 0x80200000 0x6800 0x800; "            \
+               "env exists mcinitcmd && env exists secureboot "        \
+               " && mmc read 0x80780000 0x3800 0x10 "          \
+               "&& esbc_validate 0x80780000;env exists mcinitcmd "     \
+               "&& fsl_mc apply dpl 0x80200000;"               \
+               "run distro_bootcmd;run sd_bootcmd;"            \
+               "env exists secureboot && esbc_halt;"
 #endif
 
 /* MAC/PHY configuration */