imx: add status reporting for HAB status
authorStefano Babic <sbabic@denx.de>
Thu, 27 Jun 2013 22:20:21 +0000 (00:20 +0200)
committerStefano Babic <sbabic@denx.de>
Sat, 31 Aug 2013 13:06:29 +0000 (15:06 +0200)
Add functions to report the HAB (High Assurance Boot) status
of e.g. i.MX6 CPUs.

This is taken from

git://git.freescale.com/imx/uboot-imx.git branch imx_v2009.08_3.0.35_4.0.0
cpu/arm_cortexa8/mx6/generic.c
include/asm-arm/arch-mx6/mx6_secure.h

Signed-off-by: Stefano Babic <sbabic@denx.de>
arch/arm/cpu/armv7/mx6/Makefile
arch/arm/cpu/armv7/mx6/hab.c [new file with mode: 0644]
arch/arm/include/asm/arch-mx6/hab.h [new file with mode: 0644]
arch/arm/include/asm/arch-mx6/imx-regs.h

index c5e98582d06fa9dd1a144d9b7ebc44a01a873445..6d736174dbb09e38b50c4b9432c91dc94b6795e6 100644 (file)
@@ -11,10 +11,11 @@ include $(TOPDIR)/config.mk
 
 LIB    = $(obj)lib$(SOC).o
 
-COBJS  = soc.o clock.o
+COBJS-y        = soc.o clock.o
+COBJS-$(CONFIG_SECURE_BOOT)    += hab.o
 
-SRCS   := $(SOBJS:.o=.S) $(COBJS:.o=.c)
-OBJS   := $(addprefix $(obj),$(SOBJS) $(COBJS))
+SRCS   := $(SOBJS:.o=.S) $(COBJS-y:.o=.c)
+OBJS   := $(addprefix $(obj),$(SOBJS) $(COBJS-y))
 
 all:   $(obj).depend $(LIB)
 
diff --git a/arch/arm/cpu/armv7/mx6/hab.c b/arch/arm/cpu/armv7/mx6/hab.c
new file mode 100644 (file)
index 0000000..5187775
--- /dev/null
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2010-2013 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier:    GPL-2.0+
+ */
+
+#include <common.h>
+#include <asm/io.h>
+#include <asm/arch/hab.h>
+
+/* -------- start of HAB API updates ------------*/
+#define hab_rvt_report_event ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT)
+#define hab_rvt_report_status ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS)
+#define hab_rvt_authenticate_image \
+       ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE)
+#define hab_rvt_entry ((hab_rvt_entry_t *)HAB_RVT_ENTRY)
+#define hab_rvt_exit ((hab_rvt_exit_t *)HAB_RVT_EXIT)
+#define hab_rvt_clock_init HAB_RVT_CLOCK_INIT
+
+bool is_hab_enabled(void)
+{
+       struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR;
+       struct fuse_bank *bank = &ocotp->bank[0];
+       struct fuse_bank0_regs *fuse =
+               (struct fuse_bank0_regs *)bank->fuse_regs;
+       uint32_t reg = readl(&fuse->cfg5);
+
+       return (reg & 0x2) == 0x2;
+}
+
+void display_event(uint8_t *event_data, size_t bytes)
+{
+       uint32_t i;
+
+       if (!(event_data && bytes > 0))
+               return;
+
+       for (i = 0; i < bytes; i++) {
+               if (i == 0)
+                       printf("\t0x%02x", event_data[i]);
+               else if ((i % 8) == 0)
+                       printf("\n\t0x%02x", event_data[i]);
+               else
+                       printf(" 0x%02x", event_data[i]);
+       }
+}
+
+int get_hab_status(void)
+{
+       uint32_t index = 0; /* Loop index */
+       uint8_t event_data[128]; /* Event data buffer */
+       size_t bytes = sizeof(event_data); /* Event size in bytes */
+       enum hab_config config = 0;
+       enum hab_state state = 0;
+
+       if (is_hab_enabled())
+               puts("\nSecure boot enabled\n");
+       else
+               puts("\nSecure boot disabled\n");
+
+       /* Check HAB status */
+       if (hab_rvt_report_status(&config, &state) != HAB_SUCCESS) {
+               printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n",
+                      config, state);
+
+               /* Display HAB Error events */
+               while (hab_rvt_report_event(HAB_FAILURE, index, event_data,
+                                       &bytes) == HAB_SUCCESS) {
+                       puts("\n");
+                       printf("--------- HAB Event %d -----------------\n",
+                              index + 1);
+                       puts("event data:\n");
+                       display_event(event_data, bytes);
+                       puts("\n");
+                       bytes = sizeof(event_data);
+                       index++;
+               }
+       }
+       /* Display message if no HAB events are found */
+       else {
+               printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n",
+                      config, state);
+               puts("No HAB Events Found!\n\n");
+       }
+       return 0;
+}
+
+int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
+{
+       if ((argc != 1)) {
+               cmd_usage(cmdtp);
+               return 1;
+       }
+
+       get_hab_status();
+
+       return 0;
+}
+
+U_BOOT_CMD(
+               hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
+               "display HAB status",
+               ""
+         );
diff --git a/arch/arm/include/asm/arch-mx6/hab.h b/arch/arm/include/asm/arch-mx6/hab.h
new file mode 100644 (file)
index 0000000..d724f20
--- /dev/null
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Freescale Semiconductor, Inc. All Rights Reserved.
+ *
+ * SPDX-License-Identifier:    GPL-2.0+
+ *
+*/
+
+#ifndef __SECURE_MX6Q_H__
+#define __SECURE_MX6Q_H__
+
+#include <linux/types.h>
+
+/* -------- start of HAB API updates ------------*/
+/* The following are taken from HAB4 SIS */
+
+/* Status definitions */
+enum hab_status {
+       HAB_STS_ANY = 0x00,
+       HAB_FAILURE = 0x33,
+       HAB_WARNING = 0x69,
+       HAB_SUCCESS = 0xf0
+};
+
+/* Security Configuration definitions */
+enum hab_config {
+       HAB_CFG_RETURN = 0x33, /**< Field Return IC */
+       HAB_CFG_OPEN = 0xf0, /**< Non-secure IC */
+       HAB_CFG_CLOSED = 0xcc /**< Secure IC */
+};
+
+/* State definitions */
+enum hab_state {
+       HAB_STATE_INITIAL = 0x33, /**< Initialising state (transitory) */
+       HAB_STATE_CHECK = 0x55, /**< Check state (non-secure) */
+       HAB_STATE_NONSECURE = 0x66, /**< Non-secure state */
+       HAB_STATE_TRUSTED = 0x99, /**< Trusted state */
+       HAB_STATE_SECURE = 0xaa, /**< Secure state */
+       HAB_STATE_FAIL_SOFT = 0xcc, /**< Soft fail state */
+       HAB_STATE_FAIL_HARD = 0xff, /**< Hard fail state (terminal) */
+       HAB_STATE_NONE = 0xf0, /**< No security state machine */
+       HAB_STATE_MAX
+};
+
+/*Function prototype description*/
+typedef enum hab_status hab_rvt_report_event_t(enum hab_status, uint32_t,
+               uint8_t* , size_t*);
+typedef enum hab_status hab_rvt_report_status_t(enum hab_config *,
+               enum hab_state *);
+typedef enum hab_status hab_loader_callback_f_t(void**, size_t*, const void*);
+typedef enum hab_status hab_rvt_entry_t(void);
+typedef enum hab_status hab_rvt_exit_t(void);
+typedef void *hab_rvt_authenticate_image_t(uint8_t, ptrdiff_t,
+               void **, size_t *, hab_loader_callback_f_t);
+typedef void hapi_clock_init_t(void);
+
+#define HAB_RVT_REPORT_EVENT (*(uint32_t *)0x000000B4)
+#define HAB_RVT_REPORT_STATUS (*(uint32_t *)0x000000B8)
+#define HAB_RVT_AUTHENTICATE_IMAGE (*(uint32_t *)0x000000A4)
+#define HAB_RVT_ENTRY (*(uint32_t *)0x00000098)
+#define HAB_RVT_EXIT (*(uint32_t *)0x0000009C)
+#define HAB_RVT_CLOCK_INIT ((hapi_clock_init_t *)0x0000024D)
+
+#define HAB_CID_ROM 0 /**< ROM Caller ID */
+#define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
+/* ----------- end of HAB API updates ------------*/
+
+#endif
index 5d6bccbc0c9b590cd2d0af38b0a1e8d63c6585c4..621919f82e89ac64ff276db287f4d309b988f955 100644 (file)
@@ -456,7 +456,13 @@ struct fuse_bank0_regs {
        u32     uid_low;
        u32     rsvd1[3];
        u32     uid_high;
-       u32     rsvd2[0x17];
+       u32     rsvd2[3];
+       u32     rsvd3[4];
+       u32     rsvd4[4];
+       u32     rsvd5[4];
+       u32     cfg5;
+       u32     rsvd6[3];
+       u32     rsvd7[4];
 };
 
 struct fuse_bank4_regs {