armv8/ls1043ardb: add SECURE BOOT target for NOR
authorAneesh Bansal <aneesh.bansal@freescale.com>
Tue, 8 Dec 2015 08:24:29 +0000 (13:54 +0530)
committerYork Sun <yorksun@freescale.com>
Tue, 15 Dec 2015 00:57:35 +0000 (08:57 +0800)
LS1043ARDB Secure Boot Target from NOR has been added.
- Configs defined to enable esbc_validate.
- ESBC Address in header is made 64 bit.
- SMMU is re-configured in Bypass mode.

Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: York Sun <yorksun@freescale.com>
arch/arm/include/asm/arch-fsl-layerscape/config.h
arch/arm/include/asm/arch-fsl-layerscape/immap_lsch2.h
arch/arm/include/asm/fsl_secure_boot.h
board/freescale/common/fsl_validate.c
board/freescale/ls1043ardb/MAINTAINERS
board/freescale/ls1043ardb/ls1043ardb.c
common/cmd_blob.c
configs/ls1043ardb_SECURE_BOOT_defconfig [new file with mode: 0644]
include/configs/ls1043ardb.h
include/fsl_validate.h

index b39281260d9c0903b431b916438cb0d21f55e4e9..6e5224ea1c98b2ad83e7b5c735df8a35355953ce 100644 (file)
 #define CONFIG_SYS_FSL_PCIE_COMPAT             "fsl,qoriq-pcie-v2.4"
 
 #define CONFIG_SYS_FSL_SFP_VER_3_2
-#define CONFIG_SYS_FSL_SNVS_LE
-#define CONFIG_SYS_FSL_SEC_LE
+#define CONFIG_SYS_FSL_SEC_MON_BE
+#define CONFIG_SYS_FSL_SEC_BE
 #define CONFIG_SYS_FSL_SFP_BE
 #define CONFIG_SYS_FSL_SRK_LE
 #define CONFIG_KEY_REVOCATION
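Review bot: These two lines are not a pure rename: `CONFIG_SYS_FSL_SNVS_LE` and `CONFIG_SYS_FSL_SEC_LE` become `CONFIG_SYS_FSL_SEC_MON_BE` and `CONFIG_SYS_FSL_SEC_BE`. Going by the names, this switches the register byte order selected for the Security Monitor and SEC blocks from little to big endian, and the commit message does not mention it. A wrong setting would presumably make security-state reads come back byte-swapped, so a short comment recording the setting would help, e.g. `/* SEC and Security Monitor register blocks are big-endian */`. The enclosing SoC `#ifdef` block is outside the lines shown.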
index 83caa918bd4feda8f8c9fce870b660b4c647c971..e7def3ac4a296f2f6164a791c6a9fbf59ce87558 100644 (file)
@@ -38,7 +38,7 @@
 #define CONFIG_SYS_PCIE3_ADDR                  (CONFIG_SYS_IMMR + 0x2600000)
 #define CONFIG_SYS_FSL_SEC_ADDR                        (CONFIG_SYS_IMMR + 0x700000)
 #define CONFIG_SYS_FSL_JR0_ADDR                        (CONFIG_SYS_IMMR + 0x710000)
-#define CONFIG_SYS_SNVS_ADDR                   (CONFIG_SYS_IMMR + 0xe90000)
+#define CONFIG_SYS_SEC_MON_ADDR                        (CONFIG_SYS_IMMR + 0xe90000)
 #define CONFIG_SYS_SFP_ADDR                    (CONFIG_SYS_IMMR + 0xe80200)
 
 #define CONFIG_SYS_FSL_TIMER_ADDR              0x02b00000
index f2d4c3c5f99baa93b5e7e3a5832f8da9417bc4df..806302bc610801a8bb892f8315df287929312d56 100644 (file)
 #define CONFIG_CMD_ESBC_VALIDATE
 #define CONFIG_FSL_SEC_MON
 #define CONFIG_SHA_PROG_HW_ACCEL
-#define CONFIG_DM
 #define CONFIG_RSA
 #define CONFIG_RSA_FREESCALE_EXP
+
 #ifndef CONFIG_FSL_CAAM
 #define CONFIG_FSL_CAAM
 #endif
 
+#ifndef CONFIG_DM
+#define CONFIG_DM
+#endif
+
 #define CONFIG_KEY_REVOCATION
 #ifndef CONFIG_SYS_RAMBOOT
 /* The key used for verification of next level images
index 73b6718db9c869b42970de161424210f12f10f07..b510c71c4095e046c6d865c934e3fddd6360bd57 100644 (file)
@@ -15,7 +15,7 @@
 #include <u-boot/rsa-mod-exp.h>
 #include <hash.h>
 #include <fsl_secboot_err.h>
-#ifndef CONFIG_MPC85xx
+#ifdef CONFIG_LS102XA
 #include <asm/arch/immap_ls102xa.h>
 #endif
 
@@ -99,7 +99,8 @@ int get_csf_base_addr(u32 *csf_addr, u32 *flash_base_addr)
        struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
        u32 csf_hdr_addr = in_be32(&gur->scratchrw[0]);
 
-       if (memcmp((u8 *)csf_hdr_addr, barker_code, ESBC_BARKER_LEN))
+       if (memcmp((u8 *)(uintptr_t)csf_hdr_addr,
+                  barker_code, ESBC_BARKER_LEN))
                return -1;
 
        *csf_addr = csf_hdr_addr;
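Review bot: The `(uintptr_t)` cast in the `memcmp()` call only removes the int-to-pointer size warning. `csf_hdr_addr` is still a `u32` read with `in_be32()` and handed back through `u32 *csf_addr`, so on this 64-bit target a CSF header above 4 GiB cannot be represented. The same applies to the casts of `csf_addr` and `ie_addr` in the later hunks of this file, where `csf_addr + (u32)hdr->psgtable` is also summed in 32 bits and can wrap before it is widened. It probably applies to `img->ehdrloc` and the `do_blob()` addresses in common/cmd_blob.c too, but their declarations are outside the hunks shown. If headers are guaranteed to sit below 4 GiB on this board, a comment should say so, e.g. `/* CSF header address is 32 bit: header must be below 4 GiB */`; otherwise these fields should become `uintptr_t`.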
@@ -117,7 +118,7 @@ static int get_ie_info_addr(u32 *ie_addr)
        if (get_csf_base_addr(&csf_addr, &flash_base_addr))
                return -1;
 
-       hdr = (struct fsl_secboot_img_hdr *)csf_addr;
+       hdr = (struct fsl_secboot_img_hdr *)(uintptr_t)csf_addr;
 
        /* For SoC's with Trust Architecture v1 with corenet bus
         * the sg table field in CSF header has absolute address
@@ -130,7 +131,7 @@ static int get_ie_info_addr(u32 *ie_addr)
                 (((u32)hdr->psgtable & ~(CONFIG_SYS_PBI_FLASH_BASE)) +
                  flash_base_addr);
 #else
-       sg_tbl = (struct fsl_secboot_sg_table *)(csf_addr +
+       sg_tbl = (struct fsl_secboot_sg_table *)(uintptr_t)(csf_addr +
                                                 (u32)hdr->psgtable);
 #endif
 
@@ -379,8 +380,8 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img)
 #ifdef CONFIG_KEY_REVOCATION
        if (check_srk(img)) {
                ret = algo->hash_update(algo, ctx,
-                       (u8 *)(img->ehdrloc + img->hdr.srk_tbl_off),
-                       img->hdr.len_kr.num_srk * sizeof(struct srk_table), 1);
+                     (u8 *)(uintptr_t)(img->ehdrloc + img->hdr.srk_tbl_off),
+                     img->hdr.len_kr.num_srk * sizeof(struct srk_table), 1);
                srk = 1;
        }
 #endif
@@ -438,8 +439,8 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
 #ifdef CONFIG_KEY_REVOCATION
        if (check_srk(img)) {
                ret = algo->hash_update(algo, ctx,
-                       (u8 *)(img->ehdrloc + img->hdr.srk_tbl_off),
-                       img->hdr.len_kr.num_srk * sizeof(struct srk_table), 0);
+                     (u8 *)(uintptr_t)(img->ehdrloc + img->hdr.srk_tbl_off),
+                     img->hdr.len_kr.num_srk * sizeof(struct srk_table), 0);
                key_hash = 1;
        }
 #endif
@@ -454,8 +455,13 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
                return ret;
 
        /* Update hash for actual Image */
+#ifdef CONFIG_ESBC_ADDR_64BIT
        ret = algo->hash_update(algo, ctx,
-                       (u8 *)img->hdr.pimg, img->hdr.img_size, 1);
+               (u8 *)(uintptr_t)img->hdr.pimg64, img->hdr.img_size, 1);
+#else
+       ret = algo->hash_update(algo, ctx,
+               (u8 *)(uintptr_t)img->hdr.pimg, img->hdr.img_size, 1);
+#endif
        if (ret)
                return ret;
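Review bot: The `#ifdef CONFIG_ESBC_ADDR_64BIT` pair duplicates the whole `hash_update()` call just to pick `pimg64` or `pimg`, and the same selection is repeated for the `sprintf()` in read_validate_esbc_client_header(). Choosing the field in one small accessor keeps the hashed address and the exported `img_addr` from drifting apart if one site is edited later. calc_esbchdr_esbc_hash() starts and ends outside this hunk, so the helper below would sit above it in the file.

```c
/* Image address from the ESBC header; the field used depends on header width. */
static inline uintptr_t esbc_img_addr(const struct fsl_secboot_img_hdr *hdr)
{
#ifdef CONFIG_ESBC_ADDR_64BIT
	return (uintptr_t)hdr->pimg64;
#else
	return (uintptr_t)hdr->pimg;
#endif
}

	/* … unchanged: hash update for the ESBC header … */

	/* Update hash for actual Image */
	ret = algo->hash_update(algo, ctx, (u8 *)esbc_img_addr(&img->hdr),
				img->hdr.img_size, 1);
```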
 
@@ -533,7 +539,7 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
 {
        char buf[20];
        struct fsl_secboot_img_hdr *hdr = &img->hdr;
-       void *esbc = (u8 *)img->ehdrloc;
+       void *esbc = (u8 *)(uintptr_t)img->ehdrloc;
        u8 *k, *s;
 #ifdef CONFIG_KEY_REVOCATION
        u32 ret;
@@ -549,7 +555,11 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
        if (memcmp(hdr->barker, barker_code, ESBC_BARKER_LEN))
                return ERROR_ESBC_CLIENT_HEADER_BARKER;
 
+#ifdef CONFIG_ESBC_ADDR_64BIT
+       sprintf(buf, "%llx", hdr->pimg64);
+#else
        sprintf(buf, "%x", hdr->pimg);
+#endif
        setenv("img_addr", buf);
 
        if (!hdr->img_size)
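Review bot: `img_addr` is set from `hdr->pimg64` right after the barker compare, so the environment holds an address from a header that, as far as this hunk shows, has not yet been signature-checked. If a later check in read_validate_esbc_client_header() or the signature verification fails, any boot script that reads `img_addr` still sees the unverified value. Setting the variable only after validation succeeds, or clearing it on the error paths, avoids that. Separately, the new call should be bounded, `snprintf(buf, sizeof(buf), "%llx", hdr->pimg64);`, so a later format change cannot overrun the 20-byte `buf`. The function starts and ends outside the hunk.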
@@ -594,7 +604,7 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
        if (!key_found && check_ie(img)) {
                if (get_ie_info_addr(&img->ie_addr))
                        return ERROR_IE_TABLE_NOT_FOUND;
-               ie_info = (struct ie_key_info *)img->ie_addr;
+               ie_info = (struct ie_key_info *)(uintptr_t)img->ie_addr;
                if (ie_info->num_keys == 0 || ie_info->num_keys > 32)
                        return ERROR_ESBC_CLIENT_HEADER_INVALID_IE_NUM_ENTRY;
 
@@ -748,7 +758,7 @@ int fsl_secboot_validate(cmd_tbl_t *cmdtp, int flag, int argc,
 
        hdr = &img->hdr;
        img->ehdrloc = addr;
-       esbc = (u8 *)img->ehdrloc;
+       esbc = (u8 *)(uintptr_t)img->ehdrloc;
 
        memcpy(hdr, esbc, sizeof(struct fsl_secboot_img_hdr));
 
index efca5bf2455fac0fad9c2a0ff2bbe375808f137d..84ffb638d8e19b41158b6f4dfffd769d3ee358a6 100644 (file)
@@ -7,3 +7,8 @@ F:      include/configs/ls1043ardb.h
 F:     configs/ls1043ardb_defconfig
 F:     configs/ls1043ardb_nand_defconfig
 F:     configs/ls1043ardb_sdcard_defconfig
+
+LS1043A_SECURE_BOOT BOARD
+M:     Aneesh Bansal <aneesh.bansal@freescale.com>
+S:     Maintained
+F:     configs/ls1043ardb_SECURE_BOOT_defconfig
index 4556ea8ad11b73f7a7ebc7e52b4b3ec61ea2ebf1..c8f723a1085a5bae4b9b4ec01e604bc83b6c47bc 100644 (file)
@@ -18,6 +18,8 @@
 #include <fsl_csu.h>
 #include <fsl_esdhc.h>
 #include <fsl_ifc.h>
+#include <environment.h>
+#include <fsl_sec.h>
 #include "cpld.h"
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -123,7 +125,21 @@ int config_board_mux(void)
 int misc_init_r(void)
 {
        config_board_mux();
-
+#ifdef CONFIG_SECURE_BOOT
+       /* In case of Secure Boot, the IBR configures the SMMU
+        * to allow only Secure transactions.
+        * SMMU must be reset in bypass mode.
+        * Set the ClientPD bit and Clear the USFCFG Bit
+        */
+       u32 val;
+       val = (in_le32(SMMU_SCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK);
+       out_le32(SMMU_SCR0, val);
+       val = (in_le32(SMMU_NSCR0) | SCR0_CLIENTPD_MASK) & ~(SCR0_USFCFG_MASK);
+       out_le32(SMMU_NSCR0, val);
+#endif
+#ifdef CONFIG_FSL_CAAM
+       return sec_init();
+#endif
        return 0;
 }
 #endif
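Review bot: Setting `SCR0_CLIENTPD_MASK` and clearing `SCR0_USFCFG_MASK` in both `SMMU_SCR0` and `SMMU_NSCR0` leaves the SMMU in bypass from misc_init_r() onwards. That removes the secure-only restriction the comment says the IBR applied, and nothing in the hunk restores any stream filtering. The comment should say why bypass is needed in U-Boot (presumably so non-secure DMA masters keep working, to be confirmed by the author) and that the next stage must program the SMMU itself if it wants DMA isolation. "SMMU must be reset in bypass mode" would read more clearly as "SMMU is switched back to bypass mode". With `CONFIG_FSL_CAAM` defined the trailing `return 0;` is unreachable; an `#else` before it would make that explicit.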
index d3f22a1afc908fd16c7ff41873c4aa133ccea092..ac8b268e0b83735f7c487a425a8195b0d73f3d4f 100644 (file)
@@ -73,9 +73,9 @@ static int do_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
        len = simple_strtoul(argv[4], NULL, 16);
        key_addr = simple_strtoul(argv[5], NULL, 16);
 
-       km_ptr = (uint8_t *)key_addr;
-       src_ptr = (uint8_t *)src_addr;
-       dst_ptr = (uint8_t *)dst_addr;
+       km_ptr = (uint8_t *)(uintptr_t)key_addr;
+       src_ptr = (uint8_t *)(uintptr_t)src_addr;
+       dst_ptr = (uint8_t *)(uintptr_t)dst_addr;
 
        if (enc)
                ret = blob_encap(km_ptr, src_ptr, dst_ptr, len);
diff --git a/configs/ls1043ardb_SECURE_BOOT_defconfig b/configs/ls1043ardb_SECURE_BOOT_defconfig
new file mode 100644 (file)
index 0000000..d9d6c97
--- /dev/null
@@ -0,0 +1,9 @@
+CONFIG_ARM=y
+CONFIG_TARGET_LS1043ARDB=y
+CONFIG_SYS_EXTRA_OPTIONS="SYS_FSL_DDR4, SECURE_BOOT"
+CONFIG_SYS_NS16550=y
+CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1043a-rdb"
+CONFIG_OF_CONTROL=y
+CONFIG_DM=y
+CONFIG_SPI_FLASH=y
+CONFIG_DM_SPI=y
\ No newline at end of file
index 683407499a5dff86af5cd90b2469719eb57d88e7..585114f3d58d1b155fd9d10d05dfc8fc1162da18 100644 (file)
 #define CONFIG_CMD_EXT2
 #endif
 
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CMD_HASH
+#define CONFIG_SHA_HW_ACCEL
+#define CONFIG_CMD_BLOB
+/* For LS1043 (ARMv8), ESBC image Address in Header is 64 bit */
+#define CONFIG_ESBC_ADDR_64BIT
+#endif
+
+#include <asm/fsl_secure_boot.h>
+
 #endif /* __LS1043ARDB_H__ */
index 92dd98bb6156d0586cdd676d8c2b42146d6cd8f7..a62dc74e69467999b0c86a636c9ecea8a558d240 100644 (file)
@@ -83,7 +83,9 @@ struct fsl_secboot_img_hdr {
        u32 sign_len;           /* length of the signature in bytes */
        union {
                u32 psgtable;   /* ptr to SG table */
+#ifndef CONFIG_ESBC_ADDR_64BIT
                u32 pimg;       /* ptr to ESBC client image */
+#endif
        };
        union {
                u32 sg_entries; /* no of entries in SG table */
@@ -97,7 +99,12 @@ struct fsl_secboot_img_hdr {
        u32 reserved1[2];
        u32 fsl_uid_1;
        u32 oem_uid_1;
-       u32 reserved2[2];
+       union {
+               u32 reserved2[2];
+#ifdef CONFIG_ESBC_ADDR_64BIT
+               u64 pimg64;     /* 64 bit pointer to ESBC Image */
+#endif
+       };
        u32 ie_flag;
        u32 ie_key_sel;
 };
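Review bot: `u64 pimg64` gives the anonymous union, and with it `struct fsl_secboot_img_hdr`, 8-byte alignment. Unless the fields before `reserved2` add up to a multiple of 8, the compiler inserts padding and the struct stops matching the header layout in flash. The struct is filled with `memcpy(hdr, esbc, sizeof(struct fsl_secboot_img_hdr))` in fsl_secboot_validate(), so a shifted layout would make `pimg64`, `ie_flag` and `ie_key_sel` read from the wrong offsets. The struct begins outside this hunk, so the offset cannot be confirmed from here; a compile-time assertion on `offsetof(struct fsl_secboot_img_hdr, pimg64)` against the documented header offset would pin it. Note also that with `CONFIG_ESBC_ADDR_64BIT` defined `psgtable` remains 32 bit.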