secure_boot: enable chain of trust for ARM platforms

Chain of Trust is enabled for ARM platforms (LS1021 and LS1043).
In board_late_init(), fsl_setenv_chain_of_trust() is called which
will perform the following:
- If boot mode is non-secure, return (No Change)
- If boot mode is secure, set the following environmet variables:
   bootdelay = 0 (To disable Boot Prompt)
   bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)

Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>

diff --git a/arch/arm/cpu/armv8/fsl-layerscape/soc.c b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
index 23d6b73e3d307126c56786dd814522bd1b77b1de..d97a445179ae883094f0374e005a62444b163ae9 100644 (file)
--- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
@@ -12,6 +12,9 @@
 #include <asm/io.h>
 #include <asm/global_data.h>
 #include <asm/arch-fsl-layerscape/config.h>
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -241,6 +244,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
        sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+       fsl_setenv_chain_of_trust();
+#endif
 
        return 0;
 }

diff --git a/board/freescale/common/Makefile b/board/freescale/common/Makefile
index 51d2814a434dd515fede2063f9b4607ca3accfe4..be114cebef2fee44b77306d67c73817b30f3e99f 100644 (file)
--- a/board/freescale/common/Makefile
+++ b/board/freescale/common/Makefile
@@ -76,5 +76,6 @@ obj-$(CONFIG_LAYERSCAPE_NS_ACCESS)    += ns_access.o
 ifdef CONFIG_SECURE_BOOT
 obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
 endif
+obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
 
 endif

diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c
index ff67bd7b8f99dbd8e4e88491dde9489d7ffa437c..ecfcc8253a88b5a5700678cbbedeb83c26bbdc4b 100644 (file)
--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@@ -51,3 +51,20 @@ int fsl_check_boot_mode_secure(void)
 #endif
        return 0;
 }
+
+int fsl_setenv_chain_of_trust(void)
+{
+       /* Check Boot Mode
+        * If Boot Mode is Non-Secure, no changes are required
+        */
+       if (fsl_check_boot_mode_secure() == 0)
+               return 0;
+
+       /* If Boot mode is Secure, set the environment variables
+        * bootdelay = 0 (To disable Boot Prompt)
+        * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+        */
+       setenv("bootdelay", "0");
+       setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+       return 0;
+}

diff --git a/board/freescale/ls1021aqds/ls1021aqds.c b/board/freescale/ls1021aqds/ls1021aqds.c
index be3358a564a8195b5ed3b511f34e200dd878f0e8..5f4ec9d878f9839a9b2027f97877df20cd59d166 100644 (file)
--- a/board/freescale/ls1021aqds/ls1021aqds.c
+++ b/board/freescale/ls1021aqds/ls1021aqds.c
@@ -22,6 +22,7 @@
 #include <fsl_sec.h>
 #include <spl.h>
 #include <fsl_devdis.h>
+#include <fsl_validate.h>
 
 #include "../common/sleep.h"
 #include "../common/qixis.h"
@@ -369,6 +370,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
        ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+       fsl_setenv_chain_of_trust();
+#endif
 
        return 0;
 }

diff --git a/board/freescale/ls1021atwr/ls1021atwr.c b/board/freescale/ls1021atwr/ls1021atwr.c
index 8eaff5f0cedf2d2fec4ec254c34c5af93e71f758..b85774c4a4363aeec48095209a81910e218df75e 100644 (file)
--- a/board/freescale/ls1021atwr/ls1021atwr.c
+++ b/board/freescale/ls1021atwr/ls1021atwr.c
@@ -30,6 +30,7 @@
 #ifdef CONFIG_U_QE
 #include "../../../drivers/qe/qe.h"
 #endif
+#include <fsl_validate.h>
 
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -549,6 +550,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
        ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+       fsl_setenv_chain_of_trust();
+#endif
 
        return 0;
 }

diff --git a/include/fsl_validate.h b/include/fsl_validate.h
index ad14867eac8ed9edf24b976033e25077474197b1..83efcf49ada7c1ee4610925d3a9adc48244ec774 100644 (file)
--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -205,4 +205,6 @@ int fsl_secboot_blob_encap(cmd_tbl_t *cmdtp, int flag, int argc,
 int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int argc,
        char * const argv[]);
 
+int fsl_check_boot_mode_secure(void);
+int fsl_setenv_chain_of_trust(void);
 #endif