diff options
author | Sumit Garg <sumit.garg@nxp.com> | 2016-09-01 12:56:44 -0400 |
---|---|---|
committer | York Sun <york.sun@nxp.com> | 2016-09-14 14:06:39 -0700 |
commit | 07806e622963902efa57959a447c1dd6419e126b (patch) | |
tree | 5d144775799b5d3050873485b348fe285c59c82b | |
parent | 285c74811ec34c79b177e5d79936ffe0980a99a4 (diff) | |
download | u-boot-imx-07806e622963902efa57959a447c1dd6419e126b.zip u-boot-imx-07806e622963902efa57959a447c1dd6419e126b.tar.gz u-boot-imx-07806e622963902efa57959a447c1dd6419e126b.tar.bz2 |
ls1043ardb: PPA: add PPA validation in case of secure boot
As part of Secure Boot Chain of trust, PPA image must be validated
before the image is started.
The code for the same has been added.
Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
-rw-r--r-- | arch/arm/cpu/armv8/fsl-layerscape/ppa.c | 21 | ||||
-rw-r--r-- | arch/arm/include/asm/fsl_secure_boot.h | 18 |
2 files changed, 39 insertions, 0 deletions
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c index f54ac3f..b68e87d 100644 --- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c +++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c @@ -17,6 +17,9 @@ #ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT #include <asm/armv8/sec_firmware.h> #endif +#ifdef CONFIG_CHAIN_OF_TRUST +#include <fsl_validate.h> +#endif int ppa_init(void) { @@ -24,12 +27,30 @@ int ppa_init(void) u32 *boot_loc_ptr_l, *boot_loc_ptr_h; int ret; +#ifdef CONFIG_CHAIN_OF_TRUST + uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR; + uintptr_t ppa_img_addr = 0; +#endif + #ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP ppa_fit_addr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR; #else #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined" #endif +#ifdef CONFIG_CHAIN_OF_TRUST + ppa_img_addr = (uintptr_t)ppa_fit_addr; + if (fsl_check_boot_mode_secure() != 0) { + ret = fsl_secboot_validate(ppa_esbc_hdr, + CONFIG_PPA_KEY_HASH, + &ppa_img_addr); + if (ret != 0) + printf("PPA validation failed\n"); + else + printf("PPA validation Successful\n"); + } +#endif + #ifdef CONFIG_FSL_LSCH3 struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR); boot_loc_ptr_l = &gur->bootlocptrl; diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index b35c271..6b9d3e4 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -126,6 +126,24 @@ /* BOOTSCRIPT_ADDR is not required */ #endif +#ifdef CONFIG_FSL_LS_PPA +#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP +#ifdef CONFIG_LS1043A +#define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x600c0000 +#endif +#else +#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined" +#endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */ + +/* Define the key hash here if SRK used for signing PPA image is + * different from SRK hash put in SFP used for U-Boot. + * Example + * #define CONFIG_PPA_KEY_HASH \ + * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" + */ +#define CONFIG_PPA_KEY_HASH NULL +#endif /* ifdef CONFIG_FSL_LS_PPA */ + #include <config_fsl_chain_trust.h> #endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ |