summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSumit Garg <sumit.garg@nxp.com>2016-09-01 12:56:44 -0400
committerYork Sun <york.sun@nxp.com>2016-09-14 14:06:39 -0700
commit07806e622963902efa57959a447c1dd6419e126b (patch)
tree5d144775799b5d3050873485b348fe285c59c82b
parent285c74811ec34c79b177e5d79936ffe0980a99a4 (diff)
downloadu-boot-imx-07806e622963902efa57959a447c1dd6419e126b.zip
u-boot-imx-07806e622963902efa57959a447c1dd6419e126b.tar.gz
u-boot-imx-07806e622963902efa57959a447c1dd6419e126b.tar.bz2
ls1043ardb: PPA: add PPA validation in case of secure boot
As part of Secure Boot Chain of trust, PPA image must be validated before the image is started. The code for the same has been added. Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> Signed-off-by: Sumit Garg <sumit.garg@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com>
-rw-r--r--arch/arm/cpu/armv8/fsl-layerscape/ppa.c21
-rw-r--r--arch/arm/include/asm/fsl_secure_boot.h18
2 files changed, 39 insertions, 0 deletions
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
index f54ac3f..b68e87d 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
@@ -17,6 +17,9 @@
#ifdef CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT
#include <asm/armv8/sec_firmware.h>
#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
int ppa_init(void)
{
@@ -24,12 +27,30 @@ int ppa_init(void)
u32 *boot_loc_ptr_l, *boot_loc_ptr_h;
int ret;
+#ifdef CONFIG_CHAIN_OF_TRUST
+ uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR;
+ uintptr_t ppa_img_addr = 0;
+#endif
+
#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
ppa_fit_addr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR;
#else
#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ ppa_img_addr = (uintptr_t)ppa_fit_addr;
+ if (fsl_check_boot_mode_secure() != 0) {
+ ret = fsl_secboot_validate(ppa_esbc_hdr,
+ CONFIG_PPA_KEY_HASH,
+ &ppa_img_addr);
+ if (ret != 0)
+ printf("PPA validation failed\n");
+ else
+ printf("PPA validation Successful\n");
+ }
+#endif
+
#ifdef CONFIG_FSL_LSCH3
struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
boot_loc_ptr_l = &gur->bootlocptrl;
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index b35c271..6b9d3e4 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -126,6 +126,24 @@
/* BOOTSCRIPT_ADDR is not required */
#endif
+#ifdef CONFIG_FSL_LS_PPA
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP
+#ifdef CONFIG_LS1043A
+#define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x600c0000
+#endif
+#else
+#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
+#endif /* ifdef CONFIG_SYS_LS_PPA_FW_IN_XIP */
+
+/* Define the key hash here if SRK used for signing PPA image is
+ * different from SRK hash put in SFP used for U-Boot.
+ * Example
+ * #define CONFIG_PPA_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+#define CONFIG_PPA_KEY_HASH NULL
+#endif /* ifdef CONFIG_FSL_LS_PPA */
+
#include <config_fsl_chain_trust.h>
#endif /* #ifndef CONFIG_SPL_BUILD */
#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */