authorYe Li <ye.li@nxp.com>2016-03-08 22:03:47 +0800
committerYe Li <ye.li@nxp.com>2016-03-25 15:48:00 +0800
commit3c118b8d6bbe1a25ca8c8bafeb528309f16fc73d (patch)
tree0b227bf94bf20f80dac629f47f307e8ceb61fcb8
parentd7e218133f55b302e75e90410c3e0bff2bc0c750 (diff)
MLK-12500-1 HAB: Add kernel image authentication in image loading
To support the trusted boot chain, we integrate authentication into the kernel image loading process. The kernel image is verified at its load address, so the image must be signed for that load address, which may differ between platforms.

Signed-off-by: Ye Li <ye.li@nxp.com>
-rw-r--r--cmd/bootm.c33
1 files changed, 33 insertions, 0 deletions
diff --git a/cmd/bootm.c b/cmd/bootm.c
index 555ccbc..dce7392 100644
--- a/cmd/bootm.c
+++ b/cmd/bootm.c
@@ -128,6 +128,31 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
return do_bootm_subcommand(cmdtp, flag, argc, argv);
}
+#ifdef CONFIG_SECURE_BOOT
+ extern uint32_t authenticate_image(
+ uint32_t ddr_start, uint32_t image_size);
+
+ switch (genimg_get_format((const void *)load_addr)) {
+#if defined(CONFIG_IMAGE_FORMAT_LEGACY)
+ case IMAGE_FORMAT_LEGACY:
+ if (authenticate_image(load_addr,
+ image_get_image_size((image_header_t *)load_addr)) == 0) {
+ printf("Authenticate uImage Fail, Please check\n");
+ return 1;
+ }
+ break;
+#endif
+#ifdef CONFIG_ANDROID_BOOT_IMAGE
+ case IMAGE_FORMAT_ANDROID:
+ /* Do this authentication in boota command */
+ break;
+#endif
+ default:
+ printf("Not valid image format for Authentication, Please check\n");
+ return 1;
+ }
+#endif
+
return do_bootm_states(cmdtp, flag, argc, argv, BOOTM_STATE_START |
BOOTM_STATE_FINDOS | BOOTM_STATE_FINDOTHER |
BOOTM_STATE_LOADOS |
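Review bot: The new check authenticates the image at the global `load_addr`, but `argc`/`argv` are then passed unchanged to `do_bootm_states()`, so if an address argument is honoured there (that code is outside the hunk) the image that is verified and the image that is booted can differ. The address should be resolved once, the same way the boot path resolves it, and that single value passed to both `genimg_get_format()` and `authenticate_image()`. The context line `return do_bootm_subcommand(...)` also sits above the added block, so the sub-command path appears to return without any authentication; its guarding condition starts outside the hunk and should be confirmed. Separately, the block-scope `extern uint32_t authenticate_image(...)` is repeated in the `bootz_start` hunk and would be better declared once in a shared header so the prototype cannot silently diverge from the definition.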
@@ -583,6 +608,14 @@ static int bootz_start(cmd_tbl_t *cmdtp, int flag, int argc,
if (bootm_find_images(flag, argc, argv))
return 1;
+#ifdef CONFIG_SECURE_BOOT
+ extern uint32_t authenticate_image(
+ uint32_t ddr_start, uint32_t image_size);
+ if (authenticate_image(images->ep, zi_end - zi_start) == 0) {
+ printf("Authenticate zImage Fail, Please check\n");
+ return 1;
+ }
+#endif
return 0;
}
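Review bot: Only the kernel range starting at `images->ep` with length `zi_end - zi_start` is authenticated here, while `bootm_find_images()` just above may also have located a ramdisk and a device tree; unless those are verified elsewhere they remain outside the trust chain. Both arguments are narrowed to `uint32_t`, and the length is presumably derived from the not-yet-authenticated zImage header (the assignment of `zi_start`/`zi_end` is outside the hunk), so `authenticate_image()` has to bounds-check it. A comment recording that assumption would help, e.g. `/* size comes from the unverified header; authenticate_image() must validate it */`. The start of `bootz_start` lies outside the hunk.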