From a994b3deb00bf3177cdf9f92060baec4f640f466 Mon Sep 17 00:00:00 2001 From: Shengzhou Liu Date: Wed, 16 Dec 2015 16:45:41 +0800 Subject: driver/ddr/fsl: Add workaround for A009663 Erratum A-009663 workaround requires to set DDR_INTERVAL[BSTOPRE] to 0 before setting DDR_SDRAM_CFG[MEM_EN] and set DDR_INTERVAL[BSTOPRE] to the desired value after DDR initialization has completed. When DDR controller is configured to operate in auto-precharge mode(DDR_INTERVAL[BSTOPRE]=0), this workaround is not needed. Signed-off-by: Shengzhou Liu Reviewed-by: York Sun --- arch/powerpc/cpu/mpc85xx/cmd_errata.c | 3 +++ arch/powerpc/include/asm/config_mpc85xx.h | 2 ++ 2 files changed, 5 insertions(+) (limited to 'arch/powerpc') diff --git a/arch/powerpc/cpu/mpc85xx/cmd_errata.c b/arch/powerpc/cpu/mpc85xx/cmd_errata.c index a493556..3b06ae4 100644 --- a/arch/powerpc/cpu/mpc85xx/cmd_errata.c +++ b/arch/powerpc/cpu/mpc85xx/cmd_errata.c @@ -326,6 +326,9 @@ static int do_errata(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) #if defined(CONFIG_SYS_FSL_B4860QDS_XFI_ERR) && defined(CONFIG_B4860QDS) puts("Work-around for Erratum XFI on B4860QDS enabled\n"); #endif +#ifdef CONFIG_SYS_FSL_ERRATUM_A009663 + puts("Work-around for Erratum A009663 enabled\n"); +#endif return 0; } diff --git a/arch/powerpc/include/asm/config_mpc85xx.h b/arch/powerpc/include/asm/config_mpc85xx.h index 674fac8..eccc146 100644 --- a/arch/powerpc/include/asm/config_mpc85xx.h +++ b/arch/powerpc/include/asm/config_mpc85xx.h @@ -808,6 +808,7 @@ defined(CONFIG_PPC_T1020) || defined(CONFIG_PPC_T1022) #define QE_NUM_OF_SNUM 28 #define CONFIG_SYS_FSL_SFP_VER_3_0 #define CONFIG_SYS_FSL_ERRATUM_A008378 +#define CONFIG_SYS_FSL_ERRATUM_A009663 #elif defined(CONFIG_PPC_T1024) || defined(CONFIG_PPC_T1023) ||\ defined(CONFIG_PPC_T1014) || defined(CONFIG_PPC_T1013) @@ -856,6 +857,7 @@ defined(CONFIG_PPC_T1014) || defined(CONFIG_PPC_T1013) #define QE_NUM_OF_SNUM 28 #define CONFIG_SYS_FSL_SFP_VER_3_0 #define CONFIG_SYS_FSL_ERRATUM_A008378 +#define CONFIG_SYS_FSL_ERRATUM_A009663 #elif defined(CONFIG_PPC_T2080) || defined(CONFIG_PPC_T2081) #define CONFIG_E6500 -- cgit v1.1 From 74eecd820f251c6700c828d662a600c01651217f Mon Sep 17 00:00:00 2001 From: Aneesh Bansal Date: Fri, 22 Jan 2016 16:37:23 +0530 Subject: secure_boot: include/configs: move definition of CONFIG_CMD_BLOB CONFIG_CMD_BLOB must be defined in case of Secure Boot. It was earlier defined in all config files. The definition has been moved to a common file which is included by all configs. Signed-off-by: Aneesh Bansal Acked-by: Ruchika Gupta Reviewed-by: York Sun --- arch/powerpc/include/asm/fsl_secure_boot.h | 1 + 1 file changed, 1 insertion(+) (limited to 'arch/powerpc') diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index 87415b1..7d217a6 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -10,6 +10,7 @@ #ifdef CONFIG_SECURE_BOOT #define CONFIG_CMD_ESBC_VALIDATE +#define CONFIG_CMD_BLOB #define CONFIG_FSL_SEC_MON #define CONFIG_SHA_PROG_HW_ACCEL #define CONFIG_DM -- cgit v1.1 From bdc22074c511def222f93d1a9d94ec95c462c062 Mon Sep 17 00:00:00 2001 From: Aneesh Bansal Date: Fri, 22 Jan 2016 16:37:24 +0530 Subject: secure_boot: split the secure boot functionality in two parts There are two phases in Secure Boot 1. ISBC: In BootROM, validate the BootLoader (U-Boot). 2. ESBC: In U-Boot, continuing the Chain of Trust by validating and booting LINUX. For ESBC phase, there is no difference in SoC's based on ARM or PowerPC cores. But the exit conditions after ISBC phase i.e. entry conditions for U-Boot are different for ARM and PowerPC. PowerPC: If Secure Boot is executed, a separate U-Boot target is required which must be compiled with a diffrent Text Base as compared to Non-Secure Boot. There are some LAW and TLB settings which are required specifically for Secure Boot scenario. ARM: ARM based SoC's have a fixed memory map and exit conditions from BootROM are same irrespective of boot mode (Secure or Non-Secure). Thus the current Secure Boot functionlity has been split into two parts: CONFIG_CHAIN_OF_TRUST This will have the following functionality as part of U-Boot: 1. Enable commands like esbc_validate, esbc_halt 2. Change the environment settings based on bootmode, determined at run time: - If bootmode is non-secure, no change - If bootmode is secure, set the following: - bootdelay = 0 (Don't give boot prompt) - bootcmd = Validate and execute the bootscript. CONFIG_SECURE_BOOT This is defined only for creating a different compile time target for secure boot. Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT. This patch is aimed at removing the requirement for a separate Secure Boot target for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be determine at run time. Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt must not be picked from flash/external memory. This cannot be done based on bootmode at run time in current U-Boot architecture. Once this dependency is resolved, no separate SECURE_BOOT target will be required for ARM based SoC's. Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining CONFIG_ENV_IS_NOWHERE Signed-off-by: Aneesh Bansal Acked-by: Ruchika Gupta Reviewed-by: York Sun --- arch/powerpc/include/asm/fsl_secure_boot.h | 41 +++++++++++++++++------------- 1 file changed, 24 insertions(+), 17 deletions(-) (limited to 'arch/powerpc') diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index 7d217a6..41058d1 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -9,19 +9,11 @@ #include #ifdef CONFIG_SECURE_BOOT -#define CONFIG_CMD_ESBC_VALIDATE -#define CONFIG_CMD_BLOB -#define CONFIG_FSL_SEC_MON -#define CONFIG_SHA_PROG_HW_ACCEL -#define CONFIG_DM -#define CONFIG_RSA -#define CONFIG_RSA_FREESCALE_EXP -#ifndef CONFIG_FSL_CAAM -#define CONFIG_FSL_CAAM -#endif + +#ifndef CONFIG_FIT_SIGNATURE +#define CONFIG_CHAIN_OF_TRUST #endif -#ifdef CONFIG_SECURE_BOOT #if defined(CONFIG_FSL_CORENET) #define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000 #elif defined(CONFIG_BSC9132QDS) @@ -76,8 +68,25 @@ */ #define CONFIG_FSL_ISBC_KEY_EXT #endif +#endif /* #ifdef CONFIG_SECURE_BOOT */ + +#ifdef CONFIG_CHAIN_OF_TRUST + +#define CONFIG_CMD_ESBC_VALIDATE +#define CONFIG_CMD_BLOB +#define CONFIG_FSL_SEC_MON +#define CONFIG_SHA_PROG_HW_ACCEL +#define CONFIG_RSA +#define CONFIG_RSA_FREESCALE_EXP + +#ifndef CONFIG_DM +#define CONFIG_DM +#endif + +#ifndef CONFIG_FSL_CAAM +#define CONFIG_FSL_CAAM +#endif -#ifndef CONFIG_FIT_SIGNATURE /* If Boot Script is not on NOR and is required to be copied on RAM */ #ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BS_HDR_ADDR_RAM 0x00010000 @@ -105,10 +114,8 @@ #define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000 #endif -#endif - -#include -#endif +#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ -#endif +#include +#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif -- cgit v1.1 From 0a6b2714adfffce6a1497bd2ed6cbf4f7b4b0236 Mon Sep 17 00:00:00 2001 From: Aneesh Bansal Date: Fri, 22 Jan 2016 16:37:25 +0530 Subject: secure_boot: create function to determine boot mode A function is created to detrmine if the boot mode is secure or non-secure for differnt SoC's. Signed-off-by: Aneesh Bansal Acked-by: Ruchika Gupta Reviewed-by: York Sun --- arch/powerpc/include/asm/immap_85xx.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'arch/powerpc') diff --git a/arch/powerpc/include/asm/immap_85xx.h b/arch/powerpc/include/asm/immap_85xx.h index 101b8db..fd8aba4 100644 --- a/arch/powerpc/include/asm/immap_85xx.h +++ b/arch/powerpc/include/asm/immap_85xx.h @@ -1749,6 +1749,8 @@ typedef struct ccsr_gur { u32 brrl; /* Boot release */ u8 res17[24]; u32 rcwsr[16]; /* Reset control word status */ +#define RCW_SB_EN_REG_INDEX 7 +#define RCW_SB_EN_MASK 0x00200000 #ifdef CONFIG_SYS_FSL_QORIQ_CHASSIS2 #define FSL_CORENET_RCWSR0_MEM_PLL_RAT_SHIFT 16 @@ -2194,6 +2196,7 @@ typedef struct ccsr_gur { #define MPC85xx_PORDEVSR2_DDR_SPD_0 0x00000008 #define MPC85xx_PORDEVSR2_DDR_SPD_0_SHIFT 3 #endif +#define MPC85xx_PORDEVSR2_SBC_MASK 0x10000000 /* The 8544 RM says this is bit 26, but it's really bit 24 */ #define MPC85xx_PORDEVSR2_SEC_CFG 0x00000080 u8 res1[8]; -- cgit v1.1 From d0a6d7ce55ec40d23ad96b549d596afd8f70735c Mon Sep 17 00:00:00 2001 From: Aneesh Bansal Date: Fri, 22 Jan 2016 16:37:27 +0530 Subject: secure_boot: enable chain of trust for PowerPC platforms Chain of Trust is enabled for PowerPC platforms for Secure Boot. CONFIG_BOARD_LATE_INIT is defined. In board_late_init(), fsl_setenv_chain_of_trust() is called which will perform the following: - If boot mode is non-secure, return (No Change) - If boot mode is secure, set the following environmet variables: bootdelay = 0 (To disable Boot Prompt) bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) Signed-off-by: Aneesh Bansal Acked-by: Ruchika Gupta Reviewed-by: York Sun --- arch/powerpc/cpu/mpc85xx/cpu_init.c | 14 ++++++++++++++ arch/powerpc/include/asm/fsl_secure_boot.h | 7 +++++++ 2 files changed, 21 insertions(+) (limited to 'arch/powerpc') diff --git a/arch/powerpc/cpu/mpc85xx/cpu_init.c b/arch/powerpc/cpu/mpc85xx/cpu_init.c index 13a7d0f..d51616b 100644 --- a/arch/powerpc/cpu/mpc85xx/cpu_init.c +++ b/arch/powerpc/cpu/mpc85xx/cpu_init.c @@ -27,6 +27,9 @@ #include #include #include "mp.h" +#ifdef CONFIG_CHAIN_OF_TRUST +#include +#endif #ifdef CONFIG_FSL_CAAM #include #endif @@ -1009,3 +1012,14 @@ void cpu_secondary_init_r(void) qe_reset(); #endif } + +#ifdef CONFIG_BOARD_LATE_INIT +int board_late_init(void) +{ +#ifdef CONFIG_CHAIN_OF_TRUST + fsl_setenv_chain_of_trust(); +#endif + + return 0; +} +#endif diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index 41058d1..c45cace 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -87,6 +87,13 @@ #define CONFIG_FSL_CAAM #endif +/* fsl_setenv_chain_of_trust() must be called from + * board_late_init() + */ +#ifndef CONFIG_BOARD_LATE_INIT +#define CONFIG_BOARD_LATE_INIT +#endif + /* If Boot Script is not on NOR and is required to be copied on RAM */ #ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BS_HDR_ADDR_RAM 0x00010000 -- cgit v1.1