summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSiva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>2018-02-28 13:26:53 +0530
committerMichal Simek <michal.simek@xilinx.com>2018-03-23 09:36:15 +0100
commitc436bf92f6bf4014710bfeb067a0a35692e68bd3 (patch)
tree86b4cbc163bcf1df6c5a307ff0b16e115d921d08
parent348dbf4368735c9c0a6e0a42ffff46521370dd1f (diff)
downloadu-boot-c436bf92f6bf4014710bfeb067a0a35692e68bd3.tar.gz
arm64: zynqmp: Add support for verifying secure images
This patch adds new command "zynqmp" to handle zynqmp specific commands like "zynqmp secure". This secure command is used for verifying zynqmp specific secure images. The secure image can either be authenticated or encrypted or both encrypted and authenticated. The secure image is prepared using bootgen and will be in xilinx specific BOOT.BIN format. The optional key can be used for decryption of encrypted image if user key was specified while creation BOOT.BIN. Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com> Signed-off-by: Michal Simek <michal.simek@xilinx.com>
-rw-r--r--arch/arm/Kconfig1
-rw-r--r--arch/arm/include/asm/arch-zynqmp/sys_proto.h2
-rw-r--r--board/xilinx/zynqmp/Kconfig18
-rw-r--r--board/xilinx/zynqmp/Makefile4
-rw-r--r--board/xilinx/zynqmp/cmds.c105
-rw-r--r--configs/xilinx_zynqmp_mini_emmc_defconfig1
-rw-r--r--configs/xilinx_zynqmp_mini_nand_defconfig1
7 files changed, 132 insertions, 0 deletions
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 166e3b73a4..068ea1e877 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1360,6 +1360,7 @@ source "board/toradex/colibri_pxa270/Kconfig"
source "board/vscom/baltos/Kconfig"
source "board/woodburn/Kconfig"
source "board/work-microwave/work_92105/Kconfig"
+source "board/xilinx/zynqmp/Kconfig"
source "board/zipitz2/Kconfig"
source "arch/arm/Kconfig.debug"
diff --git a/arch/arm/include/asm/arch-zynqmp/sys_proto.h b/arch/arm/include/asm/arch-zynqmp/sys_proto.h
index 084d55a2b0..ad3dc9aba5 100644
--- a/arch/arm/include/asm/arch-zynqmp/sys_proto.h
+++ b/arch/arm/include/asm/arch-zynqmp/sys_proto.h
@@ -11,6 +11,8 @@
#define PAYLOAD_ARG_CNT 5
#define ZYNQMP_CSU_SILICON_VER_MASK 0xF
+#define ZYNQMP_SIP_SVC_PM_SECURE_IMG_LOAD 0xC200002D
+#define KEY_PTR_LEN 32
enum {
IDCODE,
diff --git a/board/xilinx/zynqmp/Kconfig b/board/xilinx/zynqmp/Kconfig
new file mode 100644
index 0000000000..7d1f7398c3
--- /dev/null
+++ b/board/xilinx/zynqmp/Kconfig
@@ -0,0 +1,18 @@
+# Copyright (c) 2018, Xilinx, Inc.
+#
+# SPDX-License-Identifier: GPL-2.0
+
+if ARCH_ZYNQMP
+
+config CMD_ZYNQMP
+ bool "Enable ZynqMP specific commands"
+ default y
+ help
+ Enable ZynqMP specific commands like "zynqmp secure"
+ which is used for zynqmp secure image verification.
+ The secure image is a xilinx specific BOOT.BIN with
+ either authentication or encryption or both encryption
+ and authentication feature enabled while generating
+ BOOT.BIN using Xilinx bootgen tool.
+
+endif
diff --git a/board/xilinx/zynqmp/Makefile b/board/xilinx/zynqmp/Makefile
index 75aab92f04..3b7a10e202 100644
--- a/board/xilinx/zynqmp/Makefile
+++ b/board/xilinx/zynqmp/Makefile
@@ -26,6 +26,10 @@ ifneq ($(call ifdef_any_of, CONFIG_ZYNQMP_PSU_INIT_ENABLED CONFIG_SPL_BUILD),)
obj-y += $(init-objs)
endif
+ifndef CONFIG_SPL_BUILD
+obj-$(CONFIG_CMD_ZYNQMP) += cmds.o
+endif
+
# Suppress "warning: function declaration isn't a prototype"
CFLAGS_REMOVE_psu_init_gpl.o := -Wstrict-prototypes
diff --git a/board/xilinx/zynqmp/cmds.c b/board/xilinx/zynqmp/cmds.c
new file mode 100644
index 0000000000..6712d7b8cf
--- /dev/null
+++ b/board/xilinx/zynqmp/cmds.c
@@ -0,0 +1,105 @@
+/*
+ * (C) Copyright 2018 Xilinx, Inc.
+ * Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0
+ */
+
+#include <common.h>
+#include <malloc.h>
+#include <asm/arch/sys_proto.h>
+#include <asm/io.h>
+
+static int zynqmp_verify_secure(u8 *key_ptr, u8 *src_ptr, u32 len)
+{
+ int ret;
+ u32 src_lo, src_hi;
+ u32 key_lo = 0;
+ u32 key_hi = 0;
+ u32 ret_payload[PAYLOAD_ARG_CNT];
+ u64 addr;
+
+ if ((ulong)src_ptr != ALIGN((ulong)src_ptr,
+ CONFIG_SYS_CACHELINE_SIZE)) {
+ printf("Failed: source address not aligned:%p\n", src_ptr);
+ return -EINVAL;
+ }
+
+ src_lo = lower_32_bits((ulong)src_ptr);
+ src_hi = upper_32_bits((ulong)src_ptr);
+ flush_dcache_range((ulong)src_ptr, (ulong)(src_ptr + len));
+
+ if (key_ptr) {
+ key_lo = lower_32_bits((ulong)key_ptr);
+ key_hi = upper_32_bits((ulong)key_ptr);
+ flush_dcache_range((ulong)key_ptr,
+ (ulong)(key_ptr + KEY_PTR_LEN));
+ }
+
+ ret = invoke_smc(ZYNQMP_SIP_SVC_PM_SECURE_IMG_LOAD, src_lo, src_hi,
+ key_lo, key_hi, ret_payload);
+ if (ret) {
+ printf("Failed: secure op status:0x%x\n", ret);
+ } else {
+ addr = (u64)ret_payload[1] << 32 | ret_payload[2];
+ printf("Verified image at 0x%llx\n", addr);
+ env_set_hex("zynqmp_verified_img_addr", addr);
+ }
+
+ return ret;
+}
+
+/**
+ * do_zynqmp - Handle the "zynqmp" command-line command
+ * @cmdtp: Command data struct pointer
+ * @flag: Command flag
+ * @argc: Command-line argument count
+ * @argv: Array of command-line arguments
+ *
+ * Processes the zynqmp specific commands
+ *
+ * Return: return 0 on success and CMD_RET_USAGE incase of misuse and error
+ */
+static int do_zynqmp(cmd_tbl_t *cmdtp, int flag, int argc,
+ char *const argv[])
+{
+ u64 src_addr;
+ u32 len;
+ u8 *key_ptr = NULL;
+ u8 *src_ptr;
+ int ret;
+
+ if (argc > 5 || argc < 4 || strncmp(argv[1], "secure", 6))
+ return CMD_RET_USAGE;
+
+ src_addr = simple_strtoull(argv[2], NULL, 16);
+
+ len = simple_strtoul(argv[3], NULL, 16);
+
+ if (argc > 4)
+ key_ptr = (uint8_t *)(uintptr_t)simple_strtoull(argv[4],
+ NULL, 16);
+
+ src_ptr = (uint8_t *)(uintptr_t)src_addr;
+
+ ret = zynqmp_verify_secure(key_ptr, src_ptr, len);
+ if (ret)
+ return CMD_RET_FAILURE;
+
+ return CMD_RET_SUCCESS;
+}
+
+/***************************************************/
+#ifdef CONFIG_SYS_LONGHELP
+static char zynqmp_help_text[] =
+ "secure src len [key_addr] - verifies secure images of $len bytes\n"
+ " long at address $src. Optional key_addr\n"
+ " can be specified if user key needs to\n"
+ " be used for decryption\n";
+#endif
+
+U_BOOT_CMD(
+ zynqmp, 5, 1, do_zynqmp,
+ "Verify and load secure images",
+ zynqmp_help_text
+)
diff --git a/configs/xilinx_zynqmp_mini_emmc_defconfig b/configs/xilinx_zynqmp_mini_emmc_defconfig
index b15120e0fa..8f2596a894 100644
--- a/configs/xilinx_zynqmp_mini_emmc_defconfig
+++ b/configs/xilinx_zynqmp_mini_emmc_defconfig
@@ -2,6 +2,7 @@ CONFIG_ARM=y
CONFIG_SYS_CONFIG_NAME="xilinx_zynqmp_mini_emmc"
CONFIG_ARCH_ZYNQMP=y
CONFIG_SYS_TEXT_BASE=0x10000
+# CONFIG_CMD_ZYNQMP is not set
CONFIG_DEFAULT_DEVICE_TREE="zynqmp-mini-emmc"
CONFIG_ENV_VARS_UBOOT_CONFIG=y
CONFIG_FIT=y
diff --git a/configs/xilinx_zynqmp_mini_nand_defconfig b/configs/xilinx_zynqmp_mini_nand_defconfig
index 55200bcb05..1fec9bab7c 100644
--- a/configs/xilinx_zynqmp_mini_nand_defconfig
+++ b/configs/xilinx_zynqmp_mini_nand_defconfig
@@ -2,6 +2,7 @@ CONFIG_ARM=y
CONFIG_SYS_CONFIG_NAME="xilinx_zynqmp_mini_nand"
CONFIG_ARCH_ZYNQMP=y
CONFIG_SYS_TEXT_BASE=0x10000
+# CONFIG_CMD_ZYNQMP is not set
CONFIG_DEFAULT_DEVICE_TREE="zynqmp-mini-nand"
CONFIG_ENV_VARS_UBOOT_CONFIG=y
CONFIG_FIT=y