summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--arch/arm/imx-common/hab.c129
-rw-r--r--arch/arm/imx-common/spl.c25
-rw-r--r--arch/arm/imx-common/spl_sd.cfg10
-rw-r--r--arch/arm/include/asm/imx-common/hab.h2
-rw-r--r--include/configs/mx6_common.h3
5 files changed, 110 insertions, 59 deletions
diff --git a/arch/arm/imx-common/hab.c b/arch/arm/imx-common/hab.c
index 6731825060..7449487f0d 100644
--- a/arch/arm/imx-common/hab.c
+++ b/arch/arm/imx-common/hab.c
@@ -110,6 +110,10 @@
* +------------+ + CSF_PAD_SIZE
*/
+static bool is_hab_enabled(void);
+
+#if !defined(CONFIG_SPL_BUILD)
+
#define MAX_RECORD_BYTES (8*1024) /* 4 kbytes */
struct record {
@@ -257,22 +261,6 @@ uint8_t hab_engines[16] = {
-1
};
-bool is_hab_enabled(void)
-{
- struct imx_sec_config_fuse_t *fuse =
- (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
- uint32_t reg;
- int ret;
-
- ret = fuse_read(fuse->bank, fuse->word, &reg);
- if (ret) {
- puts("\nSecure boot fuse read error\n");
- return ret;
- }
-
- return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT;
-}
-
static inline uint8_t get_idx(uint8_t *list, uint8_t tgt)
{
uint8_t idx = 0;
@@ -359,6 +347,68 @@ int get_hab_status(void)
return 0;
}
+int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
+{
+ if ((argc != 1)) {
+ cmd_usage(cmdtp);
+ return 1;
+ }
+
+ get_hab_status();
+
+ return 0;
+}
+
+static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ ulong addr, ivt_offset;
+ int rcode = 0;
+
+ if (argc < 3)
+ return CMD_RET_USAGE;
+
+ addr = simple_strtoul(argv[1], NULL, 16);
+ ivt_offset = simple_strtoul(argv[2], NULL, 16);
+
+ rcode = authenticate_image(addr, ivt_offset);
+
+ return rcode;
+}
+
+U_BOOT_CMD(
+ hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
+ "display HAB status",
+ ""
+ );
+
+U_BOOT_CMD(
+ hab_auth_img, 3, 0, do_authenticate_image,
+ "authenticate image via HAB",
+ "addr ivt_offset\n"
+ "addr - image hex address\n"
+ "ivt_offset - hex offset of IVT in the image"
+ );
+
+
+#endif /* !defined(CONFIG_SPL_BUILD) */
+
+static bool is_hab_enabled(void)
+{
+ struct imx_sec_config_fuse_t *fuse =
+ (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
+ uint32_t reg;
+ int ret;
+
+ ret = fuse_read(fuse->bank, fuse->word, &reg);
+ if (ret) {
+ puts("\nSecure boot fuse read error\n");
+ return ret;
+ }
+
+ return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT;
+}
+
uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
{
uint32_t load_addr = 0;
@@ -400,7 +450,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
(void *)(ddr_start + ivt_offset+IVT_SIZE),
4, 0x10, 0);
+#if !defined(CONFIG_SPL_BUILD)
get_hab_status();
+#endif
puts("\nCalling authenticate_image in ROM\n");
printf("\tivt_offset = 0x%x\n", ivt_offset);
@@ -449,7 +501,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
hab_caam_clock_enable(0);
+#if !defined(CONFIG_SPL_BUILD)
get_hab_status();
+#endif
} else {
puts("hab fuse not enabled\n");
}
@@ -459,46 +513,3 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)
return result;
}
-
-int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
-{
- if ((argc != 1)) {
- cmd_usage(cmdtp);
- return 1;
- }
-
- get_hab_status();
-
- return 0;
-}
-
-static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc,
- char * const argv[])
-{
- ulong addr, ivt_offset;
- int rcode = 0;
-
- if (argc < 3)
- return CMD_RET_USAGE;
-
- addr = simple_strtoul(argv[1], NULL, 16);
- ivt_offset = simple_strtoul(argv[2], NULL, 16);
-
- rcode = authenticate_image(addr, ivt_offset);
-
- return rcode;
-}
-
-U_BOOT_CMD(
- hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
- "display HAB status",
- ""
- );
-
-U_BOOT_CMD(
- hab_auth_img, 3, 0, do_authenticate_image,
- "authenticate image via HAB",
- "addr ivt_offset\n"
- "addr - image hex address\n"
- "ivt_offset - hex offset of IVT in the image"
- );
diff --git a/arch/arm/imx-common/spl.c b/arch/arm/imx-common/spl.c
index bdcda7de93..c86b6f83b8 100644
--- a/arch/arm/imx-common/spl.c
+++ b/arch/arm/imx-common/spl.c
@@ -12,6 +12,7 @@
#include <asm/arch/imx-regs.h>
#include <asm/spl.h>
#include <spl.h>
+#include <asm/imx-common/hab.h>
#if defined(CONFIG_MX6)
/* determine boot device from SRC_SBMR1 (BOOT_CFG[4:1]) or SRC_GPR9 register */
@@ -90,3 +91,27 @@ u32 spl_boot_mode(const u32 boot_device)
}
}
#endif
+
+#if defined(CONFIG_SECURE_BOOT)
+
+__weak void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image)
+{
+ typedef void __noreturn (*image_entry_noargs_t)(void);
+
+ image_entry_noargs_t image_entry =
+ (image_entry_noargs_t)(unsigned long)spl_image->entry_point;
+
+ debug("image entry point: 0x%X\n", spl_image->entry_point);
+
+ /* HAB looks for the CSF at the end of the authenticated data therefore,
+ * we need to subtract the size of the CSF from the actual filesize */
+ if (authenticate_image(spl_image->load_addr,
+ spl_image->size - CONFIG_CSF_SIZE)) {
+ image_entry();
+ } else {
+ puts("spl: ERROR: image authentication unsuccessful\n");
+ hang();
+ }
+}
+
+#endif
diff --git a/arch/arm/imx-common/spl_sd.cfg b/arch/arm/imx-common/spl_sd.cfg
index 5fc3e8af38..14c135c549 100644
--- a/arch/arm/imx-common/spl_sd.cfg
+++ b/arch/arm/imx-common/spl_sd.cfg
@@ -4,5 +4,15 @@
* SPDX-License-Identifier: GPL-2.0+
*/
+#define __ASSEMBLY__
+#include <config.h>
+
IMAGE_VERSION 2
BOOT_FROM sd
+
+/*
+ * Secure boot support
+ */
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif \ No newline at end of file
diff --git a/arch/arm/include/asm/imx-common/hab.h b/arch/arm/include/asm/imx-common/hab.h
index dab6789b10..e0ff459d53 100644
--- a/arch/arm/include/asm/imx-common/hab.h
+++ b/arch/arm/include/asm/imx-common/hab.h
@@ -145,4 +145,6 @@ typedef void hapi_clock_init_t(void);
/* ----------- end of HAB API updates ------------*/
+uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size);
+
#endif
diff --git a/include/configs/mx6_common.h b/include/configs/mx6_common.h
index 3bb939ecf0..6e9b871103 100644
--- a/include/configs/mx6_common.h
+++ b/include/configs/mx6_common.h
@@ -98,6 +98,9 @@
#define CONFIG_FSL_CAAM
#define CONFIG_CMD_DEKBLOB
#define CONFIG_SYS_FSL_SEC_LE
+#ifdef CONFIG_SPL_BUILD
+#define CONFIG_SPL_DRIVERS_MISC_SUPPORT
+#endif
#endif
#endif