2018-05-06 21:58:06 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0+
|
2016-03-16 13:10:08 +00:00
|
|
|
/*
|
2019-07-16 13:49:38 +00:00
|
|
|
* K2x: Secure commands file
|
2016-03-16 13:10:08 +00:00
|
|
|
*
|
2023-11-01 20:56:03 +00:00
|
|
|
* Copyright (C) 2012-2019 Texas Instruments Incorporated - https://www.ti.com/
|
2016-03-16 13:10:08 +00:00
|
|
|
*/
|
|
|
|
|
2019-12-28 17:45:07 +00:00
|
|
|
#include <hang.h>
|
2020-05-10 17:40:01 +00:00
|
|
|
#include <image.h>
|
2019-07-16 13:49:38 +00:00
|
|
|
#include <asm/unaligned.h>
|
2016-03-16 13:10:08 +00:00
|
|
|
#include <command.h>
|
|
|
|
#include <mach/mon.h>
|
2017-04-07 15:00:03 +00:00
|
|
|
#include <spl.h>
|
2016-03-16 13:10:08 +00:00
|
|
|
asm(".arch_extension sec\n\t");
|
|
|
|
|
arm: mach-keystone: Updates mon_install for K2G HS
On early K2 devices (eg. K2HK) the secure ROM code does not support
loading secure code to firewall protected memory, before decrypting,
authenticating and executing it.
To load the boot monitor on these devices, it is necessary to first
authenticate and run a copy loop from non-secure memory that copies
the boot monitor behind firewall protected memory, before decrypting
and executing it.
On K2G, the secure ROM does not allow secure code executing from
unprotected memory. Further, ROM first copies the signed and encrypted
image into firewall protected memory, then decrypts, authenticates
and executes it.
As a result of this, we cannot use the copy loop for K2G. The
mon_install has to be modified to pass the address the signed and
encrypted secure boot monitor image to the authentication API.
For backward compatibility with other K2 devices and K2G GP,
the mon_install API still supports a single argument. In this case
the second argument is set to 0 by u-boot and is ignored by ROM
Signed-off-by: Thanh Tran <thanh-tran@ti.com>
Signed-off-by: Madan Srinivas <madans@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2017-07-17 17:59:15 +00:00
|
|
|
int mon_install(u32 addr, u32 dpsc, u32 freq, u32 bm_addr)
|
2016-03-16 13:10:08 +00:00
|
|
|
{
|
|
|
|
int result;
|
|
|
|
|
|
|
|
__asm__ __volatile__ (
|
|
|
|
"stmfd r13!, {lr}\n"
|
|
|
|
"mov r0, %1\n"
|
|
|
|
"mov r1, %2\n"
|
|
|
|
"mov r2, %3\n"
|
arm: mach-keystone: Updates mon_install for K2G HS
On early K2 devices (eg. K2HK) the secure ROM code does not support
loading secure code to firewall protected memory, before decrypting,
authenticating and executing it.
To load the boot monitor on these devices, it is necessary to first
authenticate and run a copy loop from non-secure memory that copies
the boot monitor behind firewall protected memory, before decrypting
and executing it.
On K2G, the secure ROM does not allow secure code executing from
unprotected memory. Further, ROM first copies the signed and encrypted
image into firewall protected memory, then decrypts, authenticates
and executes it.
As a result of this, we cannot use the copy loop for K2G. The
mon_install has to be modified to pass the address the signed and
encrypted secure boot monitor image to the authentication API.
For backward compatibility with other K2 devices and K2G GP,
the mon_install API still supports a single argument. In this case
the second argument is set to 0 by u-boot and is ignored by ROM
Signed-off-by: Thanh Tran <thanh-tran@ti.com>
Signed-off-by: Madan Srinivas <madans@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2017-07-17 17:59:15 +00:00
|
|
|
"mov r3, %4\n"
|
2016-03-16 13:10:08 +00:00
|
|
|
"blx r0\n"
|
2017-07-17 18:02:02 +00:00
|
|
|
"mov %0, r0\n"
|
2016-03-16 13:10:08 +00:00
|
|
|
"ldmfd r13!, {lr}\n"
|
|
|
|
: "=&r" (result)
|
arm: mach-keystone: Updates mon_install for K2G HS
On early K2 devices (eg. K2HK) the secure ROM code does not support
loading secure code to firewall protected memory, before decrypting,
authenticating and executing it.
To load the boot monitor on these devices, it is necessary to first
authenticate and run a copy loop from non-secure memory that copies
the boot monitor behind firewall protected memory, before decrypting
and executing it.
On K2G, the secure ROM does not allow secure code executing from
unprotected memory. Further, ROM first copies the signed and encrypted
image into firewall protected memory, then decrypts, authenticates
and executes it.
As a result of this, we cannot use the copy loop for K2G. The
mon_install has to be modified to pass the address the signed and
encrypted secure boot monitor image to the authentication API.
For backward compatibility with other K2 devices and K2G GP,
the mon_install API still supports a single argument. In this case
the second argument is set to 0 by u-boot and is ignored by ROM
Signed-off-by: Thanh Tran <thanh-tran@ti.com>
Signed-off-by: Madan Srinivas <madans@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2017-07-17 17:59:15 +00:00
|
|
|
: "r" (addr), "r" (dpsc), "r" (freq), "r" (bm_addr)
|
|
|
|
: "cc", "r0", "r1", "r2", "r3", "memory");
|
2016-03-16 13:10:08 +00:00
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
int mon_power_on(int core_id, void *ep)
|
|
|
|
{
|
|
|
|
int result;
|
|
|
|
|
|
|
|
asm volatile (
|
|
|
|
"stmfd r13!, {lr}\n"
|
|
|
|
"mov r1, %1\n"
|
|
|
|
"mov r2, %2\n"
|
|
|
|
"mov r0, #0\n"
|
|
|
|
"smc #0\n"
|
2017-07-17 18:02:02 +00:00
|
|
|
"mov %0, r0\n"
|
2016-03-16 13:10:08 +00:00
|
|
|
"ldmfd r13!, {lr}\n"
|
|
|
|
: "=&r" (result)
|
|
|
|
: "r" (core_id), "r" (ep)
|
|
|
|
: "cc", "r0", "r1", "r2", "memory");
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
int mon_power_off(int core_id)
|
|
|
|
{
|
|
|
|
int result;
|
|
|
|
|
|
|
|
asm volatile (
|
|
|
|
"stmfd r13!, {lr}\n"
|
|
|
|
"mov r1, %1\n"
|
|
|
|
"mov r0, #1\n"
|
|
|
|
"smc #1\n"
|
2017-07-17 18:02:02 +00:00
|
|
|
"mov %0, r0\n"
|
2016-03-16 13:10:08 +00:00
|
|
|
"ldmfd r13!, {lr}\n"
|
|
|
|
: "=&r" (result)
|
|
|
|
: "r" (core_id)
|
|
|
|
: "cc", "r0", "r1", "memory");
|
|
|
|
return result;
|
|
|
|
}
|
2017-04-07 15:00:03 +00:00
|
|
|
|
|
|
|
#ifdef CONFIG_TI_SECURE_DEVICE
|
|
|
|
#define KS2_HS_SEC_HEADER_LEN 0x60
|
|
|
|
#define KS2_HS_SEC_TAG_OFFSET 0x34
|
|
|
|
#define KS2_AUTH_CMD 130
|
|
|
|
|
|
|
|
/**
|
|
|
|
* k2_hs_bm_auth() - Invokes security functions using a
|
|
|
|
* proprietary TI interface. This binary and source for
|
|
|
|
* this is available in the secure development package or
|
|
|
|
* SECDEV. For details on how to access this please refer
|
|
|
|
* doc/README.ti-secure
|
|
|
|
*
|
|
|
|
* @cmd: Secure monitor command
|
|
|
|
* @arg1: Argument for command
|
|
|
|
*
|
|
|
|
* returns non-zero value on success, zero on error
|
|
|
|
*/
|
|
|
|
static int k2_hs_bm_auth(int cmd, void *arg1)
|
|
|
|
{
|
|
|
|
int result;
|
|
|
|
|
|
|
|
asm volatile (
|
|
|
|
"stmfd r13!, {r4-r12, lr}\n"
|
|
|
|
"mov r0, %1\n"
|
|
|
|
"mov r1, %2\n"
|
|
|
|
"smc #2\n"
|
2017-07-17 18:02:02 +00:00
|
|
|
"mov %0, r0\n"
|
2017-04-07 15:00:03 +00:00
|
|
|
"ldmfd r13!, {r4-r12, lr}\n"
|
|
|
|
: "=&r" (result)
|
|
|
|
: "r" (cmd), "r" (arg1)
|
|
|
|
: "cc", "r0", "r1", "memory");
|
|
|
|
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2021-06-11 08:45:05 +00:00
|
|
|
void board_fit_image_post_process(const void *fit, int node, void **p_image,
|
|
|
|
size_t *p_size)
|
2017-04-07 15:00:03 +00:00
|
|
|
{
|
|
|
|
int result = 0;
|
|
|
|
void *image = *p_image;
|
|
|
|
|
|
|
|
if (strncmp(image + KS2_HS_SEC_TAG_OFFSET, "KEYS", 4)) {
|
|
|
|
printf("No signature found in image!\n");
|
|
|
|
hang();
|
|
|
|
}
|
|
|
|
|
|
|
|
result = k2_hs_bm_auth(KS2_AUTH_CMD, image);
|
|
|
|
if (result == 0) {
|
|
|
|
printf("Authentication failed!\n");
|
|
|
|
hang();
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2017-06-29 13:38:25 +00:00
|
|
|
* Overwrite the image headers after authentication
|
|
|
|
* and decryption. Update size to reflect removal
|
2019-07-16 13:49:38 +00:00
|
|
|
* of header and restore original file size.
|
2017-06-29 13:38:25 +00:00
|
|
|
*/
|
2019-07-16 13:49:38 +00:00
|
|
|
*p_size = get_unaligned_le32(image + (*p_size - 4));
|
2017-06-29 13:38:25 +00:00
|
|
|
memcpy(image, image + KS2_HS_SEC_HEADER_LEN, *p_size);
|
2017-04-07 15:00:03 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Output notification of successful authentication to re-assure the
|
|
|
|
* user that the secure code is being processed as expected. However
|
|
|
|
* suppress any such log output in case of building for SPL and booting
|
|
|
|
* via YMODEM. This is done to avoid disturbing the YMODEM serial
|
|
|
|
* protocol transactions.
|
|
|
|
*/
|
|
|
|
if (!(IS_ENABLED(CONFIG_SPL_BUILD) &&
|
|
|
|
IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) &&
|
|
|
|
spl_boot_device() == BOOT_DEVICE_UART))
|
|
|
|
printf("Authentication passed\n");
|
|
|
|
}
|
|
|
|
#endif
|