diff --git a/arch/arm/imx-common/hab.c b/arch/arm/imx-common/hab.c index 6731825060..7449487f0d 100644 --- a/arch/arm/imx-common/hab.c +++ b/arch/arm/imx-common/hab.c @@ -110,6 +110,10 @@ * +------------+ + CSF_PAD_SIZE */ +static bool is_hab_enabled(void); + +#if !defined(CONFIG_SPL_BUILD) + #define MAX_RECORD_BYTES (8*1024) /* 4 kbytes */ struct record { @@ -257,22 +261,6 @@ uint8_t hab_engines[16] = { -1 }; -bool is_hab_enabled(void) -{ - struct imx_sec_config_fuse_t *fuse = - (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse; - uint32_t reg; - int ret; - - ret = fuse_read(fuse->bank, fuse->word, ®); - if (ret) { - puts("\nSecure boot fuse read error\n"); - return ret; - } - - return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT; -} - static inline uint8_t get_idx(uint8_t *list, uint8_t tgt) { uint8_t idx = 0; @@ -359,6 +347,68 @@ int get_hab_status(void) return 0; } +int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) +{ + if ((argc != 1)) { + cmd_usage(cmdtp); + return 1; + } + + get_hab_status(); + + return 0; +} + +static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc, + char * const argv[]) +{ + ulong addr, ivt_offset; + int rcode = 0; + + if (argc < 3) + return CMD_RET_USAGE; + + addr = simple_strtoul(argv[1], NULL, 16); + ivt_offset = simple_strtoul(argv[2], NULL, 16); + + rcode = authenticate_image(addr, ivt_offset); + + return rcode; +} + +U_BOOT_CMD( + hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, + "display HAB status", + "" + ); + +U_BOOT_CMD( + hab_auth_img, 3, 0, do_authenticate_image, + "authenticate image via HAB", + "addr ivt_offset\n" + "addr - image hex address\n" + "ivt_offset - hex offset of IVT in the image" + ); + + +#endif /* !defined(CONFIG_SPL_BUILD) */ + +static bool is_hab_enabled(void) +{ + struct imx_sec_config_fuse_t *fuse = + (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse; + uint32_t reg; + int ret; + + ret = fuse_read(fuse->bank, fuse->word, ®); + if (ret) { + puts("\nSecure boot fuse read error\n"); + return ret; + } + + return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT; +} + uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) { uint32_t load_addr = 0; @@ -400,7 +450,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) (void *)(ddr_start + ivt_offset+IVT_SIZE), 4, 0x10, 0); +#if !defined(CONFIG_SPL_BUILD) get_hab_status(); +#endif puts("\nCalling authenticate_image in ROM\n"); printf("\tivt_offset = 0x%x\n", ivt_offset); @@ -449,7 +501,9 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) hab_caam_clock_enable(0); +#if !defined(CONFIG_SPL_BUILD) get_hab_status(); +#endif } else { puts("hab fuse not enabled\n"); } @@ -459,46 +513,3 @@ uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size) return result; } - -int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) -{ - if ((argc != 1)) { - cmd_usage(cmdtp); - return 1; - } - - get_hab_status(); - - return 0; -} - -static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc, - char * const argv[]) -{ - ulong addr, ivt_offset; - int rcode = 0; - - if (argc < 3) - return CMD_RET_USAGE; - - addr = simple_strtoul(argv[1], NULL, 16); - ivt_offset = simple_strtoul(argv[2], NULL, 16); - - rcode = authenticate_image(addr, ivt_offset); - - return rcode; -} - -U_BOOT_CMD( - hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, - "display HAB status", - "" - ); - -U_BOOT_CMD( - hab_auth_img, 3, 0, do_authenticate_image, - "authenticate image via HAB", - "addr ivt_offset\n" - "addr - image hex address\n" - "ivt_offset - hex offset of IVT in the image" - ); diff --git a/arch/arm/imx-common/spl.c b/arch/arm/imx-common/spl.c index bdcda7de93..c86b6f83b8 100644 --- a/arch/arm/imx-common/spl.c +++ b/arch/arm/imx-common/spl.c @@ -12,6 +12,7 @@ #include #include #include +#include #if defined(CONFIG_MX6) /* determine boot device from SRC_SBMR1 (BOOT_CFG[4:1]) or SRC_GPR9 register */ @@ -90,3 +91,27 @@ u32 spl_boot_mode(const u32 boot_device) } } #endif + +#if defined(CONFIG_SECURE_BOOT) + +__weak void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image) +{ + typedef void __noreturn (*image_entry_noargs_t)(void); + + image_entry_noargs_t image_entry = + (image_entry_noargs_t)(unsigned long)spl_image->entry_point; + + debug("image entry point: 0x%X\n", spl_image->entry_point); + + /* HAB looks for the CSF at the end of the authenticated data therefore, + * we need to subtract the size of the CSF from the actual filesize */ + if (authenticate_image(spl_image->load_addr, + spl_image->size - CONFIG_CSF_SIZE)) { + image_entry(); + } else { + puts("spl: ERROR: image authentication unsuccessful\n"); + hang(); + } +} + +#endif diff --git a/arch/arm/imx-common/spl_sd.cfg b/arch/arm/imx-common/spl_sd.cfg index 5fc3e8af38..14c135c549 100644 --- a/arch/arm/imx-common/spl_sd.cfg +++ b/arch/arm/imx-common/spl_sd.cfg @@ -4,5 +4,15 @@ * SPDX-License-Identifier: GPL-2.0+ */ +#define __ASSEMBLY__ +#include + IMAGE_VERSION 2 BOOT_FROM sd + +/* + * Secure boot support + */ +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif \ No newline at end of file diff --git a/arch/arm/include/asm/imx-common/hab.h b/arch/arm/include/asm/imx-common/hab.h index dab6789b10..e0ff459d53 100644 --- a/arch/arm/include/asm/imx-common/hab.h +++ b/arch/arm/include/asm/imx-common/hab.h @@ -145,4 +145,6 @@ typedef void hapi_clock_init_t(void); /* ----------- end of HAB API updates ------------*/ +uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size); + #endif diff --git a/include/configs/mx6_common.h b/include/configs/mx6_common.h index 3bb939ecf0..6e9b871103 100644 --- a/include/configs/mx6_common.h +++ b/include/configs/mx6_common.h @@ -98,6 +98,9 @@ #define CONFIG_FSL_CAAM #define CONFIG_CMD_DEKBLOB #define CONFIG_SYS_FSL_SEC_LE +#ifdef CONFIG_SPL_BUILD +#define CONFIG_SPL_DRIVERS_MISC_SUPPORT +#endif #endif #endif