powerpc: Clean up CHAIN_OF_TRUST related options

As things stand currently, there is only one PowerPC platform that enables the options for CHAIN_OF_TRUST. From the board header files, remove a number of never-set options. Remove board specific values from arch/powerpc/include/asm/fsl_secure_boot.h as well. Rework include/config_fsl_chain_trust.h to not abuse the CONFIG namespace for constructing CHAIN_BOOT_CMD. Migrate all of the configurable addresses to Kconfig. If any platforms are re-introduced with secure boot support, everything required should still be here, but now in Kconfig, or requires migration of an option to Kconfig. Cc: Peng Fan <peng.fan@nxp.com> Signed-off-by: Tom Rini <trini@konsulko.com>
2024-09-20 14:41:58 +00:00 · 2022-06-17 16:24:34 -04:00 · 2022-06-17 16:24:34 -04:00 · f4cd75e96a
commit f4cd75e96a
parent 52aaa1840d
8 changed files with 66 additions and 89 deletions
--- a/arch/Kconfig.nxp
+++ b/arch/Kconfig.nxp
@ -75,6 +75,46 @@ config SPL_UBOOT_KEY_HASH
 	  41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b.
 	  Otherwise leave this empty.

+if PPC
+
+config BOOTSCRIPT_COPY_RAM
+	bool "Secure boot copies boot script to RAM"
+	help
+	  On systems that support chain of trust booting, a number of addresses
+	  are required to set variables that are used in the copying and then
+	  verification of different parts of the system.  If enabled, the subsequent
+	  options are for what location to use in each step.
+
+config BS_ADDR_DEVICE
+	hex "Address in RAM for bs_device"
+	depends on BOOTSCRIPT_COPY_RAM
+
+config BS_SIZE
+	hex "The size of bs_size which is the amount read from bs_device"
+	depends on BOOTSCRIPT_COPY_RAM
+
+config BS_ADDR_RAM
+	hex "Address in RAM for bs_ram"
+	depends on BOOTSCRIPT_COPY_RAM
+
+config BS_HDR_ADDR_DEVICE
+	hex "Address in RAM for bs_hdr_device"
+	depends on BOOTSCRIPT_COPY_RAM
+
+config BS_HDR_SIZE
+	hex "The size of bs_hdr_size which is the amount read from bs_hdr_device"
+	depends on BOOTSCRIPT_COPY_RAM
+
+config BS_HDR_ADDR_RAM
+	hex "Address in RAM for bs_hdr_ram"
+	depends on BOOTSCRIPT_COPY_RAM
+
+config BOOTSCRIPT_HDR_ADDR
+	hex "CONFIG_BOOTSCRIPT_HDR_ADDR"
+	default BS_ADDR_RAM if BOOTSCRIPT_COPY_RAM
+
+endif
+
 config SYS_FSL_SRK_LE
 	def_bool y
 	depends on ARM
--- a/arch/powerpc/include/asm/fsl_secure_boot.h
+++ b/arch/powerpc/include/asm/fsl_secure_boot.h
@ -10,19 +10,12 @@
 #ifdef CONFIG_NXP_ESBC
 #if defined(CONFIG_FSL_CORENET)
 #define CONFIG_SYS_PBI_FLASH_BASE		0xc0000000
-#elif defined(CONFIG_TARGET_BSC9132QDS)
-#define CONFIG_SYS_PBI_FLASH_BASE		0xc8000000
-#elif defined(CONFIG_TARGET_C29XPCIE)
-#define CONFIG_SYS_PBI_FLASH_BASE		0xcc000000
 #else
 #define CONFIG_SYS_PBI_FLASH_BASE		0xce000000
 #endif
 #define CONFIG_SYS_PBI_FLASH_WINDOW		0xcff80000

-#if defined(CONFIG_TARGET_B4860QDS) || \
-	defined(CONFIG_TARGET_B4420QDS) || \
-	defined(CONFIG_TARGET_T4240QDS) || \
-	defined(CONFIG_TARGET_T2080QDS) || \
+#if defined(CONFIG_TARGET_T2080QDS) || \
 	defined(CONFIG_TARGET_T2080RDB) || \
 	defined(CONFIG_TARGET_T1042RDB) || \
 	defined(CONFIG_TARGET_T1042D4RDB) || \
@ -78,40 +71,6 @@
 #endif /* ifdef CONFIG_SPL_BUILD */

 #ifndef CONFIG_SPL_BUILD
-/*
- * fsl_setenv_chain_of_trust() must be called from
- * board_late_init()
- */
-
-/* If Boot Script is not on NOR and is required to be copied on RAM */
-#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
-#define CONFIG_BS_HDR_ADDR_RAM		0x00010000
-#define CONFIG_BS_HDR_ADDR_DEVICE	0x00800000
-#define CONFIG_BS_HDR_SIZE		0x00002000
-#define CONFIG_BS_ADDR_RAM		0x00012000
-#define CONFIG_BS_ADDR_DEVICE		0x00802000
-#define CONFIG_BS_SIZE			0x00001000
-
-#define CONFIG_BOOTSCRIPT_HDR_ADDR	CONFIG_BS_HDR_ADDR_RAM
-#else
-
-/* The bootscript header address is different for B4860 because the NOR
- * mapping is different on B4 due to reduced NOR size.
- */
-#if defined(CONFIG_TARGET_B4860QDS) || defined(CONFIG_TARGET_B4420QDS)
-#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xecc00000
-#elif defined(CONFIG_FSL_CORENET)
-#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xe8e00000
-#elif defined(CONFIG_TARGET_BSC9132QDS)
-#define CONFIG_BOOTSCRIPT_HDR_ADDR	0x88020000
-#elif defined(CONFIG_TARGET_C29XPCIE)
-#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xec020000
-#else
-#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xee020000
-#endif
-
-#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */
-
 #include <config_fsl_chain_trust.h>
 #endif /* #ifndef CONFIG_SPL_BUILD */
 #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@ -12,6 +12,7 @@
 #include <fsl_sfp.h>
 #include <log.h>
 #include <dm/root.h>
+#include <asm/fsl_secure_boot.h>

 #if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK)
 #include <spl.h>
@ -76,14 +77,14 @@ int fsl_setenv_chain_of_trust(void)

 	/* If Boot mode is Secure, set the environment variables
 	 * bootdelay = 0 (To disable Boot Prompt)
-	 * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+	 * bootcmd = CHAIN_BOOT_CMD (Validate and execute Boot script)
 	 */
 	env_set("bootdelay", "-2");

 #ifdef CONFIG_ARM
 	env_set("secureboot", "y");
 #else
-	env_set("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+	env_set("bootcmd", CHAIN_BOOT_CMD);
 #endif

 	return 0;
--- a/configs/T2080QDS_SECURE_BOOT_defconfig
+++ b/configs/T2080QDS_SECURE_BOOT_defconfig
@ -1,8 +1,13 @@
 CONFIG_PPC=y
 CONFIG_SYS_TEXT_BASE=0xEFF40000
 CONFIG_ENV_SIZE=0x2000
-CONFIG_NXP_ESBC=y
 CONFIG_DEFAULT_DEVICE_TREE="t2080qds"
+CONFIG_MPC85xx=y
+CONFIG_TARGET_T2080QDS=y
+CONFIG_MPC85XX_HAVE_RESET_VECTOR=y
+CONFIG_ENABLE_36BIT_PHYS=y
+CONFIG_NXP_ESBC=y
+CONFIG_BOOTSCRIPT_HDR_ADDR=0xee020000
 CONFIG_FSL_USE_PCA9547_MUX=y
 CONFIG_VID=y
 CONFIG_VID_FLS_ENV="t208xqds_vdd_mv"
@ -10,10 +15,6 @@ CONFIG_VOL_MONITOR_IR36021_READ=y
 CONFIG_VOL_MONITOR_IR36021_SET=y
 CONFIG_FSL_QIXIS=y
 # CONFIG_QIXIS_I2C_ACCESS is not set
-CONFIG_MPC85xx=y
-CONFIG_TARGET_T2080QDS=y
-CONFIG_MPC85XX_HAVE_RESET_VECTOR=y
-CONFIG_ENABLE_36BIT_PHYS=y
 # CONFIG_SYS_MALLOC_F is not set
 CONFIG_MP=y
 CONFIG_FIT=y
--- a/include/config_fsl_chain_trust.h
+++ b/include/config_fsl_chain_trust.h
@ -18,21 +18,21 @@
 */

 #ifdef CONFIG_USE_BOOTARGS
-#define CONFIG_SET_BOOTARGS	"setenv bootargs \'" CONFIG_BOOTARGS" \';"
+#define SET_BOOTARGS	"setenv bootargs \'" CONFIG_BOOTARGS" \';"
 #else
-#define CONFIG_SET_BOOTARGS	"setenv bootargs \'root=/dev/ram "	\
+#define SET_BOOTARGS	"setenv bootargs \'root=/dev/ram "	\
 				"rw console=ttyS0,115200 ramdisk_size=600000\';"
 #endif

-#define CONFIG_SECBOOT \
+#define SECBOOT \
 	"setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
-	CONFIG_SET_BOOTARGS	\
+	SET_BOOTARGS	\
 	"esbc_validate $bs_hdraddr;" \
 	"source $img_addr;"	\
 	"esbc_halt\0"

 #ifdef CONFIG_BOOTSCRIPT_COPY_RAM
-#define CONFIG_BS_COPY_ENV \
+#define BS_COPY_ENV \
 	"setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \
 	"setenv bs_hdr_device " __stringify(CONFIG_BS_HDR_ADDR_DEVICE)";" \
 	"setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \
@ -43,33 +43,28 @@
 /* For secure boot flow, default environment used will be used */
 #if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_NAND_BOOT) || \
 	defined(CONFIG_SD_BOOT)
-#if defined(CONFIG_RAMBOOT_NAND) || defined(CONFIG_NAND_BOOT)
-#define CONFIG_BS_COPY_CMD \
+#if defined(CONFIG_NAND_BOOT)
+#define BS_COPY_CMD \
 	"nand read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \
 	"nand read $bs_ram $bs_device $bs_size ;"
 #elif defined(CONFIG_SD_BOOT)
-#define CONFIG_BS_COPY_CMD \
+#define BS_COPY_CMD \
 	"mmc read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \
 	"mmc read $bs_ram $bs_device $bs_size ;"
 #endif
 #else
-#define CONFIG_BS_COPY_CMD \
+#define BS_COPY_CMD \
 	"cp.b $bs_hdr_device $bs_hdr_ram  $bs_hdr_size ;" \
 	"cp.b $bs_device $bs_ram  $bs_size ;"
 #endif
+#else /* !CONFIG_BOOTSCRIPT_COPY_RAM */
+#define BS_COPY_ENV
+#define BS_COPY_CMD
 #endif /* CONFIG_BOOTSCRIPT_COPY_RAM */

-#ifndef CONFIG_BS_COPY_ENV
-#define CONFIG_BS_COPY_ENV
-#endif
-
-#ifndef CONFIG_BS_COPY_CMD
-#define CONFIG_BS_COPY_CMD
-#endif
-
-#define CONFIG_CHAIN_BOOT_CMD	CONFIG_BS_COPY_ENV \
-				CONFIG_BS_COPY_CMD \
-				CONFIG_SECBOOT
+#define CHAIN_BOOT_CMD	BS_COPY_ENV \
+			BS_COPY_CMD \
+			SECBOOT

 #endif
 #endif
--- a/include/configs/P1010RDB.h
+++ b/include/configs/P1010RDB.h
@ -53,7 +53,6 @@
 #endif

 #ifdef CONFIG_NAND_SECBOOT	/* NAND Boot */
-#define CONFIG_RAMBOOT_NAND
 #define CONFIG_RESET_VECTOR_ADDRESS	0x110bfffc
 #endif

@ -348,8 +347,7 @@ extern unsigned long get_sdram_size(void);
 					FTIM2_GPCM_TWP(0x1f))
 #define CONFIG_SYS_CS3_FTIM3		0x0

-#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH) || \
-	defined(CONFIG_RAMBOOT_NAND)
+#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH)
 #define CONFIG_SYS_RAMBOOT
 #else
 #undef CONFIG_SYS_RAMBOOT
--- a/include/configs/T104xRDB.h
+++ b/include/configs/T104xRDB.h
@ -66,14 +66,6 @@
 #define CONFIG_PCIE3			/* PCIE controller 3 */
 #define CONFIG_PCIE4			/* PCIE controller 4 */

-#if defined(CONFIG_SPIFLASH)
-#elif defined(CONFIG_MTD_RAW_NAND)
-#ifdef CONFIG_NXP_ESBC
-#define CONFIG_RAMBOOT_NAND
-#define CONFIG_BOOTSCRIPT_COPY_RAM
-#endif
-#endif
-
 /*
 * These can be toggled for performance analysis, otherwise use default.
 */
--- a/include/configs/corenet_ds.h
+++ b/include/configs/corenet_ds.h
@ -15,17 +15,8 @@
 #include "../board/freescale/common/ics307_clk.h"

 #ifdef CONFIG_RAMBOOT_PBL
-#ifdef CONFIG_NXP_ESBC
 #define CONFIG_RAMBOOT_TEXT_BASE	CONFIG_SYS_TEXT_BASE
 #define CONFIG_RESET_VECTOR_ADDRESS	0xfffffffc
-#ifdef CONFIG_MTD_RAW_NAND
-#define CONFIG_RAMBOOT_NAND
-#endif
-#define CONFIG_BOOTSCRIPT_COPY_RAM
-#else
-#define CONFIG_RAMBOOT_TEXT_BASE	CONFIG_SYS_TEXT_BASE
-#define CONFIG_RESET_VECTOR_ADDRESS	0xfffffffc
-#endif
 #endif

 #ifdef CONFIG_SRIO_PCIE_BOOT_SLAVE