Add a configuration flag CONFIG_CMD_STM32PROG_OTP to enable the support of
OTP update in stm32prog command.
This new configuration allows to deactivate this feature for security reason
and it is a preliminary step for support of OPT update with the OP-TEE
provisioning TA.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Platforms can overwrite the weak definition of spl_mmc_boot_mode() to
determine where to load U-Boot proper from.
For most of them this is a trivial decision based on Kconfig variables,
but it might be desirable the probe the actual device to answer this
question.
Pass the pointer to the mmc struct to that function, so implementations
can make use of that.
Compile-tested for all users changed.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
Reviewed-by: Ley Foon Tan <ley.foon.tan@inte.com> (for SoCFPGA)
Acked-by: Lokesh Vutla <lokeshvutla@ti.com> (for OMAP and K3)
Reviewed-by: Simon Glass <sjg@chromium.org>
Implement PSCI system suspend and placement of DRAM into SSR while the
CPUs are in suspend. This saves non-trivial amount of power in suspend,
on 2x W632GU6NB-15 ~710mW.
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Add the missing @dev reference in some function description.
Fixes: b66bfdf238 ("arm: stm32mp: bsec: migrate trace to log macro")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of the permanent lock support in U-Boot proper
when BSEC is not managed by secure monitor (TF-A SP_MIN or OP-TEE).
This patch avoid issue with stm32key command and fuse command
on basic boot for this missing feature of U-Boot BSEC driver.
Reported-by: Johann Neuhauser <jneuhauser@dh-electronics.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Tested-by: Johann Neuhauser <jneuhauser@dh-electronics.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Since commit 9855034397 ("fdt: Don't call board_fdt_blob_setup()
without OF_BOARD") board_fdt_blob_setup() is no more called on
STM32MP platforms in trusted boot which hangs during boot process.
Enable OF_BOARD flag to fix this issue.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add the partition name and remove the line number in error messages
of treat_partition_list() to provide correct information to user of
STM32CubeProgrammer.
The "line number" value was confusing because it is incorrect here;
the index in part_array[] is not aligned with the line number in
the parsed Layout file, because the empty lines and the lines beginning
by '#' are skipped during the first parsing in parse_flash_layout().
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Default value for CONFIG_SYS_BOOTCOUNT_SINGLEWORD and
CONFIG_SYS_BOOTCOUNT_ADDR are only needed when
CONFIG_BOOTCOUNT_GENERIC is used.
This patch avoids to define these configs when an other bootcount backend
is activated, for example for CONFIG_BOOTCOUNT_ENV.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Today the bootcount is not managed by the Linux kernel for STM32MP15 as
we don't have driver to update the used backup register in TAMP and the
recovery command still executes the normal bootcmd with
'altbootcmd=run bootcmd'.
So the bootcount feature is never used, the config CONFIG_BOOTCOUNT_LIMIT
and the associated environment variable 'altbootcmd' can be removed to
reduce the U-Boot size.
Each boards can re-enable this feature later in their defconfig, if it is
needed, with the expected backend, for example CONFIG_BOOTCOUNT_GENERIC
or CONFIG_BOOTCOUNT_ENV.
CC: Marek Vasut <marex@denx.de>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
In case the SoC reports the boot device type is USB, it means the SPL was
loaded via BootROM DFU mode. Currently the spl_boot_device() returns boot
device as USB host, change it to DFU instead, so the SPL can continue the
DFU boot and load U-Boot via DFU.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
We should avoid #ifdef in C modules and the unused functions
are eliminated by the linker.
Use the more readable IS_ENABLE() instead.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
In some part of STM32MP15 support the CONFIG_TFABOOT can be replaced
by other config: CONFIG_ARMV7_PSCI and CONFIG_ARM_SMCCC.
This patch also simplifies the code in cpu.c, stm32mp1_ram.c and
clk_stml32mp1.c as execution of U-Boot in sysram (boot without SPL and
without TFA) is not supported: the associated initialization code is
present only in SPL.
This cleanup patch is a preliminary step to support SPL load of OP-TEE
in secure world, with SPL in secure world and U-Boot in no-secure world.
Reported-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Remove the dependency on CONFIG_TFABOOT in stm32mp Kconfig
- always activate the ARCH config: CONFIG_ARCH_SUPPORT_PSCI
and CONFIG_CPU_V7_HAS_NONSEC
- CONFIG_ARMV7_NONSEC is deactivated in trusted defconfig
- the correct sysreset driver is activated in each defconfig:
CONFIG_SYSRESET_PSCI or SYSRESET_SYSCON
Reported-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Currently the upper OTP (after 57) are shadowed in U-Boot proper,
when TFABOOT is not used.
This choice cause an issue when U-Boot is not executed after SPL,
so this BSEC initialization is moved in SPL and no more executed in U-Boot,
so it is still executed only one time.
After this patch this BSEC initialization is done in FSBL: SPL or TF-A.
To force this initialization in all the case, the probe of the BSEC
driver is forced in SPL in the arch st32mp function: spl_board_init().
Even if today BSEC driver is already probed in STM32MP15x clock driver
clk_stm32mp1.c because get_cpu_type() is called in
stm32mp1_get_max_opp_freq() function.
Reported-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The stm32 gpio driver private data are not needed in arch include files,
they are not used by code except for stm32 gpio and pincontrol drivers,
using the same IP; the defines for this IP is moved in a new file
"stm32_gpio_priv.h" in driver/gpio.
This patch avoids to have duplicated file gpio.h for each SOC
in MPU directory mach-stm32mp and in each MCU directory arch-stm32*
and allows to remove CONFIG_GPIO_EXTRA_HEADER for all STM32.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use binman to add the stm32image header on SPL binary for basic boot
or on U-Boot binary when it is required, i.e. for TF-A boot without FIP
support, when CONFIG_STM32MP15x_STM32IMAGE is activated.
The "binman" tool is the recommended tool for specific image generation.
This patch allows to suppress the config.mk file and it is a preliminary
step to manage FIT generation with binman.
The init_r parsing of U-Boot device tree to search the binman
information is not required for STM32MP15, so the binman library
can be removed in U-Boot (CONFIG_BINMAN_FDT is deactivated).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The missing trailing newline could confuse check-config.sh if the
definition of an option was on the first line of the next file that
find(1) happened to return.
Signed-off-by: William Grant <wgrant@ubuntu.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
OF_HOSTFILE is used on sandbox configs only. Although it's pretty
unique and not causing any confusions, we are better of having simpler
config options for the DTB.
So let's replace that with the existing OF_BOARD. U-Boot would then
have only three config options for the DTB origin.
- OF_SEPARATE, build separately from U-Boot
- OF_BOARD, board specific way of providing the DTB
- OF_EMBED embedded in the u-boot binary(should not be used in production
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add stub for tee_find_device function when CONFIG_TEE is not activated
to simplify the caller code.
This patch allows to remove the CONFIG_IS_ENABLED(OPTEE) tests
for stm32 platform.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@inaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
When booting in EFI, lib/efi_loader/efi_memory.c calls
board_get_usable_ram_top(0) which returns by default
gd->ram_base + gd->ram_size which is the top of DDR.
In case of OPTEE boot, the top of DDR is currently reserved by OPTEE,
board_get_usable_ram_top(0) must return an address outside OPTEE
reserved memory.
gd->ram_top matches this constraint as it has already been initialized
by substracting all DT reserved-memory (included OPTEE memory area).
Fixes: 92b611e8b0 ("stm32mp: correctly handle board_get_usable_ram_top(0)")
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
default n/no doesn't need to be specified. It is default option anyway.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
[trini: Rework FSP_USE_UPD portion]
Signed-off-by: Tom Rini <trini@konsulko.com>
The STM32MP ROM provides several service. One of them is the ability
to verify ecdsa256 signatures. Hook the ROM API into the ECDSA uclass.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The function board_get_usable_ram_top can be called after relocation
with total_size = 0 to get the uppermost pointer that is valid to access
in U-Boot.
When total_size = 0, the reserved memory should be not take in account
with lmb library and 'gd->ram_base + gd->ram_size' can be used.
It is the case today in lib/efi_loader/efi_memory.c:efi_add_known_memory()
and this patch avoids that the reserved memory for OP-TEE is not part of
the EFI available memory regions.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The MTD tee partitions used to save the OP-TEE binary are needed when
TF-A doesn't use the FIP container to load binaries.
This patch puts under CONFIG_STM32MP15x_STM32IMAGE flag the associated
code in U-Boot binary and prepare the code cleanup when
CONFIG_STM32MP15x_STM32IMAGE support will be removed after TF-A migration
to FIP support.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
With FIP support in TF-A (when CONFIG_STM32MP15x_STM32IMAGE
is not activated), the DT nodes needed by OP-TEE are added by OP-TEE
firmware in U-Boot device tree, present in FIP.
These nodes are only required in trusted boot, when TF-A load the file
u-boot.stm32, including the U-Boot device tree with STM32IMAGE header,
in this case OP-TEE can't update the U-Boot device tree.
Moreover in trusted boot mode with FIP, as the OP-TEE nodes are present
in U-Boot device tree only when needed the function
stm32_fdt_disable_optee can be removed.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
By default for trusted boot with TF-A, U-Boot (u-boot-nodtb)
is located in FIP container with its device tree and with
the secure monitor (provided by TF-A or OP-TEE).
The FIP file is loaded by TF-A BL2 and each components is
extracted at the final location.
This patch add CONFIG_STM32MP15x_STM32IMAGE to request the
STM32 image generation for SOC STM32MP15x
when FIP container is not used (u-boot.stm32 is loaded by TF-A
as done previously to keep the backward compatibility).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.
Add a proper comment to simple_strtoul() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
OP-TEE is very particular about how the TZC should be configured.
When booting an OP-TEE payload, an incorrect TZC configuration will
result in a panic.
Most information can be derived from the SPL devicetree. The only
information we don't have is the split between TZDRAM and shared
memory. This has to be hardcoded. The rest of the configuration is
fairly easy, and only requires 3 TZC regions. Configure them.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The purpose of this change is to allow configuring TrustZone (TZC)
memory permissions. For example, OP-TEE expects TZC regions to be
configured in a very particular way. The API presented here is
intended to allow exactly that.
UCLASS support is not implemented, because it would not be too useful.
Changing TZC permissions needs to be done with care, so as not to cut
off access to memory we are currently using. One place where we can
use this is at the end of SPL, right before jumping to OP-TEE.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
When the TAMP register 20 have an invalid value (0x0 for example after
TAMPER error) the "boot_device" U-Boot env variable have no value and
no error is displayed in U-Boot log.
The STM32MP boot command bootcmd_stm32mp failed with strange trace:
"Boot over !"
and the next command in bootcmd_stm32mp failed with few indication:
if test ${boot_device} = serial || test ${boot_device} = usb;
then stm32prog ${boot_device} ${boot_instance};
As it is difficult to investigate, the current patch avoids this issue:
- change the debug message to error: "unexpected boot mode" is displayed
- display trace "Boot over invalid!" in bootcmd_stm32mp
- execute "run distro_bootcmd" to try all the possible target
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use the device sequence number in boot_instance variable
and no more the SDMMC instance provided by ROM code/TF-A.
After this patch we don't need to define the mmc alias in
device tree, for example:
mmc0 = &sdmmc1;
mmc1 = &sdmmc2;
mmc2 = &sdmmc3;
to have a correct mapping between the ROM code boot device =
"${boot_device}${boot_instance}" and the MMC device in U-Boot.
With this patch the 'mmc0' device (used in mmc commands) is
always used when only one instance sdmmc is activated in device
tree, even if it is only the sdmmc2 or sdmmc3.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use the existing defines PMIC_SIZE and OTP_SIZE and a new define
CMD_SIZE for virtual partition size.
This patch corrects the size for OTP partition in alternate name
(1024 instead of 512) and avoids other alignment issues.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Enable the clocks during syscon probe when they are present in device tree.
This patch avoids a freeze when the SYSCFG clock is not enabled by
TF-A / OP-TEE.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The expected sequence to close the device
1/ Load key in DDR with any supported load command
2/ Update OTP with key: STM32MP> stm32key read <addr>
At this point the device is able to perform image authentication but
non-authenticated images can still be used and executed.
So it is the last moment to test boot with signed binary and
check that the ROM code accepts them.
3/ Close the device: only signed binary will be accepted !!
STM32MP> stm32key close
Warning: Programming these OTP is an irreversible operation!
This may brick your system if the HASH of key is invalid
This command should be deactivated by default in real product.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Allow to read the OTP value and lock status with the command
$> stm32key read.
This patch also protects the stm32key fuse command.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add a helper function to access to BSEC misc driver.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Lock the OTP value of key's hash after the command
$> stm32key fuse <address>
This operation forbids a second update of these OTP as they are
ECC protected in BSEC: any update of these OTP with a different value
causes a BSEC disturb error and the closed chip will be bricked.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Simplify parsing the command argument by using
the macro U_BOOT_CMD_WITH_SUBCMDS.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This command is used to evaluate the secure boot on stm32mp SOC,
it is deactivated by default in real products.
We activate this command only in STMicroelectronics defconfig
used with the evaluation boards.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>