Obtain from TAMP backup register information about image authorization
status and partition id used for booting. Store this info in
environmental variables ("boot_auth" and "boot_part" correspondingly).
Image authorization supported values:
0x0 - No authentication done
0x1 - Authentication done and failed
0x2 - Authentication done and succeeded
These values are stored to TAMP backup register by Trusted Firmware-A [1].
Testing:
STM32MP> print boot_part
boot_part=1
STM32MP> print boot_auth
boot_auth=2
[1] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?h=refs/heads/integration&id=ab2b325c1ab895e626d4e11a9f26b9e7c968f8d8
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Co-developed-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
While 23e20b2fa6 ("arm: stm32mp: Fix compilation issue when
SYS_DCACHE_OFF and/or SYS_DCACHE_SYS are enabled") tried fixing
this issue, fix it really by adding #if checks for SYS_ICACHE_OFF
and SYS_DCACHE_OFF.
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Bhupesh Sharma <bhupesh.sharma@linaro.org>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
This old patch was marked as deferred. Bring it back to life, to continue
towards the removal of common.h
Move this out of the common header and include it only where needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
The PWR_MPUCR CSTBYDIS bit is set, therefore the CA cores can never
enter CStandby state and would always end up in CStop state. Clear
the PDDS bit, which indicates the CA cores can enter CStandby state
as it makes little sense to keep it set with CSTBYDIS also set.
This does however fix a problem too. When both PWR_MPUCR and PWR_MCUCR
PDDS bits are set, then the chip enters CStandby state even though the
PWR_MCUCR CSTBYDIS is set. Clearing the PWR_MPUCR PDDS prevents that
from happening.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
board_get_usable_ram_top() returns a physical address that is stored in
gd->ram_top. The return type of the function should be phys_addr_t like the
current type of gd->ram_top.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Now all linker symbols are declared as type char[]. Though we can
reference the address via both the array name 'var' and its address
'&var'. It's better to unify them to avoid confusing developers.
This patch converts all '&var' linker symbol refrences to the most
commonly used format 'var'.
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Change the default base for offset parsing with simple_strtoull(),
so offset in flashlayout is coded in base 10 by default, even if string
start with '0'. The Octal encoding is not supported. The base 16
is still supported when the '0x' header is detected.
This patch solves an unexpected parsing result when the address,
provided by decimal value is starting by 0, for example 0x4400 = 00017408
is a invalid with current code.
...
P 0x04 fsbl1 Binary mmc0 00017408 tf-a.stm32
....
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Avoid to ignore the OTP read/write error and transmits the error
to STM32CubeProgrammer.
Today the error is only displayed in log error:
so the user on HOST thinks the OTP operation is performed.
Reported-by: Mickael GARDET <m.gardet@overkiz.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Fixes: 75ea9e75931c ("stm32mp: stm32prog: add TEE support in stm32prog command")
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add a protection in misc bsec ops for request with null size.
For example OP-TEE error occurs when get_eth_nb() return 0 in
setup_mac_address() for unknown part number because U-Boot read 0 OTPs.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of STM32MP15x Rev.Y for the Silicon revision REV_ID = 0x2003.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The get_stm32mp_rom_api_table() function is defined in sys_params.h ,
add the missing header to avoid compiler warning.
Fixes: dbeaca79b7 ("ARM: stm32: Factor out save_boot_params")
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
In case the IWDG is enabled by either U-Boot or Linux, the IWDG can never
be disabled again. That includes low power states, which means that if the
IWDG is enabled, the SoC would reset itself after a while in suspend via
the IWDG. This is not desired behavior.
It is possible to enable IWDG pre-timeout IRQ which is routed into the EXTI,
and use that IRQ to wake the CPU up before the IWDG timeout is reached and
reset is triggered. This pre-timeout IRQ can be used to reload the WDT and
then suspend the CPU again every once in a while.
Implement this functionality for both IWDG1 and IWDG2 by reading out all
the unmasked IRQs, comparing the list with currently pending IRQs in GICv3:
- If any IRQ is pending and it is NOT IWDG1 or IWDG2 pre-timeout IRQ,
wake up and let OS handle the IRQs
- If IWDG1 or IWDG2 IRQ is pending and no other IRQ is pending,
ping the respective IWDG and suspend again
This does not seem to have any adverse impact on power consumption in suspend.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add support of "FWU_MDATA" partition type in flashlayout to select
the TF-A firmware update metadata partition type guid, associated to
U-Boot "system" partition type guid, FWU_MDATA_GUID introduced by
commit 2eaedc9516 ("FWU: Add FWU metadata structure and driver for
accessing metadata") and used in gpt_get_mdata_partitions() for
commit 554b38f7a5 ("FWU: Add FWU metadata access driver for GPT
partitioned block devices")
See also recommendation in FWU-PSA-A_DEN0118_1.0ALP3.pdf
4.1.2 Metadata integration with GPT
When embedded in a GPT, each metadata replica occupies a single
partition with PartitionTypeGUID = metadata_uuid.
UUID = 8a7a84a0-8387-40f6-ab41-a8b9a5a60d23
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of "ESP" partition type in flashlayout to select
the "EFI System Partition", associated to U-Boot "system"
partition type guid, PARTITION_SYSTEM_GUID =
C12A7328-F81F-11d2-BA4B-00A0C93EC93B.
This partition is the bootable partition for efi boot.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of "ENV" partition type in flashlayout to select
the "u-boot-env" GUID, with PARTITION_U_BOOT_ENVIRONMENT =
3de21764-95bd-54bd-a5c3-4abe786f38a8, that mean a partition
holding a U-Boot environment introduced by
commit c0364ce1c6 ("doc/README.gpt: define partition type
GUID for U-Boot environment")'
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
As stm32prog_get_tee_partitions() is no more used, remove tee_detected
boolean from stm32prog_data struct and all code using it.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Motivation for this patch is to remove usage of function define
in cmd/mtdparts.c interface, based on env variables mtdids and mtdparts:
mtdparts_init() and find_dev_and_part().
See commit 938db6fe5d ("cmd: mtdparts: describe as legacy")
Now, all MTD devices are populated with their partition's information
found in DT, accessible in MTD devices. Use these information to find
the wanted partitions, no more need of find_dev_and_part() usage.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The fdt_addr_t and phys_addr_t size have been decoupled.
A 32bit CPU can expect 64-bit data from the device tree parser,
so fix ofnode_get_addr_size function with fdt_addr_t input to
be able to handle both sizes for stm32mp SoC in spl.c file.
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In all these cases, the index on the LHS is immediately afterwards
used to access the array appearing in the ARRAY_SIZE() on the RHS - so
if that index is equal to the array size, we'll access
one-past-the-end of the array.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
This converts 1 usage of this option to the non-SPL form, since there is
no SPL_STM32MP15X_STM32IMAGE defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
This converts 2 usages of this option to the non-SPL form, since there is
no SPL_PMIC_STPMIC1 defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
This converts 1 usage of this option to the non-SPL form, since there is
no SPL_CMD_BOOTZ defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
We should use the cmd/ directory for commands rather than for common code
used elsewhere in U-Boot. Move the common 'source' code into
image-board.c to achieve this.
The image_source_script() function needs to call run_command_list() so
seems to belong better in the command library. Move and rename it.
Signed-off-by: Simon Glass <sjg@chromium.org>
With U-Boot having access to ROM API call table, it is possible to use
the ROM API call it authenticate e.g. signed kernel fitImages using the
BootROM ECDSA support. Make this available by pulling the ECDSA BootROM
call support from SPL-only guard.
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Marek Vasut <marex@denx.de>
The ROM API table pointer is no longer accessible from U-Boot, fix
this by passing the ROM API pointer through. This makes it possible
for U-Boot to call ROM API functions to authenticate payload like
signed fitImages.
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Marek Vasut <marex@denx.de>
The STM32MP15xx platform currently comes with two incompatible
implementations of save_boot_params() weak function override.
Factor the save_boot_params() implementation into common cpu.c
code and provide accessors to read out both ROM API table address
and DT address from any place in the code instead.
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Marek Vasut <marex@denx.de>
In case Dcache is enabled while the ECDSA authentication function is
called via BootROM ROM API, the MMU tables are set up and the BootROM
region is not marked as executable, so an attempt to run code from it
results in a hang. Mark the BootROM region as executable as suggested
by Patrick to prevent the hang.
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Add support for "st,stm32mp13-bsec" for STM32MP13x in the
bsec driver based on OP-TEE pseudo TA STM32MP BSEC.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
When OP-TEE is used, the SMC for BSEC management are not available and
the STM32MP BSEC pseudo TA must be used (it is mandatory for STM32MP13
and it is a new feature for STM32MP15x).
The BSEC driver try to open a session to this PTA BSEC at probe
and use it for OTP read or write access to fuse or to shadow.
This patch also adapts the commands stm32key and stboard to handle
the BSEC_LOCK_PERM lock value instead of 1.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Remove unnecessary return in stm32mp_bsec_write_lock and replace tab
by space for plat_auto opts.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Do not access gd->ram_size and assume this is actual valid RAM size. Since commit
777aaaa706 ("common/memsize.c: Fix get_effective_memsize() to check for overflow")
the RAM size may be less than gd->ram_size , call get_effective_memsize() to get
the limited value instead.
The aforementioned commit makes STM32MP15xx boards with 1 GiB of DRAM
at 0xc0000000 hang on boot, which is a grave defect.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
As discussed previously [1,2], the source command is not safe to use with
verified boot unless there is a key with required = "images" (which has its
own problems). This is because if such a key is absent, signatures are
verified but not required. It is assumed that configuration nodes will
provide the signature. Because the source command does not use
configurations to determine the image to source, effectively no
verification takes place.
To address this, allow specifying configuration nodes. We use the same
syntax as the bootm command (helpfully provided for us by fit_parse_conf).
By default, we first try the default config and then the default image. To
force using a config, # must be present in the command (e.g. `source
$loadaddr#my-conf`). For convenience, the config may be omitted, just like
the address may be (e.g. `source \#`). This also works for images
(`source :` behaves exactly like `source` currently does).
[1] https://lore.kernel.org/u-boot/7d711133-d513-5bcb-52f2-a9dbaa9eeded@prevas.dk/
[2] https://lore.kernel.org/u-boot/042dcb34-f85f-351e-1b0e-513f89005fdd@gmail.com/
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Two callers of image_source_script specify an image name. However, both
use the deprecated @ syntax, indicating that they have not been updated
in a while. If CONFIG_FIT_SIGNATURE is enabled, we will reject such
names outright. Back in commit 152576a598 ("stm32mp: stm32prog: handle
U-Boot script in flashlayout alternate"), we even renamed one of the
nodes. Instead of hard-coding a script image name, just use the default
image.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The FWU Multi Bank Update feature allows the platform to boot the
firmware images from one of the partitions(banks). The first stage
bootloader(fsbl) passes the value of the boot index, i.e. the bank
from which the firmware images were booted from to U-Boot. On the
STM32MP157C-DK2 board, this value is passed through one of the SoC's
backup register. Add a function to read the boot index value from the
backup register.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
The current name is inconsistent with SPL which uses CONFIG_SPL_TEXT_BASE
and this makes it imposible to use CONFIG_VAL().
Rename it to resolve this problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fix the compilation issue when CONFIG_DEBUG_UART is activated
drivers/serial/serial_stm32.o: in function `debug_uart_init':
drivers/serial/serial_stm32.c:291: undefined reference to \
`board_debug_uart_init'
The board_debug_uart_init is needed for SPL boot, called in
cpu.c::mach_cpu_init(); it is defined in board/st/stm32mp1/spl.c.
But with the removal #ifdefs patch, the function debug_uart_init() is
always compiled even if not present in the final U-Boot image.
This patch adds a file to provided this function when DEBUG_UART and SPL
are activated.
Fixes: c8b2eef52b ("stm32mp15: tidy up #ifdefs in cpu.c")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
- SPL fixes for STM32F7 MCUs
- Device tree alignement with kernelv6.0-rc4 for MCU's board
- Device tree alignement with kernelv6.0-rc3 for MPU's board
- Update DDR node for STM32MP15
- Cleanup config file for STM32MP1
- Update for cmd_stm32key command
- Fix compatible string to add partitions for STM32MP1
- Update for stm32programmer tool
-----BEGIN PGP SIGNATURE-----
iQJQBAABCgA6FiEEXyrViUccKBz9c35Jysd4L3sz/6YFAmMy5KMcHHBhdHJpY2Uu
Y2hvdGFyZEBmb3NzLnN0LmNvbQAKCRDKx3gvezP/phGoEACO/DdR5qrZcWYZhK8t
4ZhCYW3+anI7hx/aOx2k36JIw8V7kTCivBszTXtvEFLoPARKSt2RCGKRrSciyPw8
e5HaX85fvOum1+p555LzGBerleezz3dMIE6PgjuWHQgznVh5jaJPvu5SacOoU2yt
RCQbrBUqMxZ9HPFWOWsmqBo5rIskgn0fhkSDaqj+v0yqnj/HLZk5NtAy4q3KYxA1
yL4rHB5+SM7ENh1KsPJm+8M5FTjBmVBZKp17mcu/3z3RwNNCjEVG0aXw8Im7pzb8
b0pwnOqxRMBsBNOqnZ6kmNdKeOBZVfh35dBXplUxfMG6VYWwrNUTAgLnwPIFbFWX
qaMiyRdAK5KArOCWFzbJN8oqCrM7hrTnlpmK9ilILJ81VuN/JDvFmLle31DrOxm6
XzVh8GOp+cjEmJckcm8ChAUGB/Q1ToTZd6TMXN69IzcmE0t0rW/j+muILVeq+rT5
JmWz+5av9W1nKRVP9WzfjOVASNdNgNRQMYAn8jJwUU/oiEw6QIZUP4m5rngSNMzQ
f3Jzl+zO7QfFtT4NHir1HNguJRnZxuzxBc3Ok639UwzMJQwHuy6LPJnAlKLUoYuE
LYkplLn7UA8aSbiWJq04fws0xrTYMvK1VWZp5CFgsnsc2usLy4Sks9JIwyqmAxme
dF0ut2NYT3o8Ctn9ppezA+sx2w==
=iA80
-----END PGP SIGNATURE-----
Merge tag 'u-boot-stm32-20220927' of https://source.denx.de/u-boot/custodians/u-boot-stm into next
- Increase SYS_MALLOC_F_LEN for STM32 MCU's board
- SPL fixes for STM32F7 MCUs
- Device tree alignement with kernelv6.0-rc4 for MCU's board
- Device tree alignement with kernelv6.0-rc3 for MPU's board
- Update DDR node for STM32MP15
- Cleanup config file for STM32MP1
- Update for cmd_stm32key command
- Fix compatible string to add partitions for STM32MP1
- Update for stm32programmer tool
Commit 37dc958947 ("global_data.h: Change ram_top type to phys_addr_t")
changed type of ram_top member from ulong to phys_addr_t but did not
changed types in board_get_usable_ram_top() function which returns value
for ram_top.
So change ulong to phys_addr_t type also in board_get_usable_ram_top()
signature and implementations.
Fixes: 37dc958947 ("global_data.h: Change ram_top type to phys_addr_t")
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Change the mask of OTP0 used to close the device on STM32MP
- STM32MP15x: bit 6 of OPT0
- STM32MP13x: 0b111111 = 0x3F for OTP_SECURED closed device
And support the 2 keys for STM32MP13x
- PKHTH : Hash of the 8 ECC Public Keys Hashes Table
(ECDSA is the authentication algorithm)
- EDMK : Encryption/Decryption Master Key
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Update the command stm32key to support several keys selected by
key name and managed by the new sub-command:
stm32key list
stm32key select [<key>]
stm32key read -a
This patch doesn't change the STM32MP15 behavior, only PKH is
supported, but it is a preliminary patch for STM32MP13 support.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Split the read_hash_otp function and introduce the helper function
read_close_status to read the close status in OTP separately of the PKH.
This patch is a preliminary step for STM32MP13 support.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add defines for value used in stm32key for BSEC permanent lock status
and error.
This patch is a preliminary step to support more lock status in BSEC
driver.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Improve the partitioning trace done in command stm32prog:
- remove the trace "partition: Done" when the GPT partitioning is not done
- indicate the mmc instance used for each 'gpt write' command
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
As the SMC is only supported in SP-MIN for STM32MP15x, the associated
partition should be absent when the TA NVMEM is not available in OPT-TEE
in STM32MP13x.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Solve many compilation warning when stm32prog is activated on the aarch64.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Change the defaut flashlayout location, hardcoded at STM32_DDR_BASE,
to CONFIG_SYS_LOAD_ADDR to avoid issue on board with reserved memory
at STM32_DDR_BASE.
This patch changes the command behavior for STM32MP13 and STM32MP15
platform, as CONFIG_SYS_LOAD_ADDR(0xc2000000) != STM32_DDR_BASE
but without impact for serial boot with STM32CubeProgrammer.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>