Commit graph

125 commits

Author SHA1 Message Date
Bryan O'Donoghue
ca89df7dd4 imx: hab: Convert DCD non-NULL error to warning
commit 8c4037a09a ("imx: hab: Ensure the IVT DCD pointer is Null prior
to calling HAB authenticate function.") makes the DCD field being NULL a
dependency.

This change though will break loading and executing of existing pre-signed
binaries on a u-boot update i.e. if this change is deployed on a board you
will be forced to redo all images on that board to NULL out the DCD.

There is no prior guidance from NXP that the DCD must be NULL similarly
public guidance on usage of the HAB doesn't call out this NULL dependency
(see boundary devices link).

Since later SoCs will reject a non-NULL DCD there's no reason to make a
NULL DCD a requirement, however if there is an actual dependency for later
SoCs the appropriate fix would be to do SoC version checking.

Earlier SoCs are capable (and happy) to authenticate images with non-NULL
DCDs, we should not be forcing this change on downstream users -
particularly if it means those users now must rewrite their build systems
and/or redeploy signed images in the field.

Fixes: 8c4037a09a ("imx: hab: Ensure the IVT DCD pointer is Null prior
to calling HAB authenticate function.")

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Cc: Breno Lima <breno.lima@nxp.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Link: https://boundarydevices.com/high-assurance-boot-hab-dummies
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-03-13 07:51:32 -04:00
Yasushi SHOJI
314d9f7e3e imx: syscounter: make sure asm is volatile
Without the volatile attribute, compilers are entitled to optimize out
the same asm().  In the case of __udelay() in syscounter.c, it calls
`get_ticks()` twice, one for the starting time and the second in the
loop to check the current time.  When compilers inline `get_ticks()`
they see the same `mrrc` instructions and optimize out the second one.
This leads to infinite loop since we don't get updated value from the
system counter.

Here is a portion of the disassembly of __udelay:

  88:	428b      	cmp	r3, r1
  8a:	f8ce 20a4 	str.w	r2, [lr, #164]	; 0xa4
  8e:	bf08      	it	eq
  90:	4282      	cmpeq	r2, r0
  92:	f8ce 30a0 	str.w	r3, [lr, #160]	; 0xa0
  96:	d3f7      	bcc.n	88 <__udelay+0x88>
  98:	e8bd 8cf0 	ldmia.w	sp!, {r4, r5, r6, r7, sl, fp, pc}

Note that final jump / loop at 96 to 88, we don't have any `mrrc`.

With a volatile attribute, the above changes to this:

  8a:	ec53 2f0e 	mrrc	15, 0, r2, r3, cr14
  8e:	42ab      	cmp	r3, r5
  90:	f8c1 20a4 	str.w	r2, [r1, #164]	; 0xa4
  94:	bf08      	it	eq
  96:	42a2      	cmpeq	r2, r4
  98:	f8c1 30a0 	str.w	r3, [r1, #160]	; 0xa0
  9c:	d3f5      	bcc.n	8a <__udelay+0x8a>
  9e:	e8bd 8cf0 	ldmia.w	sp!, {r4, r5, r6, r7, sl, fp, pc}
  a2:	bf00      	nop

I'm advised[1] to put volatile on all asm(), so this commit also adds it
to the asm() in timer_init().

[1]: https://lists.denx.de/pipermail/u-boot/2018-March/322062.html

Signed-off-by: Yasushi SHOJI <yasushi.shoji@gmail.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-03-09 13:06:14 +01:00
Masahiro Yamada
b08c8c4870 libfdt: move headers to <linux/libfdt.h> and <linux/libfdt_env.h>
Thomas reported U-Boot failed to build host tools if libfdt-devel
package is installed because tools include libfdt headers from
/usr/include/ instead of using internal ones.

This commit moves the header code:
  include/libfdt.h         -> include/linux/libfdt.h
  include/libfdt_env.h     -> include/linux/libfdt_env.h

and replaces include directives:
  #include <libfdt.h>      -> #include <linux/libfdt.h>
  #include <libfdt_env.h>  -> #include <linux/libfdt_env.h>

Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2018-03-05 10:16:28 -05:00
Fabio Estevam
0339086bd9 imx: spl: Partially revert "spl: eMMC/SD: Provide one __weak spl_boot_mode() function"
Commit d695d66278 ("spl: eMMC/SD: Provide one __weak spl_boot_mode()
function") breaks the boot on several i.MX6 boards,
such as cuboxi and wandboard:

U-Boot SPL 2018.03-rc1-00212-g48914fc119 (Feb 10 2018 - 11:04:33 +1300)
Trying to boot from MMC1
Failed to mount ext2 filesystem...
spl_load_image_ext: ext4fs mount err - 0

Partially revert it so that we can boot U-Boot again on these
i.MX6 platforms.

Reported-by: Jonathan Gray <jsg@jsg.id.au>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
2018-02-24 19:33:32 +01:00
Jagan Teki
3d40915350 imx6q: engicam: Use SPL_LOAD_FIT for MMC boards
Currently SPL_LOAD_FIT is unable to boot from nand on
i.MX6QDL platform, so enable only for MMC boards.

Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
2018-02-22 14:51:01 +01:00
Breno Lima
7b889baf29 arm: imx: hab: Define HAB_RVT_BASE according to the processor version
Currently the following devices are using a different definition for ROM
Vector Table addresses:

- i.MX6DQP =  All rev
- i.MX6DQ >= rev 1.5
- i.MX6SDL >= rev 1.2

There is no need to create a new RVT macros since the only update were the
RVT base address. Remove HAB_RVT_*_NEW macros and define a new RVT base
address.

More details about RVT base address can be found on processors Reference
Manual and in the following documents:

EB803: i.MX 6Dual/6Quad Applications Processor Silicon Revision 1.2 to 1.3
Comparison

EB804: i.MX 6Solo/6DualLite Application Processor Silicon Revision 1.1
to 1.2/1.3 Comparison

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-22 14:36:06 +01:00
Utkarsh Gupta
20fa1dd386 imx: hab: Check if CSF contains deprecated commands
Write, Check and Set MID commands have been deprecated from the Code
Signing Tool (CST) v2.3.3 and will not be implemented in newer versions
of HAB, hence the following features are no longer available:

- Write Data
- Clear Mask
- Set Mask
- Check All Clear
- Check All Set
- Check Any Clear
- Check Any Set
- Set MID

The inappropriate use of Write Data command may lead to an incorrect
authentication boot flow. Since no specific application has been identified
that requires the use of any of these features, it is highly recommended to
add this check.

Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-22 14:35:57 +01:00
Utkarsh Gupta
ed286bc80e imx: hab: Check if CSF is valid before authenticating image
For proper authentication the HAB code must check if the CSF is valid.
Users must call the csf_is_valid() function to parse the CSF prior to
authenticating any additional images. The function will return a failure
if any of the following invalid conditions are met:

- CSF pointer is NULL
- CSF Header does not exist
- CSF does not lie within the image bounds
- CSF command length zero

Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-22 14:35:42 +01:00
Utkarsh Gupta
8c4037a09a imx: hab: Ensure the IVT DCD pointer is Null prior to calling HAB authenticate function.
DCD commands should only be present in the initial boot image loaded by
the SoC ROM. DCD should not be present in images that will be verified
by software using HAB RVT authentication APIs. Newer versions of HAB
will generate an error if a DCD pointer is present in an image being
authenticated by calling the HAB RVT API. Older versions of HAB will
process and run DCD if it is present, and this could lead to an incorrect
authentication boot flow.

It is highly recommended this check is in place to ensure additional HAB
verified images do not include a DCD table.

Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-22 14:35:32 +01:00
Breno Lima
669f2d189e imx: hab: Keep CAAM clock enabled after authenticating additional images
Currently it is not possible to run CMD_DEK on i.MX SPL targets:

=> dek_blob 0x12000000 0x12001000 128

The system hangs after running dek_blob because the CAAM clock is being
disabled by the HAB code. There is no need to disable CAAM clock after
authenticating additional boot images, thus keep CAAM clock enabled to
address this issue.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-22 14:35:20 +01:00
Stefan Agner
25c5b4e1bf arm: imx: mx28: Move MX28 selection to Kconfig
The motivation for moving MX28 selection to Kconfig is to be able
to better handle NAND MXS selection through Kconfig.

This selection method also aligns with the way other i.MX SoCs are
selected in U-Boot.

Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
2018-02-08 10:17:17 -05:00
Stefan Agner
c5343d4e11 arm: imx: mx23: Move MX23 selection to Kconfig
The motivation for moving MX23 selection to Kconfig is to be able
to better handle NAND MXS selection through Kconfig.

This selection method also aligns with the way other i.MX SoCs are
selected in U-Boot.

Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
2018-02-08 10:17:16 -05:00
Lukasz Majewski
d695d66278 spl: eMMC/SD: Provide one __weak spl_boot_mode() function
The goal of this patch is to clean up the code related to choosing SPL
MMC boot mode.

The spl_boot_mode() now is called only in spl_mmc_load_image() function,
which is only compiled in if CONFIG_SPL_MMC_SUPPORT is enabled.

To achieve the goal, all per mach/arch implementations eligible for
unification has been replaced with one __weak implementation.

Signed-off-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Marek Vasut <marex@denx.de>
Reviewed-by: Stefano Babic <sbabic@denx.de>
Acked-by: Michal Simek <michal.simek@xilinx.com> (For ZynqMP)
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-07 22:06:18 -05:00
Bryan O'Donoghue
d1ceb0c488 imx: mx7: run sec_init for CAAM RNG
This patch adds a sec_init call into arch_misc_init(). Doing so in
conjunction with the patch "drivers/crypto/fsl: assign job-rings to
non-TrustZone" enables use of the CAAM in Linux when OPTEE/TrustZone is
active.

u-boot will initialise the RNG and assign ownership of the job-ring
registers to a non-TrustZone context. With recent changes by Lukas Auer to
fully initialize the RNG in sec_init() this means that u-boot will hand-off
the CAAM in a state that Linux then can use the CAAM without touching the
reserved DECO registers.

This change is safe both for the OPTEE/TrustZone boot path and the regular
non-OPTEE/TrustZone boot path.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Marco Franchi <marco.franchi@nxp.com>
Cc: Vanessa Maegima <vanessa.maegima@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
Tested-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-04 12:14:11 +01:00
Patrick Bruenn
55e83d2e36 arm: imx: mx53loco: remove usage of mx53_dram_size
Static variables are not available during board_init_f().
'static uint32_t mx53_dram_size[2];' was used in board specific
dram_init(), dram_init_banksize() and get_effective_memsize() to avoid
multiple calls to get_ram_size().

Reused dram initialization functions from arch/arm/mach-imx/mx5/mx53_dram.c

Signed-off-by: Patrick Bruenn <p.bruenn@beckhoff.com>
2018-02-04 12:00:58 +01:00
Patrick Bruenn
9d9baacb90 arm: imx: m53evk: remove usage of mx53_dram_size
Static variables are not available during board_init_f().
'static uint32_t mx53_dram_size[2];' was used in board specific
dram_init(), dram_init_banksize() and get_effective_memsize() to avoid
multiple calls to get_ram_size().

Reused dram initialization functions from arch/arm/mach-imx/mx5/mx53_dram.c

Signed-off-by: Patrick Bruenn <p.bruenn@beckhoff.com>
2018-02-04 12:00:58 +01:00
Patrick Bruenn
daebb796ff arm: imx: cx9020: move dram init into common place
Move dram_init(), dram_init_banksize() and get_effective_memsize() to
arch/arm/mach-imx/mx5/mx53_dram.c, where it can be reused by m53evk and
mx53loco.

Signed-off-by: Patrick Bruenn <p.bruenn@beckhoff.com>
2018-02-04 12:00:58 +01:00
Peng Fan
e0e4e53375 imx: makefile: compile files for i.MX8M
Compile files for i.MX8M

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
fcdbde7ce0 imx: mx8m: add soc related settings and files
Add SoC level initialization code
 - arch_cpu_init
 - mmu table
 - detect cpu revision
 - reset cpu and wdog settings
 - timer init
 - wdog settings
 - lowlevel init to save/restore registers
 - a few dummy header file to avoid build failure
 - ft_system_setup

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-04 12:00:58 +01:00
Peng Fan
c1ef486327 imx: mx7: move mmc env code to mmc_env.c
The mx7 mmc env code is shared by i.MX8M, so move it to mmc_env.c.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
2018-02-04 12:00:58 +01:00
Peng Fan
80ebf86d9b imx: cpu: support get_boot_device for i.MX8M
Enable get_boot_device for i.MX8M, it supports boot type USB.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
770611f21e imx: mx7: move get_boot_device to cpu.c
Move get_boot_device to cpu.c to prepare adding i.MX8M support,
because i.MX8M share same code with i.MX7.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
ecd7ab5628 imx: bootaux: support i.MX8M
Add i.MX8M support. Because i.MX8M use SiP call trap
to Arm Trusted Firmware to handle M4, so use #ifdef
to avoid build error on i.MX6/7.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
2018-02-04 12:00:58 +01:00
Peng Fan
8cf223133c imx: cleanup bootaux
Move i.MX6/7 bootaux code to imx_bootaux.c.
The i.MX6/7 has different src layout, so define M4 reg offset
to ease the cleanup. Redefine the M4 related BIT for share
common code.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
2018-02-04 12:00:58 +01:00
Peng Fan
6ce8b10b87 imx: refactor imx_get_mac_from_fuse
Move imx_get_mac_from_fuse to a new mac.c for i.MX6/7.
Since fuse regs structure are different for i.MX6/7, use mac
address offset in code and define a new local struture
imx_mac_fuse.

Also sort the config order.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
e56d9d79e5 imx: cpu: add cpu speed/grade for i.MX8M
Use more general enum types for speed grade.
Refine get_cpu_speed_grade_hz to support i.MX8M.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
423e84bc72 imx: cpu: move speed/temp to common cpu
The i.MX7 cpu speed/temp code could be reused on i.MX8M,
so move them to common cpu code.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
d7cb10a05f imx: spl: implement spl_boot_device for i.MX8M
Implement spl_boot_device for i.MX8M.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
7537e93290 imx: cpu: update cpu file to support i.MX8M
Update get_reset_cause to reflect i.MX8M
Compile out get_ahb_clk and set_chipselect_size for i.MX8M

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
de274663f5 imx: add sip function
Add SiP (Silicon Provider) services function to issue
SMC call to Arm Trusted Firmware.

More SiP information could be found in
  https://github.com/ARM-software/arm-trusted-firmware/blob/master/
  docs/arm-sip-service.rst

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
bb0fabe42d imx: mx8m: add clock driver
Add clock driver to support i.MX8M.

There are two kind PLLs, FRAC pll and SSCG pll. ROM already
configured SYS PLL1/2, we only need to configure the output.
ocotp/i2c/pll decoding and configuration/usdhc/lcdif/dram pll/
enet clock are configured in the code.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Peng Fan
7a7391fd7e imx: add i.MX8M into Kconfig
Add i.MX8M into Kconfig, create a new folder mx8m
dedicated for i.MX8M.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Reviewed-by: Stefano Babic <sbabic@denx.de>
2018-02-04 12:00:58 +01:00
Anson Huang
4f0cd03723 imx: mx7: psci: add system power off support
Add i.MX7 PSCI system power off support, linux
kernel can use "poweroff" command to power off
system via SNVS, PMIC power will be disabled.

Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
2018-02-04 12:00:58 +01:00
Anson Huang
169c20e903 imx: mx7: psci: add system reset support
Add i.MX7 PSCI system reset support, linux
kernel can use "reboot" command to reset
system even wdog driver is disabled in kernel.

Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
2018-02-04 12:00:58 +01:00
Tom Rini
1d12a7c8cd Merge git://git.denx.de/u-boot-spi 2018-01-26 07:46:34 -05:00
Álvaro Fernández Rojas
48263504c8 wait_bit: use wait_for_bit_le32 and remove wait_for_bit
wait_for_bit callers use the 32 bit LE version

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Reviewed-by: Jagan Teki <jagan@openedev.com>
2018-01-24 12:03:43 +05:30
Bryan O'Donoghue
9587b0d611 arm: imx: hab: Add hab_failsafe console command
hab_failsafe when called puts the part into BootROM recovery mode.
This will allow u-boot scripts to script the dropping down into recovery
mode.

=> hab_failsafe

Shows the i.MX7 appear as "hiddev0,hidraw5: USB HID v1.10 Device [Freescale
SemiConductor Inc  SP Blank ULT1] " in a Linux dmesg thus allowing download
of a new image via the BootROM USB download protocol routine.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
317956e82c arm: imx: hab: Implement hab_rvt_failsafe
This patch implements the basic callback hooks for
hab_rvt_check_failsafe for BootROM code using the older BootROM address
layout - in my test case the i.MX7. Code based on new BootROM callbacks
will just do nothing and there's definitely a TODO to implement that extra
functionality on the alternative BootROM API.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
07eefaf16e arm: imx: hab: Make imx_hab_is_enabled global
It will be helpful to boot commands to know if the HAB is enabled. Export
imx_hab_is_enabled() now to facilitate further work with this data-point in
a secure-boot context.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
4467ae6c28 arm: imx: hab: Make authenticate_image() return zero on open boards
The BootROM will not successfully process a HAB image passed by u-boot
unless the board has been set into locked mode. Some of the existing usages
of authenticate_image() expect and rely on unlocked boards doing the
following

1. Not calling into the BootROM authenticate_image() callback
2. Returning a pass status for authenticate_image() calls anyway

A previous patch removed the necessity to call into imx_hab_is_enabled()
twice. This patch ensures the reliance on authenticate_image() returning
zero is maintained.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Suggested-by: Breno Matheus Lima <brenomatheus@gmail.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
e5b30e4ac1 arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
Understanding if the HAB is enabled is something that we want to
interrogate and report on outside of the HAB layer. First step to that is
renaming the relevant function to match the previously introduced external
naming convention imx_hab_function()

The name imx_hab_is_hab_enabled() is a tautology. A more logical name is
imx_hab_is_enabled().

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
57f6548606 arm: imx: hab: Prefix authenticate_image with imx_hab
Tidy up the HAB namespace a bit by prefixing external functions with
imx_hab. All external facing functions past this point will be prefixed in
the same way to make the fact we are doing IMX HAB activities clear from
reading the code. authenticate_image() could mean anything
imx_hab_authenticate_image() is on the other hand very explicit.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
58bebfb753 arm: imx: hab: Make internal functions and data static
There is no need to export these functions and data structures externally.
Make them all static now.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
2c6c68d282 arm: imx: hab: Print HAB event log only after calling ROM
The current flow of authenticate_image() will print the HAB event log even
if we reject an element of the IVT header before ever calling into the ROM.
This can be confusing.

This patch changes the flow of the code so that the HAB event log is only
printed out if we have called into the ROM and received some sort of status
code.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Suggested-by: Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
b7c3cae7d3 arm: imx: hab: Add a hab_rvt_check_target to image auth
Add a hab_rvt_check_target() step to authenticate_image() as a sanity
check for the target memory region authenticate_image() will run over,
prior to making the BootROM authentication callback itself.

This check is recommended by the HAB documentation so it makes sense to
adhere to the guidance and perform that check as directed.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
c0a55b7344 arm: imx: hab: Implement hab_rvt_check_target
This patch implements the basic callback hooks for hab_rvt_check_target()
for BootROM code using the older BootROM address layout - in my test case
the i.MX7. Code based on new BootROM callbacks will just have HAB_SUCCESS
as a result code. Adding support for the new BootROM callbacks is a TODO.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
824ef302f3 arm: imx: hab: Print additional IVT elements during debug
This patch enables printout of the IVT entry, dcd and csf data fields.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
fd15fe5f84 arm: imx: hab: Print CSF based on IVT descriptor
The IVT gives the absolute address of the CSF. There is no requirement for
the CSF to be located adjacent to the IVT so lets use the address provided
in the IVT header instead of the hard-coded fixed CSF offset currently in
place.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
04099e9ced arm: imx: hab: Only call ROM once headers are verified
Previous patches added IVT header verification steps. We shouldn't call
hab_rvt_entry() until we have done the basic header verification steps.

This patch changes the time we make the hab_rvt_entry() call so that it
only takes place if we are happy with the IVT header sanity checks.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00
Bryan O'Donoghue
e59eb9e00f arm: imx: hab: Verify IVT self matches calculated address
The IVT is a self-describing structure which contains a self field. The
self field is the absolute physical base address the IVT ought to be at in
memory. Use the IVT self field to validate the calculated ivt_addr bugging
out if the two values differ.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-01-14 17:26:30 +01:00