mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-05 20:54:31 +00:00
57de1ea5be
secure_tee_install is used to install and initialize a secure TEE OS such as Linaro OP-TEE into the secure world. This function takes in the address where the signed TEE image is loaded as an argument. The signed TEE image consists of a header (struct tee_header), TEE code+data followed by the signature generated using image signing tool from TI security development package (SECDEV). Refer to README.ti-secure for more information. This function uses 2 new secure APIs. 1. PPA_SERV_HAL_TEE_LOAD_MASTER - Must be called on CPU Core 0. Protected memory for TEE must be reserved before calling this function. This API needs arguments filled into struct ppa_tee_load_info. The TEE image is authenticated and if there are no errors, the control passes to the TEE entry point. 2. PPA_SERV_HAL_TEE_LOAD_SLAVE - Called on other CPU cores only after a TEE_LOAD_MASTER call. Takes no arguments. Checks if TEE was successfully loaded (on core 0) and transfers control to the same TEE entry point. The code at TEE entry point is expected perform OS initialization steps and return back to non-secure world (U-Boot). Signed-off-by: Harinarayan Bhatta <harinarayan@ti.com> Signed-off-by: Andrew F. Davis <afd@ti.com> Reviewed-by: Tom Rini <trini@konsulko.com>
60 lines
1.9 KiB
C
60 lines
1.9 KiB
C
/*
|
|
* (C) Copyright 2016
|
|
* Texas Instruments, <www.ti.com>
|
|
*
|
|
* Andreas Dannenberg <dannenberg@ti.com>
|
|
*
|
|
* SPDX-License-Identifier: GPL-2.0+
|
|
*/
|
|
#ifndef _OMAP_SEC_COMMON_H_
|
|
#define _OMAP_SEC_COMMON_H_
|
|
|
|
#include <common.h>
|
|
|
|
/*
|
|
* Invoke secure ROM API on high-security (HS) device variants. It formats
|
|
* the variable argument list into the format expected by the ROM code before
|
|
* triggering the actual low-level smc entry.
|
|
*/
|
|
u32 secure_rom_call(u32 service, u32 proc_id, u32 flag, ...);
|
|
|
|
/*
|
|
* Invoke a secure ROM API on high-secure (HS) device variants that can be used
|
|
* to verify a secure blob by authenticating and optionally decrypting it. The
|
|
* exact operation performed depends on how the certificate that was embedded
|
|
* into the blob during the signing/encryption step when the secure blob was
|
|
* first created.
|
|
*/
|
|
int secure_boot_verify_image(void **p_image, size_t *p_size);
|
|
|
|
/*
|
|
* Invoke a secure HAL API that allows configuration of the external memory
|
|
* firewall regions.
|
|
*/
|
|
int secure_emif_firewall_setup(uint8_t region_num, uint32_t start_addr,
|
|
uint32_t size, uint32_t access_perm,
|
|
uint32_t initiator_perm);
|
|
|
|
/*
|
|
* Invoke a secure HAL API on high-secure (HS) device variants that reserves a
|
|
* region of external memory for secure world use, and protects it using memory
|
|
* firewalls that prevent public world access. This API is intended to setaside
|
|
* memory that will be used for a secure world OS/TEE.
|
|
*/
|
|
int secure_emif_reserve(void);
|
|
|
|
/*
|
|
* Invoke a secure HAL API to lock the external memory firewall configurations.
|
|
* After this API is called, none of the HAL APIs for configuring the that
|
|
* firewall will be usable (calls to those APIs will return failure and have
|
|
* no effect).
|
|
*/
|
|
int secure_emif_firewall_lock(void);
|
|
|
|
/*
|
|
* Invoke a secure HAL API to authenticate and install a Trusted Execution
|
|
* Environment (TEE) image.
|
|
*/
|
|
int secure_tee_install(u32 tee_image);
|
|
|
|
#endif /* _OMAP_SEC_COMMON_H_ */
|