u-boot/arch/arm/include/asm/omap_sec_common.h
Harinarayan Bhatta 57de1ea5be arm: omap5: Add TEE loading support
secure_tee_install is used to install and initialize a secure TEE OS such as
Linaro OP-TEE into the secure world. This function takes in the address
where the signed TEE image is loaded as an argument. The signed TEE image
consists of a header (struct tee_header), TEE code+data followed by the
signature generated using image signing tool from TI security development
package (SECDEV). Refer to README.ti-secure for more information.

This function uses 2 new secure APIs.

1. PPA_SERV_HAL_TEE_LOAD_MASTER - Must be called on CPU Core 0. Protected
   memory for TEE must be reserved before calling this function. This API
   needs arguments filled into struct ppa_tee_load_info. The TEE image is
   authenticated and if there are no errors, the control passes to the TEE
   entry point.

2. PPA_SERV_HAL_TEE_LOAD_SLAVE - Called on other CPU cores only after
   a TEE_LOAD_MASTER call. Takes no arguments. Checks if TEE was
   successfully loaded (on core 0) and transfers control to the same TEE
   entry point.

The code at TEE entry point is expected perform OS initialization steps
and return back to non-secure world (U-Boot).

Signed-off-by: Harinarayan Bhatta <harinarayan@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
2016-12-03 13:21:21 -05:00

60 lines
1.9 KiB
C

/*
* (C) Copyright 2016
* Texas Instruments, <www.ti.com>
*
* Andreas Dannenberg <dannenberg@ti.com>
*
* SPDX-License-Identifier: GPL-2.0+
*/
#ifndef _OMAP_SEC_COMMON_H_
#define _OMAP_SEC_COMMON_H_
#include <common.h>
/*
* Invoke secure ROM API on high-security (HS) device variants. It formats
* the variable argument list into the format expected by the ROM code before
* triggering the actual low-level smc entry.
*/
u32 secure_rom_call(u32 service, u32 proc_id, u32 flag, ...);
/*
* Invoke a secure ROM API on high-secure (HS) device variants that can be used
* to verify a secure blob by authenticating and optionally decrypting it. The
* exact operation performed depends on how the certificate that was embedded
* into the blob during the signing/encryption step when the secure blob was
* first created.
*/
int secure_boot_verify_image(void **p_image, size_t *p_size);
/*
* Invoke a secure HAL API that allows configuration of the external memory
* firewall regions.
*/
int secure_emif_firewall_setup(uint8_t region_num, uint32_t start_addr,
uint32_t size, uint32_t access_perm,
uint32_t initiator_perm);
/*
* Invoke a secure HAL API on high-secure (HS) device variants that reserves a
* region of external memory for secure world use, and protects it using memory
* firewalls that prevent public world access. This API is intended to setaside
* memory that will be used for a secure world OS/TEE.
*/
int secure_emif_reserve(void);
/*
* Invoke a secure HAL API to lock the external memory firewall configurations.
* After this API is called, none of the HAL APIs for configuring the that
* firewall will be usable (calls to those APIs will return failure and have
* no effect).
*/
int secure_emif_firewall_lock(void);
/*
* Invoke a secure HAL API to authenticate and install a Trusted Execution
* Environment (TEE) image.
*/
int secure_tee_install(u32 tee_image);
#endif /* _OMAP_SEC_COMMON_H_ */