mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-12-13 14:53:06 +00:00
0830d72bb9
This patch adds support for authentication of both plain text and encrypted binaries. A new SECDEV package is needed to enable encryption of binaries by default for AM3x. The ROM authentication API detects encrypted images at runtime and automatically decrypts the image if the signature verification passes. Addition of encryption on AM3x results in a change in the image format. On AM4x, AM5x and, on AM3x devices signing clear test images, the signature is appended to the end of the binary. On AM3x, when the SECDEV package is used to create signed and encrypted images, the signature is added as a header to the start of the binary. So the binary size calculation has been updated to reflect this change. The signing tools and encrypted image format for AM3x cannot be changed to behave like AM4x and AM5x to maintain backward compatibility with older Sitara M-Shield releases. Signed-off-by: Madan Srinivas <madans@ti.com> Signed-off-by: Andrew F. Davis <afd@ti.com>
377 lines
10 KiB
C
377 lines
10 KiB
C
/*
|
|
*
|
|
* Common security related functions for OMAP devices
|
|
*
|
|
* (C) Copyright 2016-2017
|
|
* Texas Instruments, <www.ti.com>
|
|
*
|
|
* Daniel Allred <d-allred@ti.com>
|
|
* Andreas Dannenberg <dannenberg@ti.com>
|
|
* Harinarayan Bhatta <harinarayan@ti.com>
|
|
* Andrew F. Davis <afd@ti.com>
|
|
*
|
|
* SPDX-License-Identifier: GPL-2.0+
|
|
*/
|
|
|
|
#include <common.h>
|
|
#include <stdarg.h>
|
|
|
|
#include <asm/arch/sys_proto.h>
|
|
#include <asm/cache.h>
|
|
#include <asm/omap_common.h>
|
|
#include <asm/omap_sec_common.h>
|
|
#include <asm/spl.h>
|
|
#include <asm/ti-common/sys_proto.h>
|
|
#include <mapmem.h>
|
|
#include <spl.h>
|
|
#include <tee/optee.h>
|
|
|
|
/* Index for signature verify ROM API */
|
|
#ifdef CONFIG_AM33XX
|
|
#define API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX (0x0000000C)
|
|
#else
|
|
#define API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX (0x0000000E)
|
|
#endif
|
|
|
|
/* Index for signature PPA-based TI HAL APIs */
|
|
#define PPA_HAL_SERVICES_START_INDEX (0x200)
|
|
#define PPA_SERV_HAL_TEE_LOAD_MASTER (PPA_HAL_SERVICES_START_INDEX + 23)
|
|
#define PPA_SERV_HAL_TEE_LOAD_SLAVE (PPA_HAL_SERVICES_START_INDEX + 24)
|
|
#define PPA_SERV_HAL_SETUP_SEC_RESVD_REGION (PPA_HAL_SERVICES_START_INDEX + 25)
|
|
#define PPA_SERV_HAL_SETUP_EMIF_FW_REGION (PPA_HAL_SERVICES_START_INDEX + 26)
|
|
#define PPA_SERV_HAL_LOCK_EMIF_FW (PPA_HAL_SERVICES_START_INDEX + 27)
|
|
|
|
/* Offset of header size if image is signed as ISW */
|
|
#define HEADER_SIZE_OFFSET (0x6D)
|
|
|
|
int tee_loaded = 0;
|
|
|
|
/* Argument for PPA_SERV_HAL_TEE_LOAD_MASTER */
|
|
struct ppa_tee_load_info {
|
|
u32 tee_sec_mem_start; /* Physical start address reserved for TEE */
|
|
u32 tee_sec_mem_size; /* Size of the memory reserved for TEE */
|
|
u32 tee_cert_start; /* Address where signed TEE binary is loaded */
|
|
u32 tee_cert_size; /* Size of TEE certificate (signed binary) */
|
|
u32 tee_jump_addr; /* Address to jump to start TEE execution */
|
|
u32 tee_arg0; /* argument to TEE jump function, in r0 */
|
|
};
|
|
|
|
static uint32_t secure_rom_call_args[5] __aligned(ARCH_DMA_MINALIGN);
|
|
|
|
u32 secure_rom_call(u32 service, u32 proc_id, u32 flag, ...)
|
|
{
|
|
int i;
|
|
u32 num_args;
|
|
va_list ap;
|
|
|
|
va_start(ap, flag);
|
|
|
|
num_args = va_arg(ap, u32);
|
|
|
|
if (num_args > 4) {
|
|
va_end(ap);
|
|
return 1;
|
|
}
|
|
|
|
/* Copy args to aligned args structure */
|
|
for (i = 0; i < num_args; i++)
|
|
secure_rom_call_args[i + 1] = va_arg(ap, u32);
|
|
|
|
secure_rom_call_args[0] = num_args;
|
|
|
|
va_end(ap);
|
|
|
|
/* if data cache is enabled, flush the aligned args structure */
|
|
flush_dcache_range(
|
|
(unsigned int)&secure_rom_call_args[0],
|
|
(unsigned int)&secure_rom_call_args[0] +
|
|
roundup(sizeof(secure_rom_call_args), ARCH_DMA_MINALIGN));
|
|
|
|
return omap_smc_sec(service, proc_id, flag, secure_rom_call_args);
|
|
}
|
|
|
|
static u32 find_sig_start(char *image, size_t size)
|
|
{
|
|
char *image_end = image + size;
|
|
char *sig_start_magic = "CERT_";
|
|
int magic_str_len = strlen(sig_start_magic);
|
|
char *ch;
|
|
|
|
while (--image_end > image) {
|
|
if (*image_end == '_') {
|
|
ch = image_end - magic_str_len + 1;
|
|
if (!strncmp(ch, sig_start_magic, magic_str_len))
|
|
return (u32)ch;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
int secure_boot_verify_image(void **image, size_t *size)
|
|
{
|
|
int result = 1;
|
|
u32 cert_addr, sig_addr;
|
|
size_t cert_size;
|
|
|
|
/* Perform cache writeback on input buffer */
|
|
flush_dcache_range(
|
|
rounddown((u32)*image, ARCH_DMA_MINALIGN),
|
|
roundup((u32)*image + *size, ARCH_DMA_MINALIGN));
|
|
|
|
cert_addr = (uint32_t)*image;
|
|
sig_addr = find_sig_start((char *)*image, *size);
|
|
|
|
if (sig_addr == 0) {
|
|
printf("No signature found in image!\n");
|
|
result = 1;
|
|
goto auth_exit;
|
|
}
|
|
|
|
*size = sig_addr - cert_addr; /* Subtract out the signature size */
|
|
/* Subtract header if present */
|
|
if (strncmp((char *)sig_addr, "CERT_ISW_", 9) == 0)
|
|
*size = ((u32 *)*image)[HEADER_SIZE_OFFSET];
|
|
cert_size = *size;
|
|
|
|
/* Check if image load address is 32-bit aligned */
|
|
if (!IS_ALIGNED(cert_addr, 4)) {
|
|
printf("Image is not 4-byte aligned!\n");
|
|
result = 1;
|
|
goto auth_exit;
|
|
}
|
|
|
|
/* Image size also should be multiple of 4 */
|
|
if (!IS_ALIGNED(cert_size, 4)) {
|
|
printf("Image size is not 4-byte aligned!\n");
|
|
result = 1;
|
|
goto auth_exit;
|
|
}
|
|
|
|
/* Call ROM HAL API to verify certificate signature */
|
|
debug("%s: load_addr = %x, size = %x, sig_addr = %x\n", __func__,
|
|
cert_addr, cert_size, sig_addr);
|
|
|
|
result = secure_rom_call(
|
|
API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX, 0, 0,
|
|
4, cert_addr, cert_size, sig_addr, 0xFFFFFFFF);
|
|
|
|
/* Perform cache writeback on output buffer */
|
|
flush_dcache_range(
|
|
rounddown((u32)*image, ARCH_DMA_MINALIGN),
|
|
roundup((u32)*image + *size, ARCH_DMA_MINALIGN));
|
|
|
|
auth_exit:
|
|
if (result != 0) {
|
|
printf("Authentication failed!\n");
|
|
printf("Return Value = %08X\n", result);
|
|
hang();
|
|
}
|
|
|
|
/*
|
|
* Output notification of successful authentication as well the name of
|
|
* the signing certificate used to re-assure the user that the secure
|
|
* code is being processed as expected. However suppress any such log
|
|
* output in case of building for SPL and booting via YMODEM. This is
|
|
* done to avoid disturbing the YMODEM serial protocol transactions.
|
|
*/
|
|
if (!(IS_ENABLED(CONFIG_SPL_BUILD) &&
|
|
IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) &&
|
|
spl_boot_device() == BOOT_DEVICE_UART))
|
|
printf("Authentication passed: %s\n", (char *)sig_addr);
|
|
|
|
return result;
|
|
}
|
|
|
|
u32 get_sec_mem_start(void)
|
|
{
|
|
u32 sec_mem_start = CONFIG_TI_SECURE_EMIF_REGION_START;
|
|
u32 sec_mem_size = CONFIG_TI_SECURE_EMIF_TOTAL_REGION_SIZE;
|
|
/*
|
|
* Total reserved region is all contiguous with protected
|
|
* region coming first, followed by the non-secure region.
|
|
* If 0x0 start address is given, we simply put the reserved
|
|
* region at the end of the external DRAM.
|
|
*/
|
|
if (sec_mem_start == 0)
|
|
sec_mem_start =
|
|
(CONFIG_SYS_SDRAM_BASE + (
|
|
#if defined(CONFIG_OMAP54XX)
|
|
omap_sdram_size()
|
|
#else
|
|
get_ram_size((void *)CONFIG_SYS_SDRAM_BASE,
|
|
CONFIG_MAX_RAM_BANK_SIZE)
|
|
#endif
|
|
- sec_mem_size));
|
|
return sec_mem_start;
|
|
}
|
|
|
|
int secure_emif_firewall_setup(uint8_t region_num, uint32_t start_addr,
|
|
uint32_t size, uint32_t access_perm,
|
|
uint32_t initiator_perm)
|
|
{
|
|
int result = 1;
|
|
|
|
/*
|
|
* Call PPA HAL API to do any other general firewall
|
|
* configuration for regions 1-6 of the EMIF firewall.
|
|
*/
|
|
debug("%s: regionNum = %x, startAddr = %x, size = %x", __func__,
|
|
region_num, start_addr, size);
|
|
|
|
result = secure_rom_call(
|
|
PPA_SERV_HAL_SETUP_EMIF_FW_REGION, 0, 0, 4,
|
|
(start_addr & 0xFFFFFFF0) | (region_num & 0x0F),
|
|
size, access_perm, initiator_perm);
|
|
|
|
if (result != 0) {
|
|
puts("Secure EMIF Firewall Setup failed!\n");
|
|
debug("Return Value = %x\n", result);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
#if (CONFIG_TI_SECURE_EMIF_TOTAL_REGION_SIZE < \
|
|
CONFIG_TI_SECURE_EMIF_PROTECTED_REGION_SIZE)
|
|
#error "TI Secure EMIF: Protected size cannot be larger than total size."
|
|
#endif
|
|
int secure_emif_reserve(void)
|
|
{
|
|
int result = 1;
|
|
u32 sec_mem_start = get_sec_mem_start();
|
|
u32 sec_prot_size = CONFIG_TI_SECURE_EMIF_PROTECTED_REGION_SIZE;
|
|
|
|
/* If there is no protected region, there is no reservation to make */
|
|
if (sec_prot_size == 0)
|
|
return 0;
|
|
|
|
/*
|
|
* Call PPA HAL API to reserve a chunk of EMIF SDRAM
|
|
* for secure world use. This region should be carved out
|
|
* from use by any public code. EMIF firewall region 7
|
|
* will be used to protect this block of memory.
|
|
*/
|
|
result = secure_rom_call(
|
|
PPA_SERV_HAL_SETUP_SEC_RESVD_REGION,
|
|
0, 0, 2, sec_mem_start, sec_prot_size);
|
|
|
|
if (result != 0) {
|
|
puts("SDRAM Firewall: Secure memory reservation failed!\n");
|
|
debug("Return Value = %x\n", result);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
int secure_emif_firewall_lock(void)
|
|
{
|
|
int result = 1;
|
|
|
|
/*
|
|
* Call PPA HAL API to lock the EMIF firewall configurations.
|
|
* After this API is called, none of the PPA HAL APIs for
|
|
* configuring the EMIF firewalls will be usable again (that
|
|
* is, calls to those APIs will return failure and have no
|
|
* effect).
|
|
*/
|
|
|
|
result = secure_rom_call(
|
|
PPA_SERV_HAL_LOCK_EMIF_FW,
|
|
0, 0, 0);
|
|
|
|
if (result != 0) {
|
|
puts("Secure EMIF Firewall Lock failed!\n");
|
|
debug("Return Value = %x\n", result);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
static struct ppa_tee_load_info tee_info __aligned(ARCH_DMA_MINALIGN);
|
|
|
|
int secure_tee_install(u32 addr)
|
|
{
|
|
struct optee_header *hdr;
|
|
void *loadptr;
|
|
u32 tee_file_size;
|
|
u32 sec_mem_start = get_sec_mem_start();
|
|
const u32 size = CONFIG_TI_SECURE_EMIF_PROTECTED_REGION_SIZE;
|
|
u32 ret;
|
|
|
|
/* If there is no protected region, there is no place to put the TEE */
|
|
if (size == 0) {
|
|
printf("Error loading TEE, no protected memory region available\n");
|
|
return -ENOBUFS;
|
|
}
|
|
|
|
hdr = (struct optee_header *)map_sysmem(addr, sizeof(struct optee_header));
|
|
/* 280 bytes = size of signature */
|
|
tee_file_size = hdr->init_size + hdr->paged_size +
|
|
sizeof(struct optee_header) + 280;
|
|
|
|
if ((hdr->magic != OPTEE_MAGIC) ||
|
|
(hdr->version != OPTEE_VERSION) ||
|
|
(tee_file_size > size)) {
|
|
printf("Error in TEE header. Check firewall and TEE sizes\n");
|
|
unmap_sysmem(hdr);
|
|
return CMD_RET_FAILURE;
|
|
}
|
|
|
|
tee_info.tee_sec_mem_start = sec_mem_start;
|
|
tee_info.tee_sec_mem_size = size;
|
|
tee_info.tee_jump_addr = hdr->init_load_addr_lo;
|
|
tee_info.tee_cert_start = addr;
|
|
tee_info.tee_cert_size = tee_file_size;
|
|
tee_info.tee_arg0 = hdr->init_size + tee_info.tee_jump_addr;
|
|
unmap_sysmem(hdr);
|
|
loadptr = map_sysmem(addr, tee_file_size);
|
|
|
|
debug("tee_info.tee_sec_mem_start= %08X\n", tee_info.tee_sec_mem_start);
|
|
debug("tee_info.tee_sec_mem_size = %08X\n", tee_info.tee_sec_mem_size);
|
|
debug("tee_info.tee_jump_addr = %08X\n", tee_info.tee_jump_addr);
|
|
debug("tee_info.tee_cert_start = %08X\n", tee_info.tee_cert_start);
|
|
debug("tee_info.tee_cert_size = %08X\n", tee_info.tee_cert_size);
|
|
debug("tee_info.tee_arg0 = %08X\n", tee_info.tee_arg0);
|
|
debug("tee_file_size = %d\n", tee_file_size);
|
|
|
|
#if !defined(CONFIG_SYS_DCACHE_OFF)
|
|
flush_dcache_range(
|
|
rounddown((u32)loadptr, ARCH_DMA_MINALIGN),
|
|
roundup((u32)loadptr + tee_file_size, ARCH_DMA_MINALIGN));
|
|
|
|
flush_dcache_range((u32)&tee_info, (u32)&tee_info +
|
|
roundup(sizeof(tee_info), ARCH_DMA_MINALIGN));
|
|
#endif
|
|
unmap_sysmem(loadptr);
|
|
|
|
ret = secure_rom_call(PPA_SERV_HAL_TEE_LOAD_MASTER, 0, 0, 1, &tee_info);
|
|
if (ret) {
|
|
printf("TEE_LOAD_MASTER Failed\n");
|
|
return ret;
|
|
}
|
|
printf("TEE_LOAD_MASTER Done\n");
|
|
|
|
#if defined(CONFIG_OMAP54XX)
|
|
if (!is_dra72x()) {
|
|
u32 *smc_cpu1_params;
|
|
/* Reuse the tee_info buffer for SMC params */
|
|
smc_cpu1_params = (u32 *)&tee_info;
|
|
smc_cpu1_params[0] = 0;
|
|
#if !defined(CONFIG_SYS_DCACHE_OFF)
|
|
flush_dcache_range((u32)smc_cpu1_params, (u32)smc_cpu1_params +
|
|
roundup(sizeof(u32), ARCH_DMA_MINALIGN));
|
|
#endif
|
|
ret = omap_smc_sec_cpu1(PPA_SERV_HAL_TEE_LOAD_SLAVE, 0, 0,
|
|
smc_cpu1_params);
|
|
if (ret) {
|
|
printf("TEE_LOAD_SLAVE Failed\n");
|
|
return ret;
|
|
}
|
|
printf("TEE_LOAD_SLAVE Done\n");
|
|
}
|
|
#endif
|
|
|
|
tee_loaded = 1;
|
|
|
|
return 0;
|
|
}
|